Industry news

Accounts Payable Security Report May 2023

Niek Dekker

Each month, the team at Eftsure monitors headlines for the latest accounts payable (AP) news. We bring you all the essential stories in our Security Report so your team can stay secure.

Beware the “VIP invoice authentication” tactic

A payment fraud tactic is gaining steam among scammers. Rather than just hijacking existing email threads, fraudsters are creating new ones that look and sound like they’re from the recipient’s bosses. 

The tactic starts with a finance or AP employee receiving an emailed payment request and an invoice from a trusted supplier – crucially, a senior executive from the employee’s organisation will be CC’d on the email. Then the exec responds within the chain and asks the employee to prioritise the payment. But a closer look at the email addresses reveals that the entire “conversation” has been fabricated and the accounts are fake. 

It’s not a new strategy. For years, fraudsters have been using all kinds of social engineering and business email compromise (BEC) tactics to trick staff into making fraudulent payments. But this particular approach appears to be gaining in popularity, and the appearance of a senior executive jumping in can lure some people into skipping their usual verification steps. Make sure your team is aware of the tactic and that they follow the necessary checks before processing any payment request: look at the actual sender and CC addresses rather than the display names, and confirm new or changed bank details with the supplier through a contact channel already on file, never through details supplied in the email itself.
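As an added illustration (this is not code from the original article or from Eftsure), the following Python script shows what “a closer look at the email addresses” means in practice. It parses the headers of a message, ignores the display names, and flags any From, Cc or Reply-To address whose domain is not on an approved list but closely imitates one. The organisation’s domain, the supplier’s domain and both sample threads are constructed for this example.

```python
"""Flag fabricated 'VIP' payment threads by checking the domains behind display names."""
import re
from email import message_from_string
from email.utils import getaddresses

# Hypothetical domains for the example: the recipient's own organisation and one approved supplier.
ORG_DOMAINS = {"acme-corp.com"}
VENDOR_DOMAINS = {"acmesupplies.com"}

# Constructed sample: a forged thread in which the "CFO" and the "supplier" both sit on look-alike domains.
FORGED_THREAD = """\
From: "Jane Chen (CFO)" <jane.chen@acme-corp.co>
To: ap@acme-corp.com
Cc: "Acme Supplies Accounts" <accounts@acmesupplies-billing.com>
Reply-To: jane.chen@acme-corp.co
Subject: RE: Invoice 4471 - please prioritise today

Hi, can you push this one through this afternoon? Thanks, Jane
"""

# Constructed sample: the same parties on their genuine domains.
GENUINE_THREAD = """\
From: "Acme Supplies Accounts" <accounts@acmesupplies.com>
To: ap@acme-corp.com
Cc: "Jane Chen" <jane.chen@acme-corp.com>
Subject: Invoice 4471

Please find attached invoice 4471.
"""

ROLE_WORDS = re.compile(r"\b(CFO|CEO|COO|Director|Manager)\b", re.I)


def levenshtein(a, b):
    """Plain edit distance; short enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted_domains, max_distance=2):
    """Return the trusted domain this one imitates, or None if it is exact or unrelated."""
    domain = domain.lower()
    if domain in trusted_domains:
        return None
    label = domain.split(".")[0]
    for trusted in sorted(trusted_domains):
        trusted_label = trusted.split(".")[0]
        # Two cheap tells: a near-identical string (acme-corp.co) or the real brand label
        # buried inside a longer domain (acmesupplies-billing.com).
        if levenshtein(domain, trusted) <= max_distance or trusted_label in label:
            return trusted
    return None


def audit_thread(raw, org_domains=ORG_DOMAINS, vendor_domains=VENDOR_DOMAINS):
    """Return a list of findings; an empty list means every address sits on a trusted domain."""
    msg = message_from_string(raw)
    trusted = set(org_domains) | set(vendor_domains)
    findings = []
    for header in ("From", "Cc", "Reply-To"):
        for name, addr in getaddresses(msg.get_all(header, [])):
            if "@" not in addr:
                findings.append(f"{header}: unparseable address {addr!r}")
                continue
            domain = addr.rsplit("@", 1)[1].lower()
            imitated = lookalike_of(domain, trusted)
            if imitated:
                findings.append(f"{header}: {addr} imitates {imitated}")
            # A display name claiming a senior role on a non-corporate domain is the VIP trick itself.
            if ROLE_WORDS.search(name) and domain not in org_domains:
                findings.append(f"{header}: '{name}' claims an internal role but uses {domain}")
    sender, reply_to = msg.get("From"), msg.get("Reply-To")
    if reply_to and getaddresses([reply_to])[0][1] != getaddresses([sender])[0][1]:
        findings.append("Reply-To differs from From")
    return findings


if __name__ == "__main__":
    for label, thread in (("forged", FORGED_THREAD), ("genuine", GENUINE_THREAD)):
        print(label, audit_thread(thread) or ["no findings"])
```

A check like this belongs in the mail gateway or as a quick triage script for AP staff; it does not replace calling the supplier on a number already on file before paying, but it catches the two things people skip when a “CFO” appears in the thread: the real domain and the Reply-To.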

ACCC report: companies lost $224m to BECs in 2022

In its latest Targeting Scams report, the Australian Competition and Consumer Commission found that Australians lost a staggering $3.1 billion to scams in 2022, an 80% increase compared to 2021.

And the scam that impacted businesses the most? Payment redirection scams, also known as business email compromise (BEC). The ACCC says that the amount of money lost to these scams increased by 73% since the previous year, but it also estimates that only 13% of victims report to Scamwatch. Across reporting from Scamwatch, ReportCyber and the AFCX, combined losses from BEC totalled $224 million.

However, the report also estimated that 30% of victims don’t report scams at all, so it’s unclear just how vast (and costly) the problem might be.

HWL Ebsworth faces ransom demands

ALPHV ransomware group is demanding payment after it claims to have stolen a four-terabyte dataset from Australian law firm HWL Ebsworth. This includes a wide range of internal and employee data, such as financial reports, accounting data, loans data and insurance agreements.

Crucially, it also includes client data, including credit card information and financial data. To further pressure the firm into paying the ransom, the Russia-linked hacker group is likely to drip-feed data onto the dark web, similar to what happened during Medibank’s breach. 

The AFR is reporting that a forensic report connects the breach to an employee’s personal device. It is a stark reminder that unmanaged devices, and the people using them, remain one of the largest cyber risks an organisation carries.

2023-24 Federal Budget takes aim at scammers

With scam losses on the rise, the Federal Government is investing in protections for Australian consumers and businesses. It has allocated more than $87 million toward new systems, entities and capabilities, including:

  • An SMS sender ID registry, which will require registration for anyone wanting to use SMS Sender IDs and make it harder for scammers to spoof the Sender IDs of trusted brands and government agencies
  • A new National Anti-Scam Centre, sitting inside the Australian Competition and Consumer Commission, which will focus on improving the data-sharing that combats scams and on strengthening public-private partnerships
  • Greater capabilities for fighting phishing and investment scams

These are all promising investments and smart steps for fighting scammers. But it’s unclear how many measures will be appropriate for organisations rather than individual consumers – for instance, investment scams primarily impacted consumers in 2021-22 while companies’ losses mostly resulted from BEC scams.

ERP TechnologyOne reports ‘cyber incident’

Australian enterprise resource planning (ERP) provider, TechnologyOne, is still investigating the access of its internal Microsoft 365 platform by an “unauthorised third party.” The company describes the access as “illegal” in a financial filing.

The software business says its customer-facing SaaS platform wasn’t affected since it isn’t connected to M365. It also says it managed to contain the threat and that the system was “successfully restored” a few days later, though investigations are still underway to determine impacts to customers.

Headquartered in Brisbane, TechnologyOne provides a wide range of financial features, including digitised and automated processes across accounts payable, accounts receivable and payroll. The business provides services for a multitude of prominent organisations, including the New Zealand Parliamentary Service.

GoAnywhere hack attributed to zero-day vulnerability

Fortra says its GoAnywhere file transfer system was hacked because of a zero-day vulnerability – that is, a flaw that attackers were already exploiting before the vendor had a patch available.

In a post-mortem report, Fortra says the vulnerability is what led to the compromise of end-user data, affecting a range of Australian organisations like Rio Tinto, Crown Resorts and Tasmania’s Department for Education, Children and Young People (DECYP).
