Accounts Payable Security Report November 2022

Minister Against Making Banks Pay for BEC

Despite calls for the banks to be liable when scammers succeed in redirecting funds to their own accounts, it appears the Government will not hold banks responsible.

Financial Services Minister, Stephen Jones, rejected the idea that banks should be held liable for payment redirection scams, such as Business Email Compromise. According to the Minister, making banks pick up the tab would only lead to an increase in scam activity.

The Minister did support setting high standards for banks to follow, which should limit the opportunities for scammers. However, assuming banks meet these high obligations, then they should not be held financially responsible for refunding misdirected payments to scam victims.

“If banks always pay the net result creates a honey pot for scammers,” Jones said.

Given these sentiments, it appears clear that banks in Australia will not be financially liable for payment redirection scams any time soon. Ensuring funds are sent to the intended recipient will continue to be the responsibility of the sender for the foreseeable future.

Cost of Scams Surging to $4B

Scam rates are surging, with Australians on track to lose a whopping $4 billion next year.

That figure is more than double the amount lost last year according to Australian Government figures. Given that many scam victims are reluctant to come forward, it is likely that the real cost is even higher.

With scams now impacting many thousands of Australians, the Government announced it will spend $10 million to finance a National Anti-Scam Centre.

“When Australians are struggling with cost-of-living increases, to have their life savings ripped away from them is just unbearable,” Financial Services Minister, Stephen Jones, said.

“That’s money that should be in the small businesses or households, not flowing to these criminals and scumbags ripping Australians off.”

The new centre will be overseen by the Australian Consumer and Competition Commission (ACCC), the agency that runs Scamwatch.

BEC Gangs Impersonate Law Firms

A Business Email Compromise (BEC) syndicate named ‘Crimson Kingsnake’ is impersonating well-known international law firms to trick recipients into paying fake overdue invoices.

It is believed they are impersonating lawyers as their targets are likely to be intimidated when receiving threatening emails from large law firms.

Analysts report having identified 92 fake domains linked to these scams. Each fake domain is similar to a genuine law firm domain.

This tactic is known as ‘typosquatting.’ It is a tactic that often succeeds in deceiving victims as the email address appears authentic at first glance. The body of the emails contain the logos and letterheads of the impersonated entities. The emails are also crafted professionally, without spelling or grammatical errors.

The international law firms being impersonated include:

• Allen & Overy
• Clifford Chance
• Deloitte
• Dentons
• Eversheds Sutherland
• Herbert Smith Freehills
• Hogan Lovells
• Kirkland & Ellis
• Lindsay Hart
• Manix Law Firm
• Monlex International
• Morrison Foerster
• Simmons & Simmons
• Sullivan & Cromwell

The scammers are using a tactic known as “blind BEC attacks.”

They send an email to a target advising that they have a long-overdue invoice. If the target responds asking for additional information, the scammers provide a fake description of the legal services that were rendered.

In cases where the target disputes any outstanding invoice, the scammers also impersonate an executive in the targeted company, approving payment of the invoice.

Watch Out for Malicious Text Messages

Accounts payable staff are starting to realise that sophisticated cyber-criminals may seek to deceive them by impersonating their organisation’s senior executives, such as the CEO or CFO. This makes it harder for the criminals to use email as a vehicle to launch phishing attacks.

But, as always, cyber-criminals are adaptable. When one attack vector starts to become less effective, they pivot to a new attack vector.

According to reports, cyber-criminals are increasingly turning to messaging apps, such as WhatsApp, to target AP staff. In the latest trend, a scammer will impersonate the CEO of the AP staffer’s organisation. In the WhatsApp message, he says he is traveling in Asia and asks the AP staffer to organise a Zoom call. Once on the Zoom call, the scammer claims to have audio problems and requests to communicate via text.

Using the chat function, he asks the AP staffer to send company data to a link he provides. AP staff members may be asked to provide sensitive company information or even login credentials to various systems, such as bank accounts.

Before providing any sensitive information via messaging apps, such as WhatsApp, AP staff should always verify that they are actually communicating with the person they think they are communicating with.