Accounts Payable Security Report: September 2023

Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) news. We bring you all the essential stories in our Security Report so your team can stay secure.

AP inboxes increasingly under threat

From April til September this year, Eftsure has detected a much higher average of fraud attempts per week – in fact, it’s the largest volume of fraud attempts we’ve seen to date. The ‘spike’ we saw during EOFY is looking less like a spike and more like a steady, long-term climb.

Our growing database of verified suppliers (brag) might be one reason for the raw number increase in detected fraud attempts. However, the proportionate rate of attempted fraud has still been far higher this year compared to the same period last year. 

But there’s another factor at play. We’ve also seen rapid increases in fraud attempts that involve compromised email accounts belonging to financial controls and accounts payable officers. In June, we flagged the ‘double’ business email compromise (BEC) tactic in which scammers infiltrate both the target organisation’s systems and their supplier’s systems, enabling them to orchestrate more convincing, difficult-to-detect scams.

Even when the double BEC tactic isn’t used, fraudsters seem to be expanding their infiltration targets – after all, the more they can access your email, the more they know about your organisation and financial processes. And the more they know, the easier it will be to circumvent your controls and defraud your business.

FraudGPT and the growing market for malicious AI

Cybersecurity researchers have uncovered yet another malicious AI tool, similar to WormGPT (i.e. ChatGPT’s “evil twin”). Emerging around the same time as WormGPT in July 2023, the tool is designed for spear phishing, password cracking and more. It’s available on various dark web marketplaces and Telegram channels.

Researchers found evidence that it’s helping threat actors craft convincing malicious emails, a significant concern due to the prevalence of business email compromise (BEC) attacks. The tool also helps identify the most vulnerable targets, potentially sharpening scammers’ efforts and increasing fraud risks.

As we discussed in our deep dive on WormGPT, these tools are just a few examples of a booming black market in AI – specifically, generative AI models that are tailored for illicit activity.

Keep in mind that this is only text generation, too. Evolving alongside ChatGPT’s text-generation capabilities were other moderated tools like Midjourney. Are there already malicious AI tools that can generate convincing images or audio? And what will that mean for finance teams who depend on evidence to avoid falling into scammers’ traps? These are the sorts of questions we explored in a webinar earlier this year, and experts are warning that the worst is yet to come in AI-enabled scams.

ACCC to regulate new digital ID system

On 19 September, federal finance minister Katy Gallagher introduced national digital identity legislation to parliament. The aim of the legislation is to establish a more cohesive, centrally managed Australian digital ID system, which the Australian Competition and Consumer Commission (ACCC) is likely to regulate. 

The staged rollout is meant to eventually see the private sector recognising myGovID during actions like opening a bank account. An even later phase will involve the government recognising private sector digital IDs.

Depending on how the project unfurls, this could be a helpful step for filtering out scam attempts. Moreover, the proposed Digital ID rules would require reporting cybersecurity incidents and fraudulent access of credentials – in other words, businesses stand to potentially gain some new protections as well as new reporting obligations.

Data breach hits over 190,000 Pizza Hut customers

Another day, another data breach. Disclosed not long after the Dymocks data breach, Pizza Hut’s chief executive officer has apologised to customers after confirming that hackers had stolen data relating to customer names, order details, delivery addresses, emails, phone numbers and “unusable masked credit card data.” 

While the actual number of affected customers is much smaller than the hacking group’s touted one million, nearly 200,000 customers are still impacted. And while dark web denizens revealing your preference for Margherita versus Meat Lover might not sound scary, it’s important to remember that each bit of stolen data can help fraudsters cobble together more sophisticated scams. 

Government scraps business registers program

After investing a sinus-clearing $530 million, the government will abandon the modernising business registers (MBR) program. Originally budgeted at $480 million, the MBR aimed to consolidate 30 Australian Securities and Investments Commission (ASIC) registers – encompassing the records of 2.6 million registered companies – with the Australian Business Register, which tracks 7.9 million active ABNs. 

However, a recent report estimated that the project would culminate in a $2.8 billion total spend and run five years late, prompting the decision to scrap the project. Assistant Treasurer Stephen Jones said registry operations will continue under ASIC on a business-as-usual basis, and that the DirectorID program will remain unaffected.

The DirectorID program is designed to crack down on illegal phoenixing activity, a tactic that cyber-criminals sometimes use to quickly move stolen funds into irretrievable accounts and jurisdictions. Time will tell if future efforts yield stronger barriers against cyber-criminals and fraudsters.