Cyber Brief for CFOs: November / December 2024
All the news, tactics and scams for finance leaders to know for November / December 2024.
Ask most people if they think their online payments are secure and the response will be “Yes.”
Most people assume the banks have payments security under control. However, what the banks don’t publicise is that they lack the capacity to verify the Account Name with either the BSB or Account Number in online payments. This systemic verification gap in banking processes leaves the way open for fraudsters to engage in a range of malicious activities.
In this blog we explore the risks posed by banking verification gaps and how eftsure’s unique solution is helping Australian organisations secure $5 billion worth of EFT payments monthly.
Some things are within our power, while others are not.
Epictetus
Hard as it may be, each of us needs to accept that there are some things in life over which we have no control. Despite our best efforts, we find ourselves limited in our ability to influence external circumstances.
All we can control are our responses to those external circumstances.
It is this core principle that has been the driving force behind eftsure since our inception. It continues to motivate us to this very day. Once it became clear that potentially risky verification gaps existed within our banking processes, and that our banks were unable to remediate those risks, the team behind eftsure understood the necessity of taking matters into our own hands.
The result: eftsure’s unique fraudtech solution that aggregates the collective knowledge of the entire community to uplift the ability of each of us to mitigate EFT payments risks.
B2B digital payments are now ubiquitous in Australia. Invoices are routinely paid using online banking portals. On the whole these systems are both efficient and convenient.
We are very familiar with the process: Simply enter the supplier’s Bank Account Name, BSB and Bank Account Number, along with the amount you wish to transfer to them. Typically they receive the funds the next business day.
Online banking has done away with the tedious task of writing out cheques. It frees Accounts Payable teams to focus on other more important priorities.
It all seems so positive – what could be the problem?
Unfortunately there is a glaring vulnerability in the process, one that most people remain utterly oblivious to: Banks do not match the Account Name with either the BSB or Account Number.
Despite calls from the Australian Competition and Consumer Commission (ACCC) for the banks to do more to plug this verification gap, little is being done to stem the rise in fraud.
“We do think this is an important issue confirming who the payee is,” said ACCC chair, Rod Sims. “Some banks say there are other things coming along which will fix the problem. I’d be asking the banks, if you have an alternative, how far away is it?”
Thus far there are no indications that Australian banks have any effective solutions on the way that will accurately verify payments and stop fraud. Despite other countries, notably the UK, introducing Confirmation of Payee systems, fraud and scams have not abated.
Dion Dosualdo, national secretary of the Australian Institute of Conveyancers, went even further, describing the efforts of the Australian banks as “complicit” due to their refusal to implement fraud mitigation systems.
“The fact there is no dual verification there means the banks can wash their hands of the situation,” Mr Dosualdo said. “This is what the scammers are cashing in on.”
Most organisations maintain a list of their supplier data either in a Vendor Master File or ERP system.
Ideally, when a new supplier is onboarded, all their data, including banking details, are verified before being saved in the Vendor Master File or ERP. Verification can occur in a number of ways. Of particular importance are call-back controls, in which a member of your Accounts Payable team calls the supplier to verify their banking details over the telephone.
However, this process may present a number of problems. For example, a protracted period may elapse between the time a supplier is onboarded and the time a payment is issued to them. During this period, malicious insiders or cyber-attackers may gain access to the database and manipulate the banking information.
Business Email Compromise attacks are a further problem. Fraudsters may compromise the email accounts of members of the organisation’s senior management, such as the CEO or CFO. They use the compromised email account to send fraudulent requests to process payments to their Accounts Payable team. Vendor Email Compromise attacks are similar but occur when a fraudster compromises a supplier’s email account. In these circumstances, the fraudsters typically request that the supplier’s banking information be updated in the Vendor Master File / ERP.
There are also increasing reports of hackers manipulating banking information contained within emailed invoices.
In all these cases, by changing the BSB and Account Number, fraudsters can ensure funds end up being sent to a bank account they control, rather than the bank account of the legitimate supplier.
When a supplier’s banking information is verified at the time they are onboarded, rather than at the time a payment is being sent to them, a window of opportunity exists for malicious actors to manipulate the banking data and steal the funds.
It is not realistic to expect busy Accounts Payable teams to conduct additional manual verifications of supplier banking data prior to processing every individual payment.
Whilst many Accounts Payable teams do conduct individual spot checks of payments before they are processed, simply checking the Account Name provides no guarantee that the BSB and Account Number are also correct.
Many people still believe that if the Account Name they are using does not match with the BSB and Account Number, the bank will reject the payment. This is not the case. The banks direct the payment to the nominated BSB and Account Number, irrespective of what information is listed in the Account Name field.
You cannot rely on the banks to verify payment details.
Furthermore, if you do process a payment to an incorrect bank account, there is no guarantee that the banks will be able to retrieve the funds on your behalf. Fraudsters understand that time is of the essence and move rapidly to withdraw ill-gotten funds – by which time it is almost impossible to track down the stolen money.
This may not seem like a big problem for small organisations that make a limited number of payments per month. However, the risk inflates progressively as organisations grow, particularly when multiple people are responsible for processing invoices. All organisations are reliant on potentially vulnerable digital communications. Undertaking manual verifications every time an invoice requires processing is both time consuming and vulnerable to human error. In a world of digital payments, manual controls simply aren’t up to the task.
In 2020 alone, Australian organisations lost in excess of $128 million to such payment redirection scams according to Scamwatch.
The banks are saddled with legacy systems that were designed to process cheques, not digital transfers. They simply do not have the capacity to match Account Names with BSBs or Account Numbers, particularly if the funds are being sent to a different beneficiary bank.
Given these limitations, which are totally beyond our control, there is only one way to ensure that we protect ourselves from this pernicious risk. Through cooperation and information sharing it is possible for each of us to gain assurance that we are sending payments to the correct beneficiary.
eftsure makes this possible thanks to our unique approach: Multi-Factor Verification.
The principle behind Multi-Factor Verification is that it is critical to know exactly who you are transacting with in a digital space. Given that identities are easily obscured in the digital world, it is essential to verify the identity of a counterparty using multiple factors. Identities can be verified by aggregating information from millions of separate sources.
eftsure achieves this through our database, which aggregates information from over 2 million Australian organisations. When supplier information in your records aligns with the information in the eftsure database, you achieve a high degree of certainty that the information is accurate and that the supplier you are transacting with is legitimate. This can all be done in real-time immediately prior to processing an EFT payment.
eftsure allows you to pay suppliers with confidence that the data in your records has not been manipulated by malicious actors and that you are not being defrauded.
Contact us today for a demonstration of the capabilities of the eftsure solution and how it can secure your organisation from the growing threat of payment fraud.