
Accounts Payable Security Report: September 2022

Niek Dekker

Each month, the team at Eftsure monitors the headlines for the latest Accounts Payable news. We bring you all the essential learnings in our Security Report, so your Accounts Payable team can stay secure.

CFO Email Spoofed

Phishing awareness training often teaches us to check the “From” field whenever we receive an email, particularly if the email contains instructions to process payments.

However, recent Business Email Compromise (BEC) attacks demonstrate that you cannot always trust what appears in the “From” field.

Sophisticated cyber-criminals are now sending spoofed emails that appear to be sent from a legitimate email address, such as an organisation’s CFO. Simply glancing at the “From” field is no guarantee that the email is legitimate.

Source: TechRepublic

In the case above, a cyber-criminal is impersonating an organisation’s CFO and is requesting that a payment be made to an insurance provider called West Bend Mutual. However, upon closer inspection it is clear that the email addresses purporting to belong to the CFO and the insurance provider are spoofed.

Only by looking at the “Reply-to” field does it become clear that these emails were not actually sent by the CFO or the insurance provider.

CFOs and AP managers should ensure their teams understand the importance of always checking the “Reply-to” field whenever they receive emails with payment instructions. It is important that the “Reply-to” email address matches the “From” email address.

In the event of any uncertainty, AP staff should always call the sender to verify whether the payment request is legitimate.
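The “Reply-to” versus “From” comparison described above can also be automated on inbound mail. The following is an added example, not part of the original article or any Eftsure product; the sample messages, addresses and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not taken from the article's screenshot).
SPOOFED = """\
From: "Jane Doe, CFO" <cfo@example-corp.test>
Reply-To: "Jane Doe, CFO" <cfo.example-corp@freemail.test>
To: ap@example-corp.test
Subject: Urgent: insurance payment due today

Please process the attached invoice.
"""

LEGIT = """\
From: "Jane Doe, CFO" <cfo@example-corp.test>
To: ap@example-corp.test
Subject: Q3 accruals

See attached.
"""

def _addresses(msg, header):
    """Return lower-cased addresses found in every instance of a header."""
    values = msg.get_all(header, [])
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def _domain(addr):
    return addr.rpartition("@")[2]

def check_reply_to(raw):
    """Compare Reply-To with From and return a list of findings."""
    msg = message_from_string(raw)
    from_addrs = _addresses(msg, "From")
    reply_addrs = _addresses(msg, "Reply-To")
    findings = []
    if not from_addrs:
        findings.append("missing From address")
    for addr in sorted(reply_addrs - from_addrs):
        if _domain(addr) not in {_domain(f) for f in from_addrs}:
            findings.append(f"Reply-To domain differs from From: {addr}")
        else:
            findings.append(f"Reply-To address differs from From: {addr}")
    return findings

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_reply_to(raw) or "no Reply-To mismatch")
```

An empty result only means the two headers agree; since the “From” field itself can be spoofed, the call-back step still applies to any payment request.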

Bank Scams at “Crisis Level”

According to the CEO of Consumer Action, a consumer protection firm, bank scams in Australia are now at a “crisis level.”

Gerard Brody made this assessment in response to a recent BEC attack which saw one Victorian grandfather scammed to the tune of $26,345. The victim, 76-year-old Bill Hall, had contracted builders to construct a small structure on his property for his family to live in. Upon receiving the invoice for the building works, he promptly paid the funds.

However, three weeks later he received a call from his financial institution advising him that the money had actually been sent to a suspicious bank account.

It soon became apparent that cyber-criminals had intercepted the invoice from the builders, and changed the payment details so Mr Hall inadvertently paid the money into a bank account controlled by the scammers. It is believed the scammers’ bank account had been established using stolen identity documents.

Of the $26,345 stolen, Mr Hall has only managed to recover $6,000.

According to Mr Brody: “It is an extraordinary fact that anyone in Australia with a phone or online presence is now being targeted by highly sophisticated scam-crooks out to thieve and steal.”

This story is an important reminder that you should always conduct call-backs before processing any payments, to ensure you are sending funds to the intended recipient.

Read our guide to conducting call-backs correctly.

Embed Security Throughout the Procure-to-Pay Process

Scammers are embracing increasingly cunning tactics with every passing day. The protection of your organisation demands that you embed secure practices throughout the Procure-to-Pay process.

In one recent case, a company that sells computer equipment narrowly avoided a BEC attack because at the last moment they realised they were sent a fake Purchase Order (PO).

A Singapore-based company that sells computer equipment recently received an order via email for 50 Dell laptops, purportedly from a Singaporean university. The company had an existing relationship with the university, having supplied them with computer equipment in the past. The value of the order exceeded AUD$100,000.

For the company, such a large order was a stroke of good luck following a slow period brought on by the pandemic. The enthusiasm to rapidly fulfil the order contributed to the company not properly scrutinising the details on the order form.

“During Covid-19, we were not doing so well. When we received a big order, we wanted to cash in,” said the company’s co-founder.

The scammers requested that the laptops be delivered to an air-freight company, who would then send them to the United Kingdom. A representative of the air-freight company decided to investigate the order, as it seemed unusual that a Singaporean university would need to send 50 laptops to the UK. At this point it was discovered that the PO was fake. The university had placed no such order for 50 laptops.

The scammers had engaged in corporate identity theft. They had taken advantage of the university’s reputation to place the order, knowing that the company selling the laptops would be unlikely to scrutinise the order from a trusted organisation prior to processing it.

Had the scam succeeded, the scammers would have received the laptops, whilst the company that supplied them would never have received any payment.

This case is an important reminder that BEC attacks take a variety of forms. The only way to ensure your organisation is fully protected is to embed secure practices throughout the Procure-to-Pay process.

Read our guide to securing your Procure-to-Pay processes and strengthen your resilience against sophisticated scammers.
