Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
For the past several years, we’ve been using the word ‘pandemic’ to describe the pervasive nature of and dramatic increase in cybercrime. Now, the impact of COVID-19 is being seized as an opportunity by cybercriminals, accelerating payments fraud significantly.
The phrase ‘cybercrime pandemic’ is justified by both the scale and the growth of the problem: it is undeniably a multi-billion-dollar-a-year problem in Australia alone and part of a trillion-dollar global issue, and its exponential growth is staggering. Businesses in Australia are being targeted and attacked daily.
While the techniques, tactics and methods of ‘modern’ cybercrime are as broad as they are sophisticated, the most prevalent and fastest-growing types of scams are those that use social engineering. More psychology than technology: fraudsters manipulate people (commonly through phishing emails and sites) to obtain their email credentials, then infiltrate those accounts and impersonate the account owners. They weaponise the compromised accounts to defraud companies, issuing fraudulent invoices and bank detail change requests to customers (in the case of supplier email compromises) or, in the case of executive scams, payment instructions to junior staff.
The business community is an ecosystem, and like a biological ecosystem, if one supplier’s email is infected, the fraud attacks quickly spread to everyone connected to that supplier. Not everyone who trades with the supplier will be susceptible; that depends on their natural defences and the countermeasures they have taken. But those that are unaware they have been infiltrated will unknowingly infect their trading partners. The fraudsters know this and are spraying the virus (not unlike an infected person sneezing or coughing on someone) over any business to whom they can send an email.
At all times, these social engineering scams take advantage of weaknesses in general human behaviour (imperfect checking and misplaced trust), gaps in the banking system (which fails to verify payee details and account numbers at point-of-payment), poor IT security hygiene (how obvious is your password?), the vulnerability of email systems and the ease of online identity theft (privacy has diminished, and social media platforms are easy to scrape for details). Moreover, they defeat payment controls that are often manual (people repetitively checking invoice details and, in turn, checking each other) and exploit lapses in segregation of duties.
The dramatic shift by business to cloud-based email providers (Microsoft Office 365, Google G Suite etc.) due to their ease of use and rich functionality has not been accompanied by a commensurate up-skilling in securing these platforms, especially in the SME world. The ease with which these can be set up and operated has led to them being set up and administered by business personnel without the training to secure them properly; for example, only a very small percentage of businesses mandate Multi-Factor Authentication (MFA) for email accounts, and most SMEs don’t even know that there is a security admin centre (it requires an additional licence for standard Office 365 subscriptions). Microsoft benchmarks an organisation’s security score (based on over 300 points for security configuration settings) against all users and against users in the same industry. The global average according to Microsoft on 6 April 2020 is 37/303, i.e. on average only 12% of the recommendations have been implemented. Even in the financial services industry, where one would expect stricter security, the average score is only 67/303, or 22%. Bear in mind that a company with MFA enabled for all users would get 30 points for that alone.
At the best of times, both statistics and news headlines show that relying on only people, policies and protocols to defend against the threat of an organised, educated, technologically advanced and motivated cybercriminal enterprise, is like taking a knife to a gunfight.
This is amplified now, when these criminal enterprises see COVID-19 as an opportunity rather than a threat.
Crime increases during times of economic uncertainty. Whether it’s fraudulent sales of urgently needed medical equipment or the dramatic increase in COVID-19 online scams (both acknowledged by the FBI), this is true of the current crisis we are now navigating. That said, the scams that use COVID-19 as subject matter are one of the more superficial opportunistic attacks from fraudsters; the greater risk is the increased vulnerability of an organisation’s general financial control environment. And as we recently highlighted to The Sydney Morning Herald, The Age and the Brisbane Times, across eftsure’s community of hundreds of customers and 1.2m verified suppliers, we’ve seen a 15-fold increase in false invoicing and malicious emails in comparison to the same period last year.
Pre-COVID-19 and pre-mass move to work-from-home (WFH), financial controls and best practice payment controls were easy to list, harder to practise and difficult to maintain perfectly.
Now, with a remote finance team, all or part working from home, maintaining those controls becomes even harder. In fact, your organisation’s entire IT and financial control environment is likely to become more vulnerable for the following reasons:
1. A remote workforce and finance team makes segregation of duties, dual authorisation and compliance checking much more difficult and prone to error and omission.
2. Vendor call-back controls are significantly more difficult to maintain. It is not just your team at home but the vendor’s teams too, so finding an independent number for someone working from home is far more difficult. Employees instead rely on emails for updated home and mobile numbers, dramatically increasing the risk.
3. It is much harder for employees to check things they are unsure of when at home than it is to ask the colleagues they sit next to in an office. This leads employees to take shortcuts and make more unilateral decisions, with consequent mistakes and misjudgements. In addition, a distracted, anxious team is more susceptible to error.
4. A much heavier reliance will be placed on received email correspondence between stakeholders than would be the case in an office. This opens huge opportunities for fraudsters.
5. The rush to use communication software without full security analysis is exposing corporations to interlopers accessing their video conferencing meetings both internally and with clients and suppliers, dramatically strengthening the fraudsters’ arsenal of tools and knowledge about how to attack the company.
6. Mass remote work strains IT infrastructure and support capability, while geography weakens IT security environments. Home internet is not as reliable or secure as corporate internet and is exposed to family and children downloading viruses and worms onto the home network. Corporate IT resources are normally very stretched – under the work-from-home explosion they do not have the resources to secure every employee’s home as they would the office. In a small company with just 10 staff, their workload is 10 times larger than a few weeks ago – not to mention corporations with thousands of staff.
7. Lack of equipment at home (e.g. printers, scanners etc.) means that organisations that had physical sign-offs of documents are typically doing this over insecure email, without the proper security around it.
Furthermore, pervasive economic stress and focus on cash-management will lead to a higher volume and more urgent demand for faster payments in general. This increased urgency and volume of legitimate payment demands makes it easier for fraudsters to slip illegitimate ones in.
The question is what to do about it. How does one maintain controls (and control!) across a distributed workforce and a remote team?
In much the same way as transformative digital solutions have enabled communication (Zoom, MS Teams, Slack) and collaboration (Trello, Jira, Confluence) across remote teams, so too are there digital solutions to enhance payment controls for finance teams. Independent third-party tools such as eftsure are designed to support distributed employees and provide secure payment workflows and include secure business/supplier communication channels. eftsure can uniquely enhance and support best practice procure-to-pay processes for remote teams and ensure you maintain control in this new remote work mode:
• Segregation of Duty
eftsure is an independent third-party, multi-user, role-based cloud solution against which you can check vendor details at point-of-vendor onboarding and at point-of-payment. This creates a source of verification independent of your internal team. We also support multiple levels of access and authorisation.
• Removes Reliance on Email for Critical Vendor Verification and Bank Account Changes
Email is the transmission vector for the fraudsters to distribute their fraud virus. Whilst people are working from home they are socially distanced from each other, but email keeps their businesses linked and susceptible. No business can operate without email, but no business should rely on email for bank account details. It is impossible to stop, filter or remove all phishing emails, and all it takes is for one of your employees or, importantly, one of your suppliers’ employees to fall for one to cause you a potential fraud. eftsure enables businesses and their suppliers to interact and make these changes through secured, encrypted channels that are verified by eftsure. It removes the reliance on email for payment data.
• Bank Detail Verification
eftsure relieves your team of the laborious and stressful task of manually verifying bank details: whether at initial vendor onboarding, change requests or at point-of-payment. Throughout the payment lifecycle we provide simple, powerful real-time alerts as to the validity of bank account details.
• Distributed Approval and Alerting
eftsure, through its multi-user segregated role functionality, allows for distributed segregation of duties in all matters relating to onboarding, managing and approving supplier changes and payments. For example, a new supplier can be invited by a staff member whose role only permits them to invite a supplier to onboard through the system, whilst another employee in a different location with an approver role can approve or reject the onboarding (all after eftsure has first verified the details). The system can alert different people in the organisation, or external to the organisation such as their auditors, of anomalies. The dashboard can show a different user which payments have been made against correct or incorrect accounts.
• Ease of Use
Being a cloud-based system means that there is no centralised IT setup or integration required. Users just require a browser and an internet connection to use the service. There is no additional load on your IT staff.
• Continuous Compliance Monitoring
eftsure provides real time alerts on a vendor’s business or tax registration status throughout the vendor management and payment processes.
• Duplicate and Out of Range Payments
Working from home makes it harder to keep track of emails and statements, and due to the stress of the situation and working on smaller laptop screens at home vs. bigger screens at work, it is much easier to make the same payment twice or type an extra zero into a payment. eftsure’s automated tracking of payment limits and frequency will alert users to such errors.
• Automated and Secure Vendor Management:
We automate vendor onboarding and maintenance. However, unlike other providers, we also verify vendor details. This drives security, efficiency and traceability.
• Mitigates the Risks of Home PCs and Internet Vulnerability
eftsure ensures all critical data is professionally secured independently from the user. So even if an AP user is (or multiple users are) hacked or falls for a changed bank details scam, when the authoriser logs into their bank to authorise the payment, eftsure will warn them prior to payment if the payment details have been altered and subverted through any compromise of the AP staff’s home environment.
• Efficiency Removes the Delays and Increases Productivity
Staff working from home have many challenges, frustrations and stresses which make them less productive. Using the eftsure automated secure tool increases productivity by removing their decision-making stress (e.g. whether a request for changed details is fraud or real), removes the work in verifying it, and automates and logs the process. Onboarding and/or verifying changed supplier details is significantly faster using eftsure than doing it manually, resulting in fewer delays in processing supplier payments and other supplier-related administration tasks. This frees up time for finance staff to focus on other key aspects of their work.
• Master Data Cleanse and Maintenance:
By rapidly analysing your master data against our verified vendor database, eftsure ensures your master data (Vendor Master File) can be cleaned and maintained.
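As an added illustration of the point-of-payment controls described in the list above (checking payee bank details against an independently verified record, flagging duplicate payments and catching an ‘extra zero’), here is a screening function in Python. It is not eftsure’s code; the vendor records, payment batch, 30-day duplicate window and 5x range factor are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
# Constructed sample data (not real accounts): independently verified vendor
# records, plus each vendor's typical maximum invoice for the range check.
VERIFIED_VENDORS = {
    "ACME-001": {"bsb": "062-000", "account": "12345678", "typical_max": 8_000.00},
    "BETA-002": {"bsb": "033-111", "account": "87654321", "typical_max": 2_500.00},
}

@dataclass(frozen=True)
class Payment:
    vendor_id: str
    bsb: str
    account: str
    amount: float
    reference: str
    pay_date: date

def screen_payments(batch, vendors=VERIFIED_VENDORS, dup_window_days=30, range_factor=5.0):
    """Return (batch index, alert code) pairs for a list of Payment objects.
    Controls: payee account must match the verified record (a changed account is
    the BEC signature); amount must not exceed typical_max * range_factor (an
    'extra zero'); same vendor/amount/reference must not recur within the window."""
    alerts = []
    seen = []  # payments already screened in this batch, for duplicate detection
    for i, p in enumerate(batch):
        v = vendors.get(p.vendor_id)
        if v is None:
            alerts.append((i, "UNVERIFIED_VENDOR"))
        else:
            if (p.bsb, p.account) != (v["bsb"], v["account"]):
                alerts.append((i, "BANK_DETAILS_MISMATCH"))
            if p.amount > v["typical_max"] * range_factor:
                alerts.append((i, "OUT_OF_RANGE_AMOUNT"))
        for q in seen:
            same = (q.vendor_id, q.amount, q.reference) == (p.vendor_id, p.amount, p.reference)
            if same and abs((p.pay_date - q.pay_date).days) <= dup_window_days:
                alerts.append((i, "DUPLICATE_PAYMENT"))
                break
        seen.append(p)
    return alerts
# Constructed batch: a clean payment, one to a changed account, one with an
# extra zero typed in, and a re-submission of the first invoice two weeks later.
SAMPLE_BATCH = [
    Payment("ACME-001", "062-000", "12345678", 7_500.00, "INV-1001", date(2020, 4, 6)),
    Payment("ACME-001", "062-000", "99999999", 7_500.00, "INV-1002", date(2020, 4, 6)),
    Payment("BETA-002", "033-111", "87654321", 24_000.00, "INV-2001", date(2020, 4, 6)),
    Payment("ACME-001", "062-000", "12345678", 7_500.00, "INV-1001", date(2020, 4, 20)),
]
```

Running `screen_payments(SAMPLE_BATCH)` flags the second payment for a bank detail mismatch, the third as out of range and the fourth as a duplicate, while the clean first payment passes; an authoriser would hold the flagged items for independent verification rather than trusting the emailed details.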
I’ll postulate that you’ve resolved your business continuity plan and are actioning it. And that you are getting increasingly comfortable with the use of tools like video conferencing to maximise productivity and collaboration during these challenging times. I’d encourage you to extend that thinking by looking to transformative digital solutions to protect and in fact, enhance your financial controls. In this way you can use the innovation and adjustments forced by one pandemic to protect you against another.
Stay safe, sane and healthy.
Mark Chazan