Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
The Australian Cyber Security Centre (ACSC) is warning of a growing trend affecting construction companies and their customers. In the past six months there has been an increase in cybercriminals targeting building and construction companies to conduct email scams within Australia.
Whilst the numerous COVID-19 lockdowns over the past year saw many industries suffer, Australia’s construction sector weathered the storms better than most and was successfully able to maintain operations. And whilst this is undoubtedly good news, it also placed the construction sector firmly in the sights of scammers on the hunt for opportunities.
All Australian construction companies need to be aware of the risks and should be taking precautionary measures to avoid becoming an email scam victim.
Among the most common threats Australian construction companies face are Business Email Compromise (BEC) scams. According to the ACSC, there were 4,255 reported instances of BEC scams in FY 2019-2020, with losses exceeding $142 million. That figure is steadily rising year-on-year.
Typically, in BEC scams, cyber criminals hack into your suppliers’ email systems. When a supplier sends you an invoice, the criminals manipulate the banking details in the email. Without knowing it, your accounts payable team processes an EFT payment to the scammer’s bank account.
Scammers may also compromise the email accounts of an organisation’s CEO or CFO. Fake emails are then sent to the accounts team, instructing them to wire funds to the scammer’s bank account.
The important point to remember is that once your accounts team processes an EFT payment, there’s no retrieving the funds.
With construction and building companies constantly procuring supplies and paying invoices, the opportunities for scammers are endless.
However, following some basic security measures will help mitigate the risk significantly.
All accounting teams in construction companies should be extra vigilant when communicating by email, particularly when discussing bank account details or invoicing.
The ACSC also advises following these steps:
Verify payment-related requests: When receiving a request to make a large transfer or to change bank account details, always verify that the request is legitimate before actioning it. Independently source the supplier’s phone number and call the sender’s established phone number before transferring any funds.
Secure your email account: It is recommended that construction companies and related businesses use strong passphrases and enable multi-factor authentication on all email accounts.
Training and awareness: Ensure all accounting staff are trained to recognise suspicious emails, including fraudulent bank account changes or requests to check or confirm login details. The latter may be a phishing attack which could compromise account security.
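As an added illustration of the "Verify payment-related requests" step (example code written for this page, not an ACSC or eftsure tool), the sketch below holds any invoice whose bank details differ from the vendor master file or whose amount counts as a large transfer, and always returns the phone number already on file for the call-back. The vendor record, the threshold, the function names and all sample values are constructed assumptions.

```python
import re

def digits(value):
    """Keep digits only so formatting differences do not affect comparison."""
    return re.sub(r"\D", "", value)

# Constructed vendor master record: bank details and phone number captured and
# verified at supplier onboarding, never updated from an emailed request.
VENDOR_MASTER = {
    "SUP-001": {"bsb": "000111", "account": "12345678", "phone": "02 5550 0101"},
}
LARGE_TRANSFER_AUD = 10_000  # assumed threshold; set according to your own policy

def review_payment(vendor_id, bsb, account, amount_aud, phone_in_email=None):
    """Return PAY, or HOLD with reasons and the number to use for the call-back."""
    record = VENDOR_MASTER.get(vendor_id)
    if record is None:
        return {"action": "HOLD", "reasons": ["vendor not in master file"],
                "call_back": None}
    reasons = []
    if (digits(bsb), digits(account)) != (record["bsb"], record["account"]):
        reasons.append("bank details differ from vendor master")
    if amount_aud >= LARGE_TRANSFER_AUD:
        reasons.append("large transfer")
    if phone_in_email and digits(phone_in_email) != digits(record["phone"]):
        reasons.append("email supplies an unrecognised phone number")
    if not reasons:
        return {"action": "PAY", "reasons": [], "call_back": None}
    # Always call the number already on file, never one taken from the email.
    return {"action": "HOLD", "reasons": reasons, "call_back": record["phone"]}

if __name__ == "__main__":
    # Constructed invoices: one unchanged, one with altered account and new phone.
    print(review_payment("SUP-001", "000-111", "1234 5678", 4_200))
    print(review_payment("SUP-001", "000-222", "8765 4321", 4_200, "0491 570 006"))
```

A held payment is released only after someone has spoken to the supplier on the `call_back` number and confirmed the details.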
eftsure has pioneered a unique fraudtech solution to address the challenge of EFT payment security. By aggregating banking and other corporate data from over 2 million Australian organisations, we have built the nation’s largest independently verified database. Each time your accounts team processes an EFT payment, the banking details are cross-matched against this database.
Sitting over your banking platform, eftsure gives your accounts team real-time intelligence via ‘green-thumb’ or ‘red-thumb’ signals. These indicate whether the banking details you are using to process an EFT payment match the details used by other companies to pay the same supplier.
eftsure recently helped one of Australia’s leading construction and engineering companies avoid a $1 million fraud as a result of a supplier’s email account being compromised.
With eftsure integrated into their systems, the construction and engineering company was alerted to the fact that the IP address being used to populate supplier banking details didn’t match the IP address of the region where the supplier was actually located.
This critical red flag ensured that the payment was put on hold pending further investigations, which revealed the fraudulent activity.
Contact eftsure today for a demonstration of how we can also help your construction and building company avoid costly email scams.