Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
Cyber-criminals are always on the hunt for new ways to defraud organisations. Executive Email Compromise is an attack vector that uses the email accounts of senior management to deceive Accounts Payable staff into processing illegitimate funds transfers.
In this blog we explore Executive Email Compromise and what you can do to protect your organisation.
Executive Email Compromise, or EEC, sees cyber-criminals impersonate an organisation’s senior management in order to deceive staff into believing they have received instructions from a superior, typically the CEO or CFO.
In most cases, EEC is a tactic that’s used to defraud an organisation, by tricking Accounts Payable (AP) staff into sending funds to a bank account controlled by the scammers.
EEC is an effective attack vector because cyber-criminals understand that most staff have a natural desire to please their bosses. Whenever staff receive instructions from senior management, they usually comply with those instructions as quickly as possible.
It is highly unlikely that an AP staff member would ignore an instruction from their CEO or CFO to process a payment – particularly if they are told the payment is urgent. The staff member would naturally be concerned that any delay in processing the payment could result in a range of difficulties for their organisation, in turn causing problems for the executive who issued the payment instruction.
Cyber-criminals routinely take advantage of the human desire to be efficient and helpful. Whilst dealing promptly with matters in the workplace is certainly an admirable attribute, it’s important that this does not come at the expense of payment security.
Typically, a cyber-criminal first gains unauthorised access to an executive’s email account, whether by breaking into the corporate network or by phishing the executive’s password.
With that access, the cyber-criminal sends fake emails from the executive’s own account to AP staff with urgent payment instructions. Invariably, the funds are then sent to a bank account controlled by the attacker, who either transfers the money to offshore accounts or converts it into cryptocurrency.
At this point, it is too late for the defrauded organisation to recover the funds.
EEC is notoriously difficult to prevent because it typically exploits a legitimate email account.
Because the fake emails are sent from the executive’s genuine account and mailbox, they pass the usual tools that weed out malicious email: the sender really is who the message says it is, so sender checks and spam filters have nothing to object to.
Even if AP staff closely scrutinise the email’s “From” and “Reply-To” fields, they are unlikely to identify the email as malicious. Furthermore, whilst AP staff may be trained to call a vendor each time they process an invoice, they are unlikely to have call-back controls in place every time they follow an instruction issued by their CEO or CFO.
In a sign of just how cunning cyber-criminals have become, they often send their fake payment instruction at a time when they know the executive will be uncontactable, such as when they are about to board an international flight. This makes the AP officer even more likely to carry out the payment instruction without verifying its authenticity.
Not all work-related communications occur via email.
Increasingly, staff use a range of channels to communicate and collaborate. Everything from video conferencing tools, such as Zoom, to team-collaboration applications, such as Slack and Discord, have become ubiquitous since hybrid work became commonplace during the pandemic.
All these channels can also be exploited by cyber-criminals who are impersonating your organisation’s senior management.
Once a cyber-criminal gains access to an executive’s computer systems, they can use these tools to send messages to AP staff with instructions to transfer funds to a bank account they control.
Whilst AP staff may be on the lookout for suspicious emails, they should also be trained to act with caution on every type of communication channel. Staff may be particularly vulnerable when using such tools because they often access them on mobile devices, when their guard is down.
Cyber-criminals have even been known to generate deepfake messages of executives as a way of deceiving AP staff. A deepfake is a fabricated video or audio message of a person that looks and sounds authentic; it uses artificial intelligence to impersonate a trusted individual, and can be almost impossible to identify.
It’s not easy to stop sophisticated cyber-criminals. They are continuously hunting for any new opportunity to deceive AP staff into processing illegitimate payments to bank accounts they control. Whilst invoice manipulation remains the most common tactic, it is by no means the only tactic.
Cyber-criminals are increasingly taking advantage of the desire by most AP staff to be efficient and helpful in the workplace. By impersonating executives and using their legitimate email accounts to issue fake payment instructions, cyber-criminals have identified a new way to carry out online fraud.
Expecting busy AP staff to identify every malicious attempt to deceive them is both unfair and ultimately doomed to fail. Instead, you need a tool in place that automatically checks whether each outgoing payment is going to the intended recipient.
With Eftsure sitting on top of your accounting processes, payments that are not being sent to an intended recipient can be flagged in real time, allowing your AP team to pause and investigate further.
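The two controls this post calls for, matching every outgoing payment against verified payee details and insisting on a call-back for executive instructions whatever channel carried them, as an added illustration that is not Eftsure’s code. The vendor register, executive addresses and threshold are constructed for the example.

```python
"""Pre-payment control for the EEC pattern described above: hold any outbound
payment whose bank details do not match the verified payee register, or that an
executive instructed without an out-of-band call-back. Constructed example."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Payee:
    name: str
    bsb: str        # Australian bank-state-branch code (constructed values below)
    account: str

@dataclass(frozen=True)
class PaymentRequest:
    payee: str
    bsb: str
    account: str
    amount: float
    instructed_by: str                # address or handle the instruction came from
    channel: str                      # "email", "slack", "zoom", "phone", ...
    urgent: bool = False
    callback_verified: bool = False   # AP phoned the instructor on a number on file

# Constructed vendor master: the only bank details AP is permitted to pay.
VERIFIED_PAYEES = {
    "Acme Medical Supplies": Payee("Acme Medical Supplies", "062-000", "12345678"),
}
# Constructed executive identities whose instructions always need a call-back
# when the payment is urgent or above the threshold, whatever channel carried them.
EXECUTIVES = {"ceo@example.org", "cfo@example.org"}
CALLBACK_THRESHOLD = 5000.0

def assess_payment(req: PaymentRequest) -> list[str]:
    """Return the reasons this payment must be paused; an empty list means release."""
    reasons: list[str] = []
    known = VERIFIED_PAYEES.get(req.payee)
    if known is None:
        reasons.append("payee not in verified register")
    elif (req.bsb, req.account) != (known.bsb, known.account):
        reasons.append("bank details differ from verified register")
    needs_callback = req.urgent or req.amount >= CALLBACK_THRESHOLD
    if req.instructed_by in EXECUTIVES and needs_callback and not req.callback_verified:
        reasons.append(f"executive instruction via {req.channel} without call-back")
    return reasons

def should_release(req: PaymentRequest) -> bool:
    """Release only when no control fired; anything flagged goes to investigation."""
    return not assess_payment(req)
```

Note that the call-back rule keys on who issued the instruction, not on the channel, so a message over Slack or a video call is held just as an email would be.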
Contact Eftsure for a demonstration of our platform and start protecting your organisation from Executive Email Compromise today.