Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
According to the experts, the big question is not if, but when, your company will be hit by a cyber-attack. The number of attacks keeps rising. Indeed, the Telstra Cyber Security Report 2017 found that 59% of Australian organisations were detecting a business-interrupting security breach on at least a monthly basis, double the 24% recorded in 2015.

It can happen to any kind of business. Consumer Affairs Victoria, for example, reveals that criminals have hacked into the email accounts of real estate agents. Once an agent emails a home buyer the trust account details into which they should transfer their deposit, the hackers send a second email advising that those details were ‘incorrect’ and providing the details of a false account, so the buyer pays into the wrong account.

Research also shows that attacks can go undetected for long periods of time. The Brisbane outlet of safety wear brand Totally Workwear, for example, recently had its accounting system compromised when thieves hacked in and changed the banking details of five of its suppliers. It only found out that it had been fleeced of $76,000 after a creditor complained about not being paid.

In another instance, cybercriminals posed as the CEO and chief operating officer (COO) of a large business. They sent a spoofed email, purporting to be from the CEO (who was travelling at the time), requesting that the financial controller make a large payment. A second email, purporting to be from the COO, was then sent to the financial controller; it contained a false email trail approving the CEO’s request for payment. Not realising the request was a scam, the business made two payments to the cybercriminals’ overseas bank accounts, one for over US$200,000 and one for almost US$300,000.

Because they control the company’s purse strings, finance and accounts payable departments are often considered an attractive target for these crooks. Don’t let your department be next!
Here are five steps you can take to stay ahead of cyber scams:
#1: Understand the risks
The tactics used by cybercriminals are constantly evolving and include the likes of social engineering, malicious software, phishing, ransomware, business email compromise and even recruiting insiders to help. Researching and understanding the many ways you could be attacked is your first line of defence. It’s also crucial to understand the risks specific to your own organisation and to identify its weak spots. This means testing your current processes and systems to identify vulnerabilities, perhaps with the help of more experienced external experts.
#2: Beef up your general security
It’s been said that passwords are like underpants. They need to be changed often, shouldn’t be shared and shouldn’t be left lying around for others to see. Look at whether you can strengthen the company’s passwords, for example by requiring them to have more characters and a combination of letters, numbers and symbols. Consider restricting user access to certain systems and applications, and ensure that those who leave the company no longer have any access.

Review whether there are any vulnerabilities in how your company provides remote access. Cyber crooks, for example, are increasingly using Microsoft’s Remote Desktop Protocol (RDP) to spread ransomware.

Also check that you have the best cyber security and anti-spyware software and firewall settings in place, and that you are patching your systems and applying regular updates. And have the right technology to ensure your important data is regularly backed up, so that you can recover what you’ve lost if you are attacked.
#3: Tighten your payments security
Once you understand the threats out there, take a hard look at your payments processes and identify potential weaknesses. Ways to plug these could include ensuring there is clear separation of duties between staff and adding more verification steps. Promote a culture where it’s safe for staff to question any requests that don’t look right. Also, encourage them not to rely on email and to actively verify money transfer requests and changes in vendor payment details.

While checking with senior executives or verifying by phone are options, they are time-consuming, inefficient and hold their own risks. Independent third-party verification systems such as EFTsure’s “Know Your Payee” Solution automate payment checking and supplier verification, saving time on manual processes and reducing human error.
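The two controls this step describes, separation of duties and independent verification of changed payee details, can be expressed as a release check that runs before any payment leaves the accounts payable system. The following is an added illustration written for this article; it is not Eftsure’s code and does not describe how the “Know Your Payee” product works. The vendor master records, the call-back verification log and the user names are constructed sample data, and the field names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed vendor master: bank details captured at onboarding and confirmed
# by phone at the time, never taken from an inbound email.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "V-1001": {"name": "Example Supplies Pty Ltd", "bsb": "062-000", "account": "12345678"},
    "V-1002": {"name": "Example Cleaning Co", "bsb": "033-100", "account": "87654321"},
}

# Constructed out-of-band verification log. Each key is a proposed
# (vendor_id, bsb, account) that a staff member confirmed by calling the
# phone number already held on file; the value is who made that call.
VERIFIED_CHANGES: Dict[Tuple[str, str, str], str] = {
    ("V-1002", "033-100", "11112222"): "j.lee",
}


@dataclass
class PaymentRequest:
    vendor_id: str
    bsb: str
    account: str
    amount: float
    requested_by: str
    approved_by: str


@dataclass
class Decision:
    release: bool
    reasons: List[str] = field(default_factory=list)


def check_release(req: PaymentRequest,
                  master: Dict[str, Dict[str, str]] = VENDOR_MASTER,
                  verified: Dict[Tuple[str, str, str], str] = VERIFIED_CHANGES) -> Decision:
    """Decide whether a payment may be released; every blocking reason is listed."""
    reasons: List[str] = []
    record = master.get(req.vendor_id)
    if record is None:
        return Decision(False, ["unknown vendor: onboard and verify before paying"])

    # Separation of duties: the person who raised the payment cannot approve it.
    if req.requested_by == req.approved_by:
        reasons.append("requester and approver are the same person")

    # Payee details that differ from the vendor master are the classic BEC
    # redirection. They are accepted only when an independent call-back to the
    # number on file has been logged, and only if a third person made that call.
    if (req.bsb, req.account) != (record["bsb"], record["account"]):
        verifier = verified.get((req.vendor_id, req.bsb, req.account))
        if verifier is None:
            reasons.append("bank details differ from vendor master and have no "
                           "recorded call-back verification")
        elif verifier in (req.requested_by, req.approved_by):
            reasons.append("call-back verification must be performed by someone "
                           "other than the requester or approver")

    return Decision(release=not reasons, reasons=reasons)


if __name__ == "__main__":
    # An emailed "our bank details have changed" invoice, paid as requested
    # with no call-back: this is the case the article's victims fell into.
    redirected = PaymentRequest("V-1002", "033-100", "99990000", 48000.0, "a.smith", "b.jones")
    print(check_release(redirected))
    # The same vendor, but a change that was verified by phone beforehand.
    verified_change = PaymentRequest("V-1002", "033-100", "11112222", 48000.0, "a.smith", "b.jones")
    print(check_release(verified_change))
```

The check is deliberately independent of where the request arrived from: an emailed change of bank details is neither trusted nor rejected on its own, it simply has no effect until someone other than the requester and approver has confirmed it through a channel the company already held before the email arrived.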
#4: Train your staff
Since employees are usually the target of cybercrime, especially those in finance and accounts payable, equip them with the skills and tools to spot threats and respond effectively.

Introduce cyber safety awareness programs, workshops and simulations that teach staff how to recognise spam and phishing messages and make them aware of the wide variety of threats out there. Also instruct them on how to create strong passwords and how to verify and report suspicious online activity.
#5: Make cyber security part of your DNA
Constantly reminding staff at all levels about the risks of cybercrime will, over time, help build a strong security-conscious culture for your entire business. Ensure the right tone is set from the top down and that management sets a good example.

And remember, this is just the start! Constantly review this threat and keep getting better at fighting it because, as the statistics and headlines keep confirming, cybercriminals just keep getting better at what they do.
Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.