Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
So, you have Multi-Factor Authentication (MFA) set up on all your applications.
Well done!
You have certainly taken a step in the right direction.
But don’t make the mistake of resting on your laurels. Scammers intent on launching Business Email Compromise (BEC) attacks are finding ways to circumvent MFA. This Scams Awareness Week, it’s important you have a realistic understanding of the benefits, as well as the limitations of MFA.
We recently took a deep dive into the methods being used by scammers to gain illegitimate access to email accounts through webmail applications.
However, there are numerous other ways scammers are circumventing MFA.
Here are 4 ways Multi-Factor Authentication may still be leaving you exposed to dangerous scams:
Most of us would now be familiar with one of the most common MFA controls: the one-time-passcode sent to your mobile device.
It works quite simply: once you enter your username and password to log in to an application, you are sent a code via SMS. Only when you enter that code into the web application are you authenticated and able to complete the login.
So, how are scammers circumventing this widely used security measure?
It starts with the scammers contacting your telco provider. They attempt to deceive representatives at the telco into believing they are the legitimate owner of your mobile number. Of course, the scammer will need to have acquired enough information about you to deceive the telco representative. This is usually achieved by a combination of social engineering and open-source intelligence.
If the scammer succeeds in deceiving the telco representative, they can have your mobile number assigned to their SIM card.
This opens the way for scammers to gain access to a wide range of applications, including email accounts. They then have the ability to spoof representatives of your organisation or supplier organisations, in order to launch BEC attacks.
SIM swapping requires quite a bit of effort on the part of scammers. However, if you misplace your mobile device, or it is stolen, information may be exposed to scammers that enables them to launch BEC attacks.
Once a scammer has access to your mobile device, they will be able to use MFA to authenticate on any number of applications, including email accounts.
The physical security of devices is essential to preventing unauthorised access to your organisation’s data. Never leave devices unattended, even momentarily. If one of your devices is lost or stolen, make sure your organisation’s IT department is made aware, so they can remotely wipe any sensitive data.
It is easy to assume that if you log in to an application using MFA, any data transfers to or from that application are fully secure.
That is not necessarily the case, particularly if you are using public Wi-Fi networks.
In an era when so many staff are working remotely, many may be tempted to work in coffee shops or other public settings, where Wi-Fi is available. However, in many cases, these public Wi-Fi networks don’t offer the levels of security offered by either enterprise or even residential Wi-Fi networks.
A Man-In-The-Middle attack can occur when a scammer is able to intercept the data you are transferring across a public Wi-Fi network. This type of attack may expose a range of sensitive information, including passwords to applications and email accounts.
Naturally, once a scammer has access to these details, they can conduct all sorts of damage, including BEC attacks.
It is therefore always preferable to use known, trusted workplace or residential Wi-Fi networks. However, if you need to use a public Wi-Fi network, always do so with a Virtual Private Network, or VPN. This ensures data is encrypted, making it much harder for a scammer to intercept it.
Phishing remains one of the most common and effective methods for scammers to obtain email login credentials, allowing them to access mailboxes and carry out BEC attacks.
Most phishing attempts involve sending fake emails or SMS messages containing malicious links. Often, these links will redirect the recipient to a fake website that is carefully designed to look identical to a legitimate website.
In many cases, even the URL of the fake website will closely resemble the legitimate one. Just one or two characters may be altered, such as replacing the letter “O” with a zero.
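The one-or-two-character substitutions described above can be caught mechanically before a user ever clicks. The following is an added example, not code from the original article or from eftsure: it compares the host in a link against a constructed list of trusted domains, folding common look-alike characters (zero for “O”, one for “l”) and flagging hosts within a couple of edits of a trusted name. The trusted domains and the confusable map are assumptions for illustration.

```python
# Added example (not from the original article): flag lookalike domains where a
# scammer has swapped one or two characters, e.g. the letter "O" for a zero.
from urllib.parse import urlparse

# Assumption: a small illustrative map of characters scammers substitute for
# each other, not an exhaustive Unicode confusables table.
CONFUSABLES = {"0": "o", "1": "l", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample allow-list of legitimate hosts.
TRUSTED_DOMAINS = {"example-webmail.com", "login.example-bank.com.au"}


def normalise(host: str) -> str:
    """Fold confusable characters so 'examp1e-webmail' compares equal to 'example-webmail'."""
    s = host.lower()
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a value of 1 or 2 means 'one or two characters altered'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host part of a link."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if host in trusted:
        return "trusted"
    for t in trusted:
        # Either the folded forms match (O->0 style swaps) or the raw host is
        # within a couple of edits of a trusted name (dropped or added letters).
        if normalise(host) == normalise(t) or edit_distance(host, t) <= max_edits:
            return "lookalike"
    return "unknown"
```

A link classified as "lookalike" is the case the article warns about; a mail gateway or awareness tool would hold or annotate such a message rather than pass it through.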
Many times, the fake websites are designed to imitate webmail applications. The victim will be prompted to log in using their username and password. In cases where MFA is configured, the scammer may already have compromised the victim’s mobile phone number through SIM swapping, giving them unfettered access to email accounts.
At this point, there are no impediments to launching a BEC attack.
As you can see, there are many tactics scammers are using to bypass Multi-Factor Authentication. Whilst MFA certainly increases your levels of security, it should not be seen as foolproof. Smart scammers are finding new ways to circumvent MFA on a daily basis, thereby paving the way for them to engage in Business Email Compromise attacks.
With eftsure sitting on top of your accounting processes, you will be able to ensure that outgoing payments are being sent to the intended recipient. Even if a cyber-criminal has successfully circumvented your MFA controls, their capacity to steal your funds will be constrained.
eftsure verifies all outgoing EFT payments against our database comprising over 2 million Australian organisations. Verification takes place in real-time immediately prior to a payment being processed by your Accounts Payable team.
With eftsure in place, scammers will be blocked from profiting at your expense, irrespective of whether or not they managed to evade your MFA security controls.
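The financial control described above, checking each outgoing EFT instruction against verified payee bank details before Accounts Payable releases it, can be sketched in a few lines. This is an added example and not eftsure’s own code or database: the supplier register and the payment batch are constructed sample data, and the BSB format is Australian (six digits, written XXX-XXX).

```python
# Added example (not eftsure's code): hold any outgoing payment whose payee bank
# details do not match a verified register, the usual sign of a BEC
# "change of bank details" request. Register and batch are constructed samples.
from dataclasses import dataclass


@dataclass(frozen=True)
class BankDetails:
    bsb: str      # Australian Bank-State-Branch code, normalised to "XXX-XXX"
    account: str


# Constructed sample register: verified supplier name -> verified bank details.
VERIFIED_REGISTER = {
    "Acme Medical Supplies Pty Ltd": BankDetails("062-000", "12345678"),
    "Harbour Cleaning Services": BankDetails("033-123", "87654321"),
}


def norm_bsb(bsb: str) -> str:
    """Accept '062000', '062 000' or '062-000' and return 'XXX-XXX'."""
    digits = "".join(ch for ch in bsb if ch.isdigit())
    return f"{digits[:3]}-{digits[3:]}" if len(digits) == 6 else bsb.strip()


def check_payment(payee: str, bsb: str, account: str, register=VERIFIED_REGISTER) -> str:
    """Return 'verified', 'mismatch' (details differ from the verified record)
    or 'unknown_payee' (no verified record exists, so nothing can be confirmed)."""
    known = register.get(payee.strip())
    if known is None:
        return "unknown_payee"
    if norm_bsb(bsb) == known.bsb and account.strip() == known.account:
        return "verified"
    return "mismatch"


def screen_batch(batch, register=VERIFIED_REGISTER):
    """Split a payment run into (release, hold); only verified payments are released."""
    release, hold = [], []
    for p in batch:
        status = check_payment(p["payee"], p["bsb"], p["account"], register)
        (release if status == "verified" else hold).append({**p, "status": status})
    return release, hold
```

Anything landing in the hold list is confirmed out of band with the supplier on a known phone number, never by replying to the email that requested the change.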
Contact us today for a no-obligation demonstration and learn how eftsure can secure your organisation from the threat of scammers and fraud.