Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
Cyber-scams are a crime. Yet unlike other crimes, all too often we blame and shame the victims of online scams by claiming they were too gullible or foolish.
This is the wrong approach.
It is time to understand that scammers are increasingly sophisticated. Identifying a scam is challenging for anyone, even trained professionals.
This Scams Awareness Week, the time has come to focus on opening up and speaking about scams. Only through open dialogue about the challenge can we improve the awareness that helps everyone stay secure.
Phishing, Social Engineering, Business Email Compromise attacks.
The pandemic has been a boon for cyber-criminals. With millions of employees working from home, scammers are making the most of lax security and payment controls to target Australian organisations at rates never before seen.
Yet, unlike other offences, when it comes to cyber-crime, we continue to blame and shame the victims.
Victim blaming occurs when the victim of a crime is held entirely or partially responsible for the harm they experienced. Organisations that are targets of cyber-crime not only face the very real potential of legal penalties and fines for data breaches, they can also suffer costly long-term reputational damage as customers, shareholders and others perceive the organisation as a fraud risk.
The time has come to stop blaming and shaming victims. Any organisation in Australia can be targeted by scammers who are resorting to increasingly sophisticated tactics. Only when we stop judging victims and begin openly sharing information about scams can we collectively increase our resilience to these crimes.
This year’s Scams Awareness Week runs from November 8 – 12. It is an initiative of the Australian Competition and Consumer Commission (ACCC), which runs Scamwatch, and the theme this year is “Let’s Talk Scams.”
The goal is to encourage people to talk with each other about scams. With the costs of invoice redirection scams exceeding $128 million in 2020, there’s never been a more important time than now for conversations around scams.
Irrespective of whether your organisation has been victimised, every organisation can at some point be a target. It’s critical we all work together and share information in order to remain one step ahead of the scammers.
That is the core principle behind eftsure. By aggregating data from over 2 million Australian organisations, we are sharing critical information as widely as possible.
We call our approach Multi-Factor Verification.
By verifying banking information from multiple sources, it is possible to have confidence that the banking details you are using when processing EFT payments to suppliers are legitimate. With eftsure sitting on top of your accounting processes, you gain assurance that the payment details have not been manipulated by scammers carrying out invoice redirection scams.
That is why eftsure is a proud supporter of the Scams Awareness Week.
In a landmark report to the Criminology Research Advisory Council titled “Improving responses to online fraud victims: An examination of reporting and support,” many of the emotional and psychological impacts of online fraud were explored.
Victims reported feeling intense shame and embarrassment. Many blamed themselves, believing they had been gullible or foolish. Perhaps most concerning is that the strong stigma associated with online fraud resulted in many victims being unwilling to report these crimes to police or others.
If such crimes go unreported to organisations such as the police or Scamwatch, identifying patterns of criminal activity becomes increasingly difficult. It becomes harder to identify new scam tactics, raise broad awareness and warn others what dangers to be looking out for.
In the past, victims of online fraud have reported that others have not taken these crimes as seriously as they should have. Victims often found themselves falling through the cracks, being referred from organisation to organisation.
In particular, this has been the experience of many victims of invoice redirection scams. Victims report that the banks have been unable to offer much assistance, as they do not have the ability to verify that an Account Name matches either the BSB or the Account Number when an EFT payment is processed. The ACCC has been on the front foot urging the banks to do more to prevent these types of scams.
Thankfully, there is now help for victims. IDCare is a unique organisation that is taking these issues seriously. By offering extensive advice and incident response services, IDCare is at the forefront of helping scam victims.
There are many scams being perpetrated on a daily basis against Australian organisations. What they all have in common is the desire by criminals for financial gain. These criminals are constantly adapting their tactics to take advantage of any perceived weakness in internal payments controls.
That is why it is critical that every organisation embed security throughout the Procure-to-Pay cycle.
7 of the most common scams we are currently witnessing include:
Phishing is the attempt by cyber-criminals to either infect your IT systems with malicious software, or obtain confidential information from your organisation.
In a typical phishing exercise, scammers will spoof a legitimate organisation to send you fake emails.
These emails often contain dangerous links or attachments. When clicked or opened, they install malicious software, or malware, on your computer systems. Malware may install Remote Access Trojans or backdoors that grant the cyber-criminals unfettered access to all your systems and corporate data. Malware can also be wormable, spreading to other computers and facilitating data exfiltration.
Other phishing exercises may see criminals email you a link to a fake website where you need to enter confidential login and password credentials, often to online banking portals.
Social Engineering is the attempt by cyber-criminals to deceive people in your organisation into revealing confidential information that paves the way for them to initiate a scam against your organisation.
In many cases a Social Engineering attempt will see the scammers call your Accounts Payable team pretending to be a representative of one of your suppliers. They may attempt to have the supplier’s banking details updated in your ERP system. The next time you pay the supplier, the funds will be sent to a bank account controlled by the scammer.
The most common type of Business Email Compromise (BEC) attack we see involves scammers impersonating senior executives in victim organisations, such as the CEO or CFO.
BEC usually begins with the scammers gaining access to the executive’s email account. They then send legitimate-looking emails to Accounts Payable staff instructing them to make an urgent EFT payment.
Vendor Email Compromise (VEC) is similar to a BEC attack, but sees scammers targeting an organisation’s suppliers rather than the organisation itself.
Once a supplier’s email systems are compromised, the scammers proceed to email all the supplier’s commercial partners with updated bank account details. A VEC attack is now preferred by many scammers as one breach paves the way to target many other organisations.
New advances in Artificial Intelligence (AI) technologies are enabling scammers to create highly realistic audio and video impersonations that are able to easily deceive most people.
By feeding a short audio or video sample of an organisation’s CEO or CFO into the latest software programs, it is possible to create a fake recording of that executive giving payment instructions to Accounts Payable staff. When unsuspecting staff hear or see a message from their CEO/CFO instructing them to process an EFT payment, there is no indication that the message is actually fake.
There is much coverage of individual identity theft. Scammers obtain essential information about an individual before applying for loans or credit cards in that individual’s name.
Similar tactics can be employed against an organisation.
Business Identity Theft may result in scammers stealing sensitive corporate data as a first step in committing various crimes. These may include tax fraud, applying for business loans or credit cards in the business name, holding domain names or trademarks for ransom or manipulating business registration details.
In these scams, someone claiming to be from an organisation’s IT department, or a representative of a third-party IT/Telco company, calls the Accounts Payable team claiming to have identified a problem. The scammer requests remote access to the device in order to repair the non-existent problem.
Once the unsuspecting victim is duped into providing access to their device, the scammer will gain access to a range of applications and confidential information that can be used to defraud the victim organisation.
Scams are increasingly sophisticated. Blaming and shaming the victims of scams is definitely the wrong approach. It is not fair to expect Accounts Payable staff to be experts in every type of scam, especially with scammers constantly adapting their tactics to take advantage of new perceived vulnerabilities.
A much better approach is for organisations to share information with each other. This is the eftsure approach.
We aggregate banking information from over 2 million Australian organisations into a comprehensive database. This platform sits on top of your accounting processes, enabling you to check in real time whether the supplier banking information you are using to pay an invoice was also used by other organisations when paying the same supplier.
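The cross-check described here and in the Multi-Factor Verification passage above can be sketched in code. This is an added illustration, not eftsure’s own code or data: the organisation names, supplier ids, BSBs and account numbers are constructed, and the account-number length rule is an assumed sanity check.

```python
import re
from collections import defaultdict

# Constructed sample data: what other organisations used when paying each supplier.
# Fields: (paying_org, supplier_id, bsb, account). All identifiers are made up.
OBSERVED = [
    ("org-A", "SUP-1001", "123-456", "11111111"),
    ("org-B", "SUP-1001", "123456", "11111111"),   # same BSB, written without hyphen
    ("org-C", "SUP-1001", "123-456", "11111111"),
    ("org-D", "SUP-2002", "654-321", "22222222"),
    ("org-E", "SUP-3003", "654-321", "22222222"),  # one account claimed by two suppliers
]

def normalise_bsb(bsb):
    """Return the 6-digit BSB with any hyphen removed, or None if malformed."""
    digits = bsb.replace("-", "")
    return digits if re.fullmatch(r"\d{6}", digits) else None

def build_index(observations):
    """Index sightings by (supplier, bsb, account) and by (bsb, account)."""
    by_details = defaultdict(set)  # (supplier, bsb, acct) -> orgs that paid to it
    by_account = defaultdict(set)  # (bsb, acct) -> suppliers it was used for
    for org, supplier, bsb, acct in observations:
        key = (supplier, normalise_bsb(bsb), acct)
        by_details[key].add(org)
        by_account[key[1:]].add(supplier)
    return by_details, by_account

def verify_payment(index, supplier, bsb, account, own_org, min_sources=2):
    """Classify proposed payment details against what other organisations have seen.

    Returns (verdict, reasons) where verdict is one of
    'invalid', 'conflict', 'verified' or 'unverified'.
    """
    by_details, by_account = index
    nbsb = normalise_bsb(bsb)
    # Assumed sanity check: account numbers are digits only, up to 10 long.
    if nbsb is None or not re.fullmatch(r"\d{1,10}", account):
        return "invalid", ["BSB must be 6 digits and account 1-10 digits"]
    # An account already tied to a different supplier is a redirection red flag.
    other_suppliers = by_account.get((nbsb, account), set()) - {supplier}
    if other_suppliers:
        return "conflict", [f"account also used for {sorted(other_suppliers)}"]
    # Independent corroboration: other organisations paying this supplier here.
    sources = by_details.get((supplier, nbsb, account), set()) - {own_org}
    if len(sources) >= min_sources:
        return "verified", [f"matches details used by {len(sources)} other organisations"]
    known = {k[1:] for k in by_details if k[0] == supplier and k[1:] != (nbsb, account)}
    if known:
        return "unverified", [f"differs from {len(known)} account(s) others used for this supplier"]
    return "unverified", ["no independent sighting of these details; confirm out-of-band"]
```

The `conflict` and `unverified` verdicts are the cases where an Accounts Payable team should hold the payment and confirm the details with the supplier through a known phone number rather than the contact details on the invoice.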
By sharing information, every organisation benefits through an enhanced ability to thwart scammers, irrespective of any new tactics they adopt.
Contact eftsure today for a full demonstration of how we can also help your organisation avoid increasingly sophisticated scams.