3 myths that expose AP teams to cybercrime

1. We’re already vigilant, and we aren’t big enough to target anyway

Unfortunately, cybercriminals aren’t just looking for the biggest targets – they’re looking for opportunities, and that doesn’t have to involve targeting a multinational corporation with billions of dollars. In fact, small businesses tend to be more frequent victims of scams, potentially because they have fewer resources to defend themselves. The Australian Institute of Criminology (AIC) has estimated that small to medium business (SMB) owners, operators and managers are more than twice as likely to be victims of cyber scams than those at bigger companies. And, when they did fall victim, they tended to lose larger amounts of money than other victims.

Digitisation means scammers can target anyone from anywhere, and they’re constantly on the hunt for unsuspecting new targets. Additionally, technology can help scammers offset disadvantages like language barriers or time constraints. Malicious AI tools like WormGPT or FraudGPT are designed to aid illicit activity and may be trained on data that includes phishing or malware-related information.

2. Our best-practice accounting controls protect us

When talking to finance leaders, it’s common to hear confidence in existing controls’ ability to thwart cybercrime. But finance teams are up against scammers who continuously look for new vulnerabilities and may even have in-depth knowledge of targets’ financial processes.

The most common vulnerability? Old-fashioned human error. Social engineering attacks like business email compromise (BEC) involve hacking into the email account of a supplier, executive or other trusted contact, then using that account to deceive accounts payable (AP) staff into making fraudulent payments.

Even if your employees closely adhere to control procedures, they may not have the resources or awareness to spot these sorts of sophisticated attacks. This will become even riskier as AI continues to make it easier for cybercriminals to create synthetic media like deepfake videos or audio.

3. Cybercrime prevention isn’t Finance’s jurisdiction

Even in organisations with the resources for a dedicated cybersecurity team, CFOs and finance teams tend to be better placed to address cybercrimes like digital payment fraud.

Although IT and security teams are responsible for protecting systems and data, they can’t singlehandedly stop AP employees from, say, making a fraudulent payment after a scammer infiltrates a trusted supplier’s email account. By contrast, finance leaders have a clearer picture of their anti-fraud controls and any risky gaps.

So what can finance teams do to safeguard their organisations against cyber fraud? It starts with ensuring you’ve got the right people, processes and technology.

• Implement robust anti-fraud controls – and put them to the test. Ensure control systems are based on the principle of “least privilege,” meaning that people only have access to the data and applications they need to perform their jobs. Controls like verbal verifications can mitigate BEC risks, especially if employees know best practices such as using independently sourced phone numbers. Regularly pressure-test these controls – for example, send a fake phishing message to see if employees click the link.
• Re-evaluate technology solutions. Cybercriminals are leveraging technology. Are you? The right technology can automate and centralise key processes, ensuring control procedures are followed. It can also help employees make safer decisions, including real-time warnings before a payment is authorised.
• Educate staff and drive an anti-cybercrime culture. Ongoing training is key here. This of course includes security hygiene like password security, multi-factor authentication (MFA) and phishing awareness, along with awareness about control procedures and best-practice approaches to verification. More generally, leaders also need to cultivate a strong security culture where employees feel comfortable asking questions or putting their hands up if something doesn’t feel quite right.

Note: this is a modified version of an article originally published in the NZ Herald.