Scammers use DocuSign API to send fraudulent invoices
CFOs, beware: cybercriminals are exploiting DocuSign’s legitimate business tools to deliver fraudulent invoices directly through trusted channels. This scheme is particularly dangerous …
A hospital in Sydney, NSW has allegedly fallen victim to a business email compromise (BEC) fraud, reportedly losing $2 million to the alleged fraud in September 2024.
The home of a 49-year-old man in Yagoona, in Western Sydney, was raided by police in connection with multiple instances of BEC fraud, which targeted the unnamed hospital in Burwood. The man was arrested and charged with recklessly dealing with proceeds of crime more than $5000, and refused bail.
This incident is the latest in a long line of BEC fraud, which the Australian Competition and Consumer Commission (ACCC) says is costing Australian businesses ‘significantly more money’ in 2023 than in the two previous years.
BEC scams are a form of targeted phishing, or spear phishing, scams. Scammers use emails to pretend to be representatives of a business, use compromised email accounts of employees, or alter payment details on invoices.
This is known as invoice fraud, or payment redirection. If the bank details aren’t verified by the business paying the invoice, the money may be transferred into the scammer’s bank account, and quickly moved offshore, making recovery extremely challenging.
The ACCC Deputy Chair, Catriona Lowe, said scammers were ‘becoming more targeted’ in how they approached Australians with fake invoices.
“This scam is hard to detect because the scammer will either hack into the email system of the business or impersonate the business’ email address by changing as little as one letter,” she said.
There are a number of ways you can help reduce the risk of you or your business falling victim to a BEC scam. These include:
MFA requires people to authenticate themselves before accessing your business email and other systems. By enabling MFA, you can reduce the risk of unauthorised access, making it more challenging for scammers to get into your systems and then send emails purportedly from your organisation.
Sometimes, BEC scams are carried out with domain names that are incredibly similar to your own. For example, if your business is called Bob’s Computer Repairs and has a URL of bobscomputerrepairs.com.au, a scammer might register bobscomputerrepair.com.au and send fake invoices to your clients from that domain. Other alterations to consider include adding a word (e.g. online), a hyphen (bobs-computer-repairs) or a small typo (bobscomputerepairs). By registering similar domains, you can minimise the risk or a scammer doing so.
Email authentication protocols basically help prevent someone from ‘spoofing’ your email address. Speak to your email provider about adding Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) records to your domain name. If your DNS hosting is with a separate provider, you will need to contact them also.
As well as minimising the risk of your emails being compromised, it’s also important to have policies and procedures in place to prevent your business paying a fake invoice. After all, if you’ve paid a fake invoice, where does the liability lie? Ensure protocols are in place to check bank account details before making a first payment to a new account. Solutions such as Eftsure can help here.
The majority of scams rely on human error to succeed, which is why continual education and training is important so your people are on the lookout for the right signs. From BECs to deepfakes, scammers are utilising an array of techniques and tactics to steal from individuals and businesses, and it’s essential everyone in your organisation is aware of the risks they face online.
It can be incredibly difficult to recover money lost through BEC scams, however, it’s vitally important to report any cyber crime to ReportCyber as soon as possible.
Last month, as part of Cyber Security Awareness Month, the Australian Federal Police (AFP) shared how the AFP-led Joint Policing Cybercrime Coordination Centre was able to recover $777,000 after a South Australian woman unwittingly transferred $813,000 to a fraudulent bank account.
The woman believed she was paying a conveyancer’s account as part of the purchase of a new home, however, fell victim to a BEC scam.
CFOs, beware: cybercriminals are exploiting DocuSign’s legitimate business tools to deliver fraudulent invoices directly through trusted channels. This scheme is particularly dangerous …
Because LinkedIn is used as a professional networking platform, account holders don’t use the same caution as they would on Facebook or …
Over $2 million lost to tax scams in Australia since June 2024. Discover how finance leaders can protect their organisations this tax season.
Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.