Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
No, we are not talking about tax fraud. However, we are talking about something that’s just as malevolent.
In this case, “ATO” refers to Account Takeover. Specifically, ATO fraud is an act by a cyber-attacker in which they assume control of one or more of your systems as a precursor to defrauding your organisation.
In this blog, we will explore ATO fraud, why it represents a threat to every Accounts Payable (AP) department, and what you can do to prevent your organisation from falling victim to it.
According to a Juniper Research report, the world is facing an unprecedented surge in ATO fraud. This threatens the security of entire accounts, alongside associated payment data. Global ATO fraud is expected to cost in excess of $206 billion over the next five years.
For any finance or accounting executive seeking to strengthen their organisation’s resilience against fraud, ensuring your systems are not susceptible to account takeovers must be an urgent priority.
Put simply, ATO fraud involves credential theft, perpetrated by cyber-attackers, with the goal being to defraud a victim organisation.
Typically, ATO fraud starts with compromising credentials. Cyber-attackers will seek to obtain usernames and passwords to applications, such as email accounts or online bank accounts, that will give them the ability to steal the organisation’s financial assets.
Some of the common methods cyber-attackers use to perpetrate ATO fraud include:
Attackers engaging in ATO fraud may infect your organisation’s computer systems with malicious software, or malware, that is designed to steal user credentials. Common types of malware used in these types of attacks include spyware and keyloggers.
Spyware is a type of malware designed to gather intelligence on an organisation and steal its confidential data, including login and password credentials for networks, files and applications such as email accounts and online bank accounts.
Keyloggers are a type of malware that records every keystroke typed on a keyboard. They also allow cyber-attackers to obtain confidential authentication details, such as logins and passwords, once again giving the criminals access to the organisation’s online bank accounts and email accounts.
Phishing uses electronic communications channels to deceive staff into taking an action that they otherwise would not take.
When it comes to ATO fraud, we see many cases where phishing emails are sent out by cyber-attackers which include malicious links. These direct unsuspecting staff to a fake online banking webpage that looks identical to the real online banking webpage. The staff member innocently enters their online banking username and password.
At this point, the attackers have managed to gain the login credentials to the target organisation’s online bank accounts, paving the way for ATO fraud.
Social Engineering is the attempt by cyber-attackers to deceive staff into revealing confidential information, such as usernames and passwords to corporate systems. A variety of methods may be used to conduct Social Engineering, including email, telephone and social media communications.
Social Engineering works because it takes advantage of the innate human desire to be helpful. A sophisticated cyber-attacker will have already conducted extensive background reconnaissance and will be highly experienced in the art of deception. For example, they may impersonate representatives of your bank as a way to deceive staff into revealing online banking credentials.
All too often people reuse the same password across multiple applications. This increases the risk because a cyber-attacker who obtains login credentials for one system will attempt to gain unauthorised access to other systems using the same credentials.
This is a particular problem given the volume of usernames and passwords that can be acquired through the Dark Web.
Using automated scripts, cyber-attackers attempt to gain access to thousands of web applications using stolen credentials. Sometimes this results in them successfully accessing email accounts or online bank accounts, paving the way for ATO fraud.
Using automated scripts, cyber-attackers may seek to bombard a web application with thousands of potential passwords. Often they will attempt commonly used passwords, or passwords that have some relevance to the user they are seeking to compromise.
When users do not select sufficiently complex passwords, a brute force attack is more likely to succeed.
Once an attacker gains access to an application through a brute force attack, they will be able to engage in ATO fraud.
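Both of the automated techniques just described leave a distinctive trace in authentication logs: credential stuffing shows one source address failing against many different usernames in a short window, while brute force shows many failures against a single username. The following detection logic is an added example, not Eftsure's code; the log line format, the thresholds and the sample log lines are all constructed for illustration, and real systems would feed it the equivalent fields from their own authentication logs.

```python
"""Flag credential-stuffing and brute-force patterns in authentication logs.

Added example (not Eftsure's code). The log format
"<ISO timestamp> <source_ip> <username> <OK|FAIL>", the thresholds and the
sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one address trying many usernames (stuffing),
# one username hammered with guesses (brute force), then normal logins.
SAMPLE_LOG = """\
2024-03-04T02:10:01 203.0.113.7 alice FAIL
2024-03-04T02:10:02 203.0.113.7 bob FAIL
2024-03-04T02:10:02 203.0.113.7 carol FAIL
2024-03-04T02:10:03 203.0.113.7 dave FAIL
2024-03-04T02:10:03 203.0.113.7 erin FAIL
2024-03-04T02:10:04 203.0.113.7 frank OK
2024-03-04T02:15:00 198.51.100.9 payables FAIL
2024-03-04T02:15:01 198.51.100.9 payables FAIL
2024-03-04T02:15:02 198.51.100.9 payables FAIL
2024-03-04T02:15:03 198.51.100.9 payables FAIL
2024-03-04T02:15:04 198.51.100.9 payables FAIL
2024-03-04T02:15:05 198.51.100.9 payables FAIL
2024-03-04T02:15:06 198.51.100.9 payables OK
2024-03-04T09:00:00 192.0.2.5 alice OK
2024-03-04T09:02:00 192.0.2.6 bob OK
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse log text into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def _windows(evs, window):
    """For each event, yield the events that fall within `window` after it (sliding window)."""
    for i, (ts, *_) in enumerate(evs):
        yield [e for e in evs[i:] if e[0] - ts <= window]


def detect(events, window=timedelta(minutes=5), stuffing_users=5, bruteforce_fails=5):
    """Return a list of (kind, key, detail) alerts.

    credential_stuffing: one source IP fails against >= stuffing_users distinct
    usernames inside one window.  brute_force: one username accumulates
    >= bruteforce_fails failures inside one window.  Each alert also records
    whether a successful login occurred in the same burst, which is the
    highest-value signal for a defender (a likely compromised account).
    """
    events = sorted(events)
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
        by_user[ev[2]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        for win in _windows(evs, window):
            failed_users = {e[2] for e in win if e[3] == "FAIL"}
            if len(failed_users) >= stuffing_users:
                succeeded = sorted({e[2] for e in win if e[3] == "OK"})
                alerts.append(("credential_stuffing", ip,
                               {"distinct_users": len(failed_users),
                                "succeeded_users": succeeded}))
                break  # one alert per source address is enough
    for user, evs in by_user.items():
        for win in _windows(evs, window):
            fails = sum(1 for e in win if e[3] == "FAIL")
            if fails >= bruteforce_fails:
                alerts.append(("brute_force", user,
                               {"failures": fails,
                                "succeeded": any(e[3] == "OK" for e in win)}))
                break
    return alerts


if __name__ == "__main__":
    for kind, key, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{kind}: {key} {detail}")
```

On the constructed sample this raises two alerts: a credential-stuffing alert for 203.0.113.7 (five distinct usernames failed, and `frank` then succeeded) and a brute-force alert for the `payables` account (six failures followed by a success). The per-user view is what catches a slow attack spread across many source addresses, and the per-IP view catches a fast one against many accounts; a production version would add the same logic keyed on password-spray patterns and tune the window and thresholds to the application's normal traffic.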
With staff working from many locations rather than a single office, the risk of a man-in-the-middle attack has risen significantly.
One common man-in-the-middle attack involves cyber-criminals setting up fake Wi-Fi networks in public locations. Staff may think they are connecting to a secure public Wi-Fi network, for example in a coffee shop, when in actual fact they are allowing an attacker to eavesdrop on all their communications and access data being transferred over the internet.
This opens the door for the attacker to capture confidential login credentials to systems such as email or online bank accounts. Once the attacker is armed with a username and password, the organisation is exposed to a fraud event.
Once the cyber-attacker gains unauthorised access to your online bank account, they will often sit in wait until the ideal opportunity arises for them to launch a fraud event. During this time they will likely mimic normal user behaviour, in order not to raise any suspicions.
When the cyber-attacker determines that the time is right, they will most likely engage in one of the following attack vectors:
With access to an executive’s email account, an attacker may impersonate the executive to issue instructions to staff to process payments to a bank account controlled by the attacker.
With access to an organisation’s Accounts Receivable (AR) email account, an attacker may issue fake invoices to the organisation’s customers, with any payments directed to a bank account controlled by the attacker.
In the event that a cyber-attacker gains access to an organisation’s bank account, they will likely choose an opportune time, such as during the weekend or a public holiday, to transfer funds out of the account and into a bank account they control. Selecting the right time can ensure that alarms are not raised until it’s too late.
Cyber-attackers may steal other sensitive corporate data that enables them to engage in a range of other crimes by impersonating the company’s executives. Known as Business Identity Theft, this can pave the way for the attacker to obtain loans or credit in the organisation’s name.
With determined cyber-attackers hunting for any opportunity to perpetrate ATO fraud, it is critical that every organisation has controls in place to protect its financial assets.
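The attack vectors above share a weak point that financial controls can target: the payment itself must still pass through the organisation's release process. The following rule set is an added example, not Eftsure's product or code; the payee register, thresholds, field names and sample requests are constructed for illustration. It holds a payment when the payee's bank details were changed recently or differ from the register, when a large amount lacks an independent second approver, when the request arrives outside business hours (the weekend and public-holiday timing described above), or when the instruction came in by email rather than through the invoice system.

```python
"""Rule-based release controls for outgoing payments.

Added example (not Eftsure's product or code). The payee register, the
thresholds, the field names and the sample requests are constructed for
illustration of the control, not taken from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Payee:
    name: str
    bsb: str
    account: str
    details_changed_on: datetime  # last edit to the payee's bank details


@dataclass
class PaymentRequest:
    payee: str
    amount: float
    bsb: str
    account: str
    requested_by: str
    approved_by: Optional[str]
    submitted_at: datetime
    instruction_source: str  # constructed values: "invoice_system" or "email"


def evaluate(req: PaymentRequest, register: Dict[str, Payee], now: datetime,
             dual_threshold: float = 10_000.0,
             recent_change: timedelta = timedelta(days=14)) -> Tuple[str, List[str]]:
    """Return ("RELEASE", []) or ("HOLD", [reasons]) for one payment request."""
    reasons = []
    payee = register.get(req.payee)
    if payee is None:
        reasons.append("payee not in register")
    elif (payee.bsb, payee.account) != (req.bsb, req.account):
        reasons.append("bank details differ from register")
    elif now - payee.details_changed_on <= recent_change:
        reasons.append("bank details changed recently; verify by callback to a known number")
    # Segregation of duties: large payments need a second, different approver.
    if req.amount >= dual_threshold and (not req.approved_by or req.approved_by == req.requested_by):
        reasons.append("independent second approval required")
    # Attackers favour weekends and holidays because alarms are raised late.
    if req.submitted_at.weekday() >= 5 or not 9 <= req.submitted_at.hour < 17:
        reasons.append("submitted outside business hours")
    # An emailed instruction may come from a taken-over mailbox.
    if req.instruction_source == "email":
        reasons.append("instruction received by email; confirm out of band")
    return ("HOLD" if reasons else "RELEASE"), reasons


def sample_register() -> Dict[str, Payee]:
    """Constructed payee register: one long-standing payee, one with fresh bank details."""
    return {
        "Acme Supplies": Payee("Acme Supplies", "000-000", "11111111", datetime(2022, 1, 10)),
        "Globex": Payee("Globex", "000-000", "22222222", datetime(2024, 3, 6)),
    }


def sample_requests() -> List[PaymentRequest]:
    """Constructed requests: a routine invoice payment and a suspicious weekend transfer."""
    return [
        PaymentRequest("Acme Supplies", 4_000.0, "000-000", "11111111",
                       "ap.clerk", "ap.manager", datetime(2024, 3, 5, 10, 30), "invoice_system"),
        PaymentRequest("Globex", 48_000.0, "000-000", "22222222",
                       "ap.clerk", None, datetime(2024, 3, 9, 23, 0), "email"),
    ]


if __name__ == "__main__":
    now = datetime(2024, 3, 9, 23, 5)
    for req in sample_requests():
        decision, why = evaluate(req, sample_register(), now)
        print(f"{req.payee}: {decision} {why}")
```

The routine Acme payment is released; the Globex request is held for four separate reasons, any one of which would have stopped it. The value of stacking independent rules is that an attacker who has taken over a mailbox and timed the transfer for a Saturday still runs into the payee-change check and the second-approver requirement, neither of which the compromised account can satisfy on its own.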
Eftsure is a unique fraudtech solution that cross-checks all outgoing payments in real time against a proprietary database comprising over 2 million Australian organisations. This helps mitigate the risk of a range of ATO fraud attempts, such as fake instructions from executive email accounts to process payments, or fake invoices sent from a supplier’s email account.
Contact eftsure today for a full demonstration of how we can help you prevent fraudulent attacks against your organisation.