All the news, tactics and scams for finance leaders to know about in November 2023.
Payment Security 101
Learn about payment fraud and how to prevent it
Each month, the team at Eftsure monitors headlines for the latest accounts payable (AP) news. We bring you all the essential stories in our Security Report so your team can stay secure.
A payment fraud tactic is gaining steam among scammers. Rather than just hijacking existing email threads, fraudsters are creating new ones that look and sound like they’re from the recipient’s bosses.
The tactic starts with a finance or AP employee receiving an emailed payment request and an invoice from a trusted supplier – crucially, a senior executive from the employee’s organisation will be CC’d on the email. Then the exec responds within the chain and asks the employee to prioritise the payment. But a closer look at the email addresses reveals that the entire “conversation” has been fabricated and the accounts are fake.
It’s not a new strategy. For years, fraudsters have been using all kinds of social engineering and business email compromise (BEC) tactics to trick staff into making fraudulent payments. But this particular approach appears to be gaining in popularity, and the appearance of a senior executive jumping in can lure some people into skipping their usual verification steps. Make sure your team is aware of the tactic and that they follow necessary checks before processing payment requests.
In its latest Targeting Scams report, the Australian Competition and Consumer Commission found that Australians lost a staggering $3.1 billion to scams in 2022, an 80% increase compared to 2021.
And the scam that impacted businesses the most? Payment redirection scams, also known as business email compromise (BEC). The ACCC says that the amount of money lost to these scams increased by 73% since the previous year, but it also estimates that only 13% of victims report to Scamwatch. Across reporting from Scamwatch, ReportCyber and the AFCX, combined losses from BEC totaled $224 million.
However, the report also estimated that 30% of victims don’t report scams at all, so it’s unclear just how vast (and costly) the problem might be.
ALPHV ransomware group is demanding payment after it claims to have stolen a four-terabyte dataset from Australian law firm HWL Ebsworth. This includes a wide range of internal and employee data, such as financial reports, accounting data, loans data and insurance agreements.
Crucially, it also includes client data, including credit card information and financial data. To further pressure the firm into paying the ransom, the Russia-linked hacker group is likely to drip-feed data onto the dark web, similar to what happened during Medibank’s breach.
The AFR is reporting that a forensic report connects the breach to an employee’s personal device – a stark reminder that human error still outweighs almost every other cyber risk.
With scam losses on the rise, the Federal Government is investing in protections for Australian consumers and businesses. It has allocated more than $87 million toward new systems, entities and capabilities, including:
These are all promising investments and smart steps for fighting scammers. But it’s unclear how many measures will be appropriate for organisations rather than individual consumers – for instance, investment scams primarily impacted consumers in 2021-22 while companies’ losses mostly resulted from BEC scams.
Australian enterprise resource planning (ERP) provider, TechnologyOne, is still investigating the access of its internal Microsoft 365 platform by an “unauthorised third party.” The company describes the access as “illegal” in a financial filing.
The software business says its customer-facing SaaS platform wasn’t affected since it isn’t connected to M365. It also says it managed to contain the threat and that the system was “successfully restored” a few days later, though investigations are still underway to determine impacts to customers.
Headquartered in Brisbane, TechnologyOne provides a wide range of financial features, including digitised and automated processes across accounts payable, accounts receivable and payroll. The business provides services for a multitude of prominent organisations, including the New Zealand Parliamentary Service.
Fortra says its GoAnywhere file transfer system was hacked because of a zero-day vulnerability – that is, a software vulnerability that wasn’t already known.
In a post-mortem report, Fortra says the vulnerability is what led to the compromise of end-user data, affecting a range of Australian organisations like Rio Tinto, Crown Resorts and Tasmania’s Department for Education, Children and Young People (DECYP).
With cybercrime on the rise, it’s critical to know what finance leaders are (and aren’t) doing to protect their organisations from digital …
Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.