Cyber Brief for CFOs: October 2024
Each month, the team at Eftsure monitors the headlines for the latest Accounts Payable news. We bring you all the essential learnings in our Security Report, so your accounts payable team can stay secure.
In this accounts payable security report for November 2022, we explore the ties between the banks and business email compromise (BEC), the cost of scams, impersonations of law firms and malicious text messages.
Despite calls for the banks to be liable when scammers succeed in redirecting funds to their own accounts, it appears the Government will not hold banks responsible.
Financial Services Minister, Stephen Jones, rejected the idea that banks should be held liable for payment redirection scams, such as Business Email Compromise. According to the Minister, making banks pick up the tab would only lead to an increase in scam activity.
The Minister did support setting high standards for banks to follow, which should limit the opportunities for scammers. However, if banks meet these high obligations, they should not be held financially responsible for refunding misdirected payments to scam victims.
“If banks always pay, the net result creates a honey pot for scammers,” Jones said.
Given these sentiments, it appears clear that banks in Australia will not be financially liable for payment redirection scams any time soon. Ensuring funds are sent to the intended recipient will continue to be the responsibility of the sender for the foreseeable future.
Scam rates are surging, with Australians on track to lose a whopping $4 billion next year.
That figure is more than double the amount lost last year according to Australian Government figures. Given that many scam victims are reluctant to come forward, it is likely that the real cost is even higher.
With scams now impacting many thousands of Australians, the Government announced it will spend $10 million to finance a National Anti-Scam Centre.
“When Australians are struggling with cost-of-living increases, to have their life savings ripped away from them is just unbearable,” Financial Services Minister, Stephen Jones, said.
“That’s money that should be in the small businesses or households, not flowing to these criminals and scumbags ripping Australians off.”
The new centre will be overseen by the Australian Competition and Consumer Commission (ACCC), the agency that runs Scamwatch.
A Business Email Compromise (BEC) syndicate named ‘Crimson Kingsnake’ is impersonating well-known international law firms to trick recipients into paying fake overdue invoices.
It is believed the syndicate impersonates lawyers because targets are likely to be intimidated when they receive threatening emails from large law firms.
Analysts report having identified 92 fake domains linked to these scams. Each fake domain is similar to a genuine law firm domain.
This tactic is known as ‘typosquatting.’ It often succeeds in deceiving victims because the email address appears authentic at first glance. The email bodies contain the logos and letterheads of the impersonated entities, and the emails are crafted professionally, without spelling or grammatical errors.
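A simple defensive check for the look-alike domains described above, as an added example that is not Eftsure's code or anything from the reports cited: it compares the sender's registrable domain against a list of known counterparty domains, folding common confusable characters and allowing a small edit distance, and also flags a known domain buried as a subdomain of an unrelated one. The vendor domains, sender addresses, confusable table and the simplified registrable-domain rule are all constructed for illustration.

```python
from typing import Iterable

# Constructed sample of legitimate counterparty domains (in practice this
# list would come from the vendor master file, not be hard-coded).
KNOWN_DOMAINS = [
    "example-law.com",
    "acme-legal.co.uk",
    "northside-partners.com.au",
]

# Character-level look-alikes often seen in typosquats (constructed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Simplified stand-in for the public suffix list: treat e.g. "co.uk" as a suffix.
SECOND_LEVEL = {"co", "com", "org", "net", "gov", "edu", "ac"}


def registrable_domain(host: str) -> str:
    """Reduce a host name to its registrable domain (simplified rule, no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])  # e.g. acme-legal.co.uk
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Fold confusable characters so 'examp1e-law' compares like 'example-law'."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), iterative single-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known: Iterable[str] = KNOWN_DOMAINS, max_distance: int = 2) -> tuple:
    """Return (verdict, matched_known_domain); verdict is 'known', 'lookalike' or 'unknown'."""
    host = address.rsplit("@", 1)[-1].strip("<> ").lower()
    reg = registrable_domain(host)
    norm_reg = normalize(reg)
    known = [k.lower() for k in known]
    if reg in known:
        return "known", reg
    for k in known:
        name_k = k.split(".")[0]  # organisation label, e.g. "example-law"
        name_s = reg.split(".")[0]
        # Same domain after confusable folding, e.g. examp1e-law.com.
        if norm_reg == normalize(k):
            return "lookalike", k
        # Same or nearly the same organisation label under any TLD, e.g. example-law.net.
        if levenshtein(normalize(name_s), normalize(name_k)) <= max_distance:
            return "lookalike", k
        # Known domain used as a subdomain of an unrelated registrable domain.
        if host != reg and (host.startswith(k + ".") or ("." + k + ".") in host):
            return "lookalike", k
    return "unknown", None


# Constructed sample sender addresses, as they might appear in invoice emails.
SAMPLE_SENDERS = [
    "billing@example-law.com",
    "accounts@examp1e-law.com",
    "invoices@example-law.net",
    "Legal Team <ar@acme-legaI.co.uk>",
    "notices@example-law.com.billing-portal.net",
    "hello@unrelated-vendor.org",
]


def scan(senders: Iterable[str] = SAMPLE_SENDERS) -> dict:
    """Classify every sender and return {address: (verdict, match)}."""
    return {s: classify_sender(s) for s in senders}


if __name__ == "__main__":
    for sender, (verdict, match) in scan().items():
        note = f"  (resembles {match})" if verdict == "lookalike" else ""
        print(f"{verdict:9s} {sender}{note}")
```

A "lookalike" verdict is a reason to route the invoice to manual verification against the vendor's details on file, not proof of fraud; with very short organisation labels an edit distance of 2 will produce false positives, so the threshold should be tuned to the vendor list, and a real deployment would use the public suffix list rather than the simplified rule here.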
The international law firms being impersonated include:
The scammers are using a tactic known as “blind BEC attacks.”
They send an email to a target advising that they have a long-overdue invoice. If the target responds asking for additional information, the scammers provide a fake description of the legal services that were rendered.
In cases where the target disputes any outstanding invoice, the scammers also impersonate an executive in the targeted company, approving payment of the invoice.
Accounts payable staff are starting to realise that sophisticated cyber-criminals may seek to deceive them by impersonating their organisation’s senior executives, such as the CEO or CFO. This makes it harder for the criminals to use email as a vehicle to launch phishing attacks.
But, as always, cyber-criminals are adaptable. When one attack vector starts to become less effective, they pivot to a new attack vector.
According to reports, cyber-criminals are increasingly turning to messaging apps, such as WhatsApp, to target AP staff. In the latest trend, a scammer impersonates the CEO of the AP staffer’s organisation. In the WhatsApp message, he says he is travelling in Asia and asks the AP staffer to organise a Zoom call. Once on the Zoom call, the scammer claims to have audio problems and requests to communicate via text.
Using the chat function, he asks the AP staffer to send company data to a link he provides. AP staff members may be asked to provide sensitive company information or even login credentials to various systems, such as bank accounts.
Before providing any sensitive information via messaging apps, such as WhatsApp, AP staff should always verify that they are actually communicating with the person they think they are communicating with, using a channel the requester does not control, such as calling back on the executive’s phone number already held on file.