Scammers use DocuSign API to send fraudulent invoices
CFOs, beware: cybercriminals are exploiting DocuSign’s legitimate business tools to deliver fraudulent invoices directly through trusted channels. This scheme is particularly dangerous …
Most CFOs and Accounts Payable (AP) managers are all too familiar with the risks posed by Business Email Compromise attacks – but are you aware that cyber-criminals are now adopting a new tactic? The latest cyber-crime now impacting AP departments is called Business Communications Compromise, or BCC.
In this blog we explore the rise of BCC attacks, why they pose a serious threat to your organisation and how you can protect your organisation from being scammed.
In a Business Email Compromise (BEC) attack, cyber-criminals take control of a business email account, or convincingly spoof one, and use it to alter the payment details on supplier invoices sent to your AP department. The invoice looks genuine; only the bank account has changed.
When unsuspecting AP staff pay the invoice, they inadvertently send the money to a bank account controlled by the scammer.
Cyber-criminals have been actively perpetrating BEC attacks for years. Whilst many AP teams still fall victim to BEC, email is no longer the sole means of communication for many AP staff. This is motivating cyber-criminals to look for new ways to carry out their scams.
Knowing that many organisations now rely on a range of communications and collaboration tools, cyber-criminals are finding new ways to attack their targets. They are now exploiting a range of other communications channels, from Zoom to Slack.
This type of attack is called Business Communications Compromise, or BCC, in recognition of the fact that you may be vulnerable in multiple ways, not just through email.
The pandemic led to a digital transformation in the way millions of people work, including AP teams.
With staff working remotely, it became essential to identify new ways of communicating and collaborating. As a result, staff in many organisations embraced a whole range of new tools. Within a very short space of time, we saw the widespread adoption of tools such as Zoom, Teams, Skype, Slack, Discord, Google Chat, and many more.
All these communications and collaboration channels were critical in enabling businesses to continue functioning through the pandemic. Even after most organisations have returned to the office, these tools remain in widespread use – with no sign that the trend will be reversed.
As with all digital transformation, they can deliver significant efficiency dividends, but also open up new opportunities for cyber-criminals. In this case, we are seeing the rise of Business Communications Compromise.
It’s not just employees within your organisation making use of these communications tools.
On many occasions, your staff will use these applications to conduct meetings with external participants, such as clients, business associates, or suppliers.
Whilst most of these external participants are trustworthy, there is a risk that some of them may be malicious. Most of these applications allow participants to share files and links, which gives a malicious participant a way to deliver malware. If a member of staff opens it, the attacker could gain remote access to that device and, from there, your network, allowing them to defraud your organisation.
Another attack vector sees cyber-criminals impersonating executives within your organisation through these communications channels. If attackers gain control of an executive’s account, for example by phishing their login credentials, they can message AP staff from that genuine account and instruct them to process unauthorised payments, with none of the usual tells such as a wrong sender domain.
Sophisticated cyber-criminals have even been known to create deepfake video and audio messages in which they impersonate an organisation’s executives. In these messages, sent via the communications tools, the cyber-criminals issue unauthorised payment instructions to unsuspecting AP staff.
BCC attacks are proving notoriously difficult to prevent. Unlike emails, which can be carefully scrutinised before any links are clicked, the new generation of communications and collaboration tools encourages users to respond at a rapid pace, and messages in these tools often do not pass through the link scanning and filtering applied to corporate email. This increases the likelihood that a user will click a link without first checking whether it looks suspicious.
These tools are also often accessed from personal devices, such as mobile phones and tablets. These personal devices frequently lack the security controls of corporate computers and may not be configured securely or kept up to date. That makes them easier for cyber-criminals to compromise, after which the attacker can pivot into the communications and collaboration tools signed in on the device.
Finally, many staff have received extensive training when it comes to the threats posed by malicious emails. However, few organisations are providing training when it comes to the use of the new generation of communications and collaboration applications. Many staff may be unaware of the risks involved, and will be more trusting of messages they receive which appear to have been sent by their senior managers.
All these factors make stopping scams that are perpetrated through these tools extremely challenging.
Protecting your organisation from BCC scams is not easy. Your AP staff rely on a range of communications and collaboration tools to work efficiently, particularly at a time when hybrid work is so widespread.
Sophisticated cyber-criminals are taking advantage of this fact by using these channels to deceive AP staff into processing unauthorised payments to bank accounts they control.
Expecting your AP staff to identify and stop every malicious attempt to use these tools as a vehicle for defrauding your organisation is bound to fail. Your AP staff are busy and do not have the training needed to counter increasingly sophisticated fraud attempts on their own.
You need a tool that will safeguard your financial assets.
With Eftsure sitting on top of your accounting processes, payments whose bank details do not match the verified details of the intended recipient can be flagged in real time, allowing your AP team to pause and investigate before the funds leave your account.
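As an added illustration (not Eftsure’s product code and not taken from this page), the following Python script shows the kind of payee-verification control described above: each payment in an EFT batch is compared against a register of supplier bank details that were confirmed out-of-band, and a payment is held when the payee is unknown, when its bank details differ from the verified record, or when the verified details were changed recently. The supplier names, account numbers, batch contents and the 30-day window are all constructed assumptions.

```python
"""Payee verification of an EFT batch before release.

Added illustration only: the register, the batch and the supplier names are
constructed sample data, and the 30-day re-confirmation window is an assumption.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VerifiedPayee:
    """Supplier bank details confirmed out-of-band (e.g. a call-back to a phone
    number already on file, never one taken from the invoice or chat message)."""
    supplier: str
    bsb: str
    account: str
    details_changed_on: date  # last time the verified details were updated


@dataclass(frozen=True)
class Payment:
    """One line of the EFT batch exported from the accounting system."""
    payment_id: str
    supplier: str
    bsb: str
    account: str
    amount: float


def _digits(value: str) -> str:
    """Strip spaces and dashes so '062-000' and '062000' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())


def check_payment(payment: Payment, register: Dict[str, VerifiedPayee],
                  today: date, recent_days: int = 30) -> List[str]:
    """Return the reasons to hold a payment; an empty list means release.

    Flags three conditions: the payee is not in the verified register, the
    bank details on the payment differ from the verified ones (the altered
    invoice pattern), or the verified details were changed within
    `recent_days` and should be re-confirmed before money is sent.
    """
    reasons: List[str] = []
    verified: Optional[VerifiedPayee] = register.get(payment.supplier)
    if verified is None:
        reasons.append("payee not in verified register")
        return reasons
    if (_digits(payment.bsb) != _digits(verified.bsb)
            or _digits(payment.account) != _digits(verified.account)):
        reasons.append("bank details differ from verified record")
    if (today - verified.details_changed_on).days <= recent_days:
        reasons.append(f"verified details changed within {recent_days} days")
    return reasons


def screen_batch(batch: List[Payment], register: Dict[str, VerifiedPayee],
                 today: date) -> Dict[str, List[str]]:
    """Map each payment id to its hold reasons so the AP team can see which
    payments need a call-back before the batch is released."""
    return {p.payment_id: check_payment(p, register, today) for p in batch}


# Constructed sample register (assumed suppliers, not real accounts).
REGISTER: Dict[str, VerifiedPayee] = {
    "Acme Stationery": VerifiedPayee("Acme Stationery", "062-000", "12345678", date(2024, 3, 1)),
    "Northwind Logistics": VerifiedPayee("Northwind Logistics", "083-004", "55512345", date(2024, 9, 20)),
}

# Constructed sample batch; the comments describe the scenario each line models.
SAMPLE_BATCH: List[Payment] = [
    Payment("PAY-001", "Acme Stationery", "062000", "12345678", 1250.00),       # matches register
    Payment("PAY-002", "Acme Stationery", "062-000", "99999999", 8400.00),      # account swapped on the invoice
    Payment("PAY-003", "Globex Pty Ltd", "012-003", "11112222", 500.00),        # never verified
    Payment("PAY-004", "Northwind Logistics", "083-004", "55512345", 3100.00),  # details changed 11 days ago
]

TODAY = date(2024, 10, 1)  # assumed batch date for the sample run

if __name__ == "__main__":
    for pid, reasons in screen_batch(SAMPLE_BATCH, REGISTER, TODAY).items():
        print(pid, "RELEASE" if not reasons else "HOLD: " + "; ".join(reasons))
```

The important design point is where the register comes from: its entries are only as good as the verification behind them, so a change request arriving by email, chat or video call must never update the register directly; it should trigger a call-back on a number already on file, and only then should `details_changed_on` move.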
Contact Eftsure for a demonstration of our platform and start protecting your organisation from Business Communications Compromise today.