Scammers use DocuSign API to send fraudulent invoices
CFOs, beware: cybercriminals are exploiting DocuSign’s legitimate business tools to deliver fraudulent invoices directly through trusted channels. This scheme is particularly dangerous …
In January 2022, Microsoft announced it was disabling macros in version 4.0 of Excel spreadsheets by default, so customers could stay protected from a range of security threats.
For accounting and finance teams, life without Excel spreadsheets would be unthinkable. So, what is involved in excel spreadsheet fraud, macros, what are the risks associated with using them and do you have anything to worry about?
In Microsoft Office suites, macros exist as a type of functionality that allow you to automatically run tasks that are executed repeatedly.
Think of a macro as a tool for recording the steps you take when performing a particular task in an Excel file. When run, the macro automatically records your mouse clicks and repeats those steps as many times as you want. For Accounts Payable (AP) teams, macros help save time by automating many repetitive tasks.
When executing a macro, a piece of programming code runs, but you don’t need to be a coder to set up macros in an Excel spreadsheet. However, if you wish to make advanced modifications to a macro, knowledge of Visual Basic Applications, or VBA, code will be required.
Every day, AP teams create spreadsheets to run reports, generate financial statements, prepare payment files and much more.
In many cases, AP officers are using Excel to solve problems that they have already solved many times before. In such situations, it makes sense to create macros to automate the process.
For example, suppose at the end of every month you need to generate a report of outstanding invoices your organisation needs to pay to suppliers. In these reports, you want to highlight outstanding invoices in red and apply bold formatting. With macros, you can quickly and easily apply such formatting.
Macros can help a department run much more efficiently – a terrific thing at a time when AP teams are busier than ever!
Eftsure recently reported that hackers are actively looking to embed malware within macros. When an unsuspecting victim opens an .XLS file, the malicious code is automatically executed.
Cyber criminals are using macros as a vehicle to automatically and secretly execute malware whenever the macro runs. As mentioned above, it is possible to edit or create macros using VBA code. Malicious actors use VBA code to craft malware, then embed this code into Excel macros, usually via an infected document.
The malware can then use VBA “shell” command to run arbitrary commands, or the VBA “kill” command to delete files. The “AutoOpen” function in Excel enables it to automatically run, whilst the “AutoExec” function allows it to automatically execute.
Unlike a traditional phishing attack, which requires the victim to actively click on a dangerous link or open a dangerous attachment to run malware, malware payloads delivered via macros do not require the victim to actively click or open anything. This makes them particularly difficult to detect and stop.
All it takes is for one AP team member to enable macros in an Excel spreadsheet and they could be putting the entire organisation at risk.
Malware could open the door to malicious actors, allowing them to infiltrate email systems and compromising sensitive information. It could pave the way for the manipulation of supplier data in ERPs or Vendor Master Files as a prelude to carrying out a Business Email Compromise (BEC) attack.
Whilst Microsoft announced that macros would be disabled by default from Excel version 4.0 onwards, it will still be possible to change Excel settings in order to enable macros. Given the efficiency benefits of macros for accounting teams, it is likely that many AP personnel will opt to enable macros in their Excel spreadsheets.
That’s why it’s important that AP teams understand the risks involved, and take appropriate precautions to use macros safely.
Here are some strategies to help mitigate the risks the come with using macros:
Excel is an indispensable tool for AP teams. Macros are a useful function that enable AP teams to perform more efficiently and effectively. Unfortunately, macros also present a range of serious risk of excel spreadsheet fraud that can allow malicious actors to infiltrate your emails systems, manipulate your data and launch Business Email Compromise attacks.
AP teams that rely on macros remain vulnerable to a range of threats that cannot be fully mitigated.
However, with Eftsure sitting on top of your accounting processes, you can rest assured that even if malicious actors use macros as a vehicle to launch a BEC attack – you can be protected!
Our proprietary database comprises banking data from over 80% of actively trading organisations in Australia. You can verify in real-time, immediately prior to processing EFT payments, whether the funds are being sent to the intended recipient. So, even if you have been subjected to a malicious attack, you are safeguarded against severe financial losses.
Contact Eftsure today for a full demonstration of how we will protect you from increasingly sophisticated cyber-crime.
CFOs, beware: cybercriminals are exploiting DocuSign’s legitimate business tools to deliver fraudulent invoices directly through trusted channels. This scheme is particularly dangerous …
Because LinkedIn is used as a professional networking platform, account holders don’t use the same caution as they would on Facebook or …
Fraud can strike any time, but certain periods increase your business’s vulnerability to fraudulent activities. During these times, your teams may be …
Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.