Cyber Brief for CFOs: November / December 2024
All the news, tactics and scams for finance leaders to know for November / December 2024.
Each month, the team at eftsure monitors the headlines for the latest Accounts Payable security news. We bring you all the essential learnings, so your Accounts Payable team can stay secure.
Once again fraudsters were able to deceive an organisation into transferring a large sum to them through the use of a highly sophisticated Deep Fake.
For any Accounts Payable team that is accustomed to verifying payment details through call-backs, the rise of Deep Fake technologies represents a whole new level of threat. Whilst you may think you’re speaking with a known individual, someone with whom you’ve spoken numerous times, the reality may be very different.
In early 2020, a bank manager in Hong Kong received an incoming call. In hindsight, this should have been his first warning sign. Criminals are increasingly resorting to spoofing phone numbers, which is why you should never blindly trust any inbound calls.
Upon answering the phone, the bank manager spoke with an individual who claimed to be the director of a company with whom he had spoken numerous times before. The voice was familiar and nothing about the call hinted at the possibility that this was part of an elaborate scam. The reality was that the fraudsters had used a recording of the company director’s voice to generate a Deep Fake that sounded absolutely realistic.
The alleged company director claimed to have negotiated an acquisition which would require transferring a total of $35 million to numerous third parties. The bank manager was advised that a lawyer named Martin Zelner would be in touch to coordinate the details.
Subsequently, the bank manager received numerous emails from Zelner detailing the various amounts that needed to be transferred to a variety of different bank accounts. One of these emails even included a letter of authorisation from the company director to Zelner to act on his behalf.
The bank manager, believing that this was a legitimate business acquisition, proceeded to action the transfers as outlined in the emails.
The victim company, whose funds were transferred to the fraudsters by the Hong Kong-based bank manager, is based in the United Arab Emirates. It has identified that approximately $400,000 was transferred to two bank accounts in the United States, and is currently seeking assistance from US authorities to try and recover those funds.
However, tracking down and recovering the remainder of the defrauded funds will be all but impossible.
This is an important reminder never to trust inbound calls, and to always be alert to the possibility of Deep Fakes. One of the most effective ways to determine the legitimacy of another party to a phone call is to simply ask them questions only they would know the answer to. For example, ask them to confirm the dates and values of the last three transactions between your organisations. In many cases, fraudsters won’t be able to readily answer such questions, giving you the opportunity to investigate the situation more closely.
If there’s one thing we know with certainty about scammers it’s this: They always follow the easy money.
Given that elderly Australians tend to use technology and online payments less frequently, and may be more trusting of information in emails, scammers are targeting seniors who are seen as easy victims.
In the latest scam targeting the elderly, a Queensland grazier lost thousands of dollars in a Business Email Compromise (BEC) attack.
After a legitimate fencing contractor carried out work on the grazier’s Childers property, he received an invoice via email for the work. The email advised him of new bank account details for the payment.
Not suspecting anything untoward, the grazier made the payment for the fencing work to the new bank account.
However, what he did not realise was that the email had been hacked. Scammers had manipulated the information in the invoice, replacing the legitimate bank account details with another account under their control.
“It appears that someone has hacked the grazier’s computer and changed the bank account details on the invoice,” Childers Police officer-in-charge Sergeant Geoff Fay said.
“The grazier has paid the money according to the invoice, which has basically gone into a dodgy account. They were elderly graziers who don’t use computers and online payment systems on a regular basis. Offenders play on the innocence of people in that respect.”
This is an important reminder for anyone making payments based on the information contained in emails. It is absolutely essential to independently source the phone number of the recipient, and then call them to verify the banking details. Never assume that you are too small to be targeted. Scammers will go after anyone they perceive as an easy target.
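The control described above can be enforced mechanically before a payment is released. The following is an added illustration, not eftsure's product code: it screens incoming invoices against a vendor master file and only allows a changed bank account to be paid once a call-back has been logged to the phone number held in the master record, never to a number supplied on the invoice or in the covering email. Vendor records, invoices, phone numbers and call-back entries are all constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BankDetails:
    bsb: str
    account: str


@dataclass
class VendorRecord:
    name: str
    bank: BankDetails
    phone: str  # sourced independently at onboarding, not from any invoice


@dataclass
class Invoice:
    invoice_id: str
    vendor_id: str
    amount: float
    bank: BankDetails
    contact_phone: str  # whatever number the invoice or email asks you to ring


@dataclass
class CallbackRecord:
    invoice_id: str
    number_dialled: str
    confirmed: bool  # did the vendor confirm the new details over the phone?


def screen_invoice(invoice, master, callbacks):
    """Return a payment decision for one invoice.

    A bank account that matches the master file is paid as normal. Any
    difference puts the invoice on hold until a call-back has been made to the
    master-file phone number; call-backs to the number printed on the invoice
    prove nothing, because the fraudster controls that number too.
    """
    vendor = master.get(invoice.vendor_id)
    if vendor is None:
        return "HOLD_UNKNOWN_VENDOR"
    if invoice.bank == vendor.bank:
        return "PAY"
    trusted_callbacks = [
        cb for cb in callbacks
        if cb.invoice_id == invoice.invoice_id and cb.number_dialled == vendor.phone
    ]
    if not trusted_callbacks:
        return "HOLD_CALLBACK_REQUIRED"
    if all(cb.confirmed for cb in trusted_callbacks):
        return "PAY_AFTER_CALLBACK"
    return "REJECT_CHANGE_DENIED"


def screen_batch(invoices, master, callbacks):
    """Screen a batch and return {invoice_id: decision}."""
    return {inv.invoice_id: screen_invoice(inv, master, callbacks) for inv in invoices}


# Constructed sample data: one fencing contractor in the vendor master.
MASTER = {
    "V-FENCE": VendorRecord("Example Fencing Pty Ltd",
                            BankDetails("000-000", "11111111"),
                            phone="+61 7 0000 0001"),
}
NEW_BANK = BankDetails("999-999", "22222222")  # the account on the altered invoice
EMAIL_PHONE = "+61 4 0000 0099"                 # number supplied in the email

INVOICES = [
    Invoice("INV-1001", "V-FENCE", 4200.0, MASTER["V-FENCE"].bank, EMAIL_PHONE),
    Invoice("INV-1002", "V-FENCE", 4200.0, NEW_BANK, EMAIL_PHONE),  # no call-back yet
    Invoice("INV-1003", "V-FENCE", 4200.0, NEW_BANK, EMAIL_PHONE),  # rang the email number
    Invoice("INV-1004", "V-FENCE", 4200.0, NEW_BANK, EMAIL_PHONE),  # vendor denied change
    Invoice("INV-1005", "V-FENCE", 4200.0, NEW_BANK, EMAIL_PHONE),  # vendor confirmed change
]
CALLBACKS = [
    CallbackRecord("INV-1003", EMAIL_PHONE, confirmed=True),
    CallbackRecord("INV-1004", "+61 7 0000 0001", confirmed=False),
    CallbackRecord("INV-1005", "+61 7 0000 0001", confirmed=True),
]

if __name__ == "__main__":
    for invoice_id, decision in screen_batch(INVOICES, MASTER, CALLBACKS).items():
        print(invoice_id, decision)
```

The decision for INV-1003 is the one worth noticing: a call-back was made and the "vendor" happily confirmed the new account, but because the number dialled came from the email rather than the master file the invoice stays on hold.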
When the former financial controller of leading political strategy firm Crosby Textor was charged with allegedly stealing more than $850,000 from the business, it highlighted the challenge of uncovering internal fraud.
It is alleged the former employee used his privileged position in the organisation to make numerous unauthorised payments from company bank accounts to his own personal accounts.
This case is a timely reminder of the importance of Segregation of Duties.
Segregation of Duties remains one of the most effective ways to ensure that malicious insiders are not able to easily defraud the organisation that employs them. If separate individuals are responsible for preparing, verifying, approving and processing outgoing payments, it makes carrying out fraud considerably harder.
In practice, numerous individuals would need to conspire to commit the fraud, increasing the risk that their activities would be revealed.
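Segregation of Duties is only as good as the system that enforces it, so an audit of the payment workflow log should catch any payment where one person held more than one of the four roles. The following is an added example, not eftsure's product code: it groups constructed workflow events by payment, then reports missing steps, steps recorded out of order, and any user who performed more than one step on the same payment. The step names, user names and payment ids are all assumed sample values.

```python
from dataclasses import dataclass

# The four roles that must be held by separate people for every payment.
REQUIRED_STEPS = ("prepare", "verify", "approve", "process")


@dataclass
class PaymentEvent:
    payment_id: str
    step: str
    user: str


def check_payment(events):
    """Check the events of a single payment (in the order they occurred).

    Returns a list of human-readable problems; an empty list means the
    payment satisfied Segregation of Duties.
    """
    problems = []
    steps_seen = [e.step for e in events]
    for step in REQUIRED_STEPS:
        if step not in steps_seen:
            problems.append(f"missing step: {step}")

    # Each required step must be recorded after the one before it.
    positions = {e.step: i for i, e in enumerate(events)}
    for earlier, later in zip(REQUIRED_STEPS, REQUIRED_STEPS[1:]):
        if earlier in positions and later in positions and positions[later] < positions[earlier]:
            problems.append(f"{later} recorded before {earlier}")

    # No single user may perform more than one step on the same payment.
    steps_by_user = {}
    for e in events:
        steps_by_user.setdefault(e.user, set()).add(e.step)
    for user, steps in steps_by_user.items():
        if len(steps) > 1:
            problems.append(f"{user} performed {', '.join(sorted(steps))}")
    return problems


def sod_report(events):
    """Group a workflow log by payment and check each one; {payment_id: problems}."""
    grouped = {}
    for e in events:
        grouped.setdefault(e.payment_id, []).append(e)
    return {pid: check_payment(evs) for pid, evs in grouped.items()}


def payments_cleared(report):
    """Payment ids with no Segregation of Duties problems, in log order."""
    return [pid for pid, problems in report.items() if not problems]


# Constructed workflow log: four payments, only the first of which is clean.
LOG = [
    PaymentEvent("PAY-1", "prepare", "alice"),
    PaymentEvent("PAY-1", "verify", "bob"),
    PaymentEvent("PAY-1", "approve", "carol"),
    PaymentEvent("PAY-1", "process", "dave"),
    PaymentEvent("PAY-2", "prepare", "erin"),   # one insider holding three roles
    PaymentEvent("PAY-2", "verify", "erin"),
    PaymentEvent("PAY-2", "approve", "frank"),
    PaymentEvent("PAY-2", "process", "erin"),
    PaymentEvent("PAY-3", "prepare", "gina"),   # verification step skipped entirely
    PaymentEvent("PAY-3", "approve", "hank"),
    PaymentEvent("PAY-3", "process", "ivan"),
    PaymentEvent("PAY-4", "approve", "jo"),     # approved before it was verified
    PaymentEvent("PAY-4", "prepare", "kim"),
    PaymentEvent("PAY-4", "verify", "lee"),
    PaymentEvent("PAY-4", "process", "max"),
]

if __name__ == "__main__":
    for payment_id, problems in sod_report(LOG).items():
        print(payment_id, problems or "OK")
```

Run against a real workflow export, the report is the kind of evidence that makes a case like the Crosby Textor one visible early: a single user appearing on several steps of the same payment is the pattern to look for.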
Whilst it remains notoriously difficult to recover funds stolen through BEC scams, law enforcement are sometimes successful.
In a “Week of Action” spearheaded by cybercrime detectives within the NSW Police, over $1 million of stolen funds were frozen or recovered, and 20 charges laid.
This includes the arrest of a 23-year-old individual. Police will allege in court that he fraudulently obtained numerous payments totalling $759,315 via an online BEC scam targeting a mortgage broker on Sydney’s Northern Beaches.
Additionally, a 20-year-old was arrested. Police will allege in court that he dealt with the proceeds of crime valued at more than $100,000.
Aware of the growth in BEC attacks, local police are increasingly cooperating with other forces, both in Australia and overseas, in an attempt to disrupt criminal syndicates. Only through such cooperation can law enforcement improve their capacity to follow money trails back to the primary beneficiaries of these crimes. It also improves their chances of freezing and recovering funds.
That’s why it is critical that any individual or organisation that is targeted in a BEC attack report the case immediately to law enforcement. Such information can be crucial in their quest to put a stop to these crimes.