
How to minimise scam risks during EOFY 2025

Shanna Hall

The end of the financial year (EOFY) is an infamously busy time. By this time of the year, many accounts payable (AP) teams are already working through a whirlwind of tax returns, bookkeeping and completing pay runs.

Scammers are aware of the mounting admin load. They target AP staff during this period, exploiting the sense of urgency and the general chaos to trick busy teams into making the wrong payment or handing over the wrong information. Even the most eagle-eyed staff are more likely to skip a control or overlook a warning sign when they are stressed or time-poor.

In 2023 alone, Kiwis lost at least $198 million to scams. And, unfortunately, those are just the numbers that have been reported – true figures could be even larger.

Finance leaders, make sure you’re one step ahead of the fraudsters and cybercriminals. In this article, we’ll dissect common EOFY scams to help you keep your team and organisation safe.

What are common end-of-financial-year scams?

Cybercriminals are always hunting for new tools, technology and tactics for evading your anti-fraud controls. However, they’re also perfectly happy to follow a proven game plan, which is why there are a few tried-and-true scam techniques to watch out for.

Here are some of the most common ones.

Phishing scams

This type of social engineering scam involves an email, text message or phone call in which scammers impersonate a legitimate source, such as Inland Revenue (IRD, Te Tari Taake) or a bank, and request personal or financial information. Remember that government agencies will not ask you to supply passwords, bank details or other sensitive information by email or text, so treat any unsolicited request of that kind as suspect.

Fake tax refund scams

A variant of phishing, tax refund scams typically arrive as a text message (smishing) or email from cybercriminals posing as a government agency such as Inland Revenue or even the local police. The scammers contact your AP team claiming to be from the IRD, send fake refund notices and ask for bank details or a small payment to release the refund.

Make sure to always verify the authenticity of any refund claims with the relevant agency directly.

Business email compromise (BEC) attacks

BEC scams involve cybercriminals gaining access to a company’s email system, or convincingly spoofing it, and impersonating staff such as the CEO or CFO to request fraudulent financial transactions. Scammers rely on well-worn psychological tricks to carry a BEC attack through: above all, they manufacture urgency so that the victim acts before checking. AP staff need training to help them distinguish legitimate emails from suspicious ones.

False invoice scams

Fraudulent invoices, also known as false billing scams, are sent to businesses to trick staff into paying for goods or services that were never delivered, or into paying a genuine invoice to a changed bank account. Because a vendor’s own email account may have been compromised, verify any new or changed payment details through a strong call-back procedure, using a phone number you already hold on file rather than one supplied in the email.

To protect yourself and your suppliers against these EOFY scams, it’s important to stay vigilant and adopt measures that minimise your risk. This includes basic security hygiene, such as multi-factor authentication and choosing strong passwords.

But this isn’t solely the responsibility of the security or IT team. No matter how strong your security controls and defences are, your financial processes are the last line of defence when one of your suppliers suffers a breach. Fortunately, there are a variety of ways that finance leaders can shore up their defences ahead of the financial year-end.

How to identify and prevent EOFY scams

Scammers are keen to exploit this reporting period by targeting individuals and businesses rushing to meet their tax obligations and close off time-sensitive tasks. But some common red flags can alert you to these scams – even during busy, hectic phases.

  • Unusual requests for sensitive information
  • Unsolicited emails, phone calls or text messages
  • Enticing offers that sound too good to be true
  • Incorrect email addresses
  • Grammatical and spelling mistakes
  • Unknown senders or unverified vendors
  • Blurry company or entity logos
  • Suspicious links or attachments
  • Urgent or threatening language
  • Spoofed invoices or incorrect information about vendors

Let’s take a closer look at some of the most common red flags and how to prevent scams.

Unusual requests or messages

Ever received a surprising request or message that sits outside your normal processes? One that wasn’t preceded by, say, an in-person conversation with an executive explaining the situation? DANGER ZONE. Such a message might turn out to be legitimate, but it should be presumed malicious until proven otherwise.

That’s because an unsolicited email or phone call is one of the most common signs of a tax scam. Best practice is to check the sender’s email address against the one you have on file and to verify the request with the sender through a call-back to a known number. If you suspect you’ve received a scam email, report it to the appropriate authority (a cheat sheet provided by Te Tari Taiwhenua Department of Internal Affairs can help you determine the best organisation to contact).

Offers that are too good to be true

Another warning sign is an offer that seems too good to be true. Scammers may offer to help you claim a large tax deduction, offer a refund that is much larger than expected or promise to reduce your tax bill to an unrealistic amount. These offers may be presented in a way that seems official but is actually fraudulent.

If you receive an email, phone call or offer that seems suspicious during the EOFY period, be sure to investigate further before providing any personal information or funds. Check the sender or caller’s credentials, look for spelling errors or unusual language, and verify the offer through other channels before taking any further action.

Mistakes in language or contact details

Whether it’s a typo, a slightly incorrect email address or supplier details that don’t look quite right, little flaws can signal a big risk. Always double-check senders’ email addresses (scammers are hoping you won’t notice that your CEO is messaging you from “totallylegitaddress183839@hotmail.com” instead of their usual address). However, since email accounts can be hacked and addresses can be spoofed, remember that a legitimate-looking email address is not sufficient proof of authenticity.

Scammers aren’t famous for their elegant, error-free prose, so keep an eye out for grammatical mistakes or turns of phrase that don’t sound natural. However, remember that generative AI tools like ChatGPT are helping even the laziest of fraudsters churn out legitimate-sounding text. Again, this is just one red flag to watch – flawless writing in an email or SMS won’t guarantee its legitimacy.
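As an added illustration (not code from the article or from Eftsure), the Python script below applies the sender checks described above to an email From header: it flags free-mail domains, lookalike domains built from digit or letter swaps, and a display name that matches a known contact while the address does not. Because a familiar-looking address proves nothing on its own, it also reads the receiving mail server’s Authentication-Results header for SPF, DKIM or DMARC failures. The trusted-contact list, the free-mail list and the sample headers are constructed for the example, and the header parsing is deliberately simplified.

```python
"""Triage the sender of an inbound message against the contacts an AP team
normally deals with. Added example: not code from the article or Eftsure.
The trusted contacts, free-mail list and sample headers are constructed."""
import difflib
from email.utils import parseaddr

# Constructed: the executives and suppliers whose addresses are already on file.
TRUSTED = {
    "jane.doe@examplecorp.co.nz": "Jane Doe",            # assumed CEO
    "accounts@acme-supplies.co.nz": "Acme Supplies AP",  # assumed supplier
}
TRUSTED_DOMAINS = {addr.split("@")[1] for addr in TRUSTED}

# Consumer mail providers an executive or supplier would not use for AP business.
FREEMAIL = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com"}

# Character swaps commonly used to build lookalike domains (heuristic, not exhaustive).
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain: str) -> str:
    """Fold common homoglyph tricks so 'exarnplec0rp' compares equal to 'examplecorp'."""
    return domain.lower().translate(DIGIT_SWAPS).replace("rn", "m").replace("vv", "w")


def looks_like(domain: str, trusted: str) -> bool:
    """True when a domain is not the trusted one but is confusably close to it."""
    if domain == trusted:
        return False
    if normalise(domain) == normalise(trusted):
        return True
    # Catches single-character edits such as 'suppIies' (capital i) for 'supplies'.
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85


def triage(from_header: str, auth_results: str = "") -> list:
    """Return the red flags found for a From header (an empty list means none found)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    flags = []

    if addr not in TRUSTED:
        if domain in FREEMAIL:
            flags.append("free-mail domain")
        for trusted_domain in sorted(TRUSTED_DOMAINS):
            if looks_like(domain, trusted_domain):
                flags.append(f"lookalike of {trusted_domain}")
        for trusted_addr, trusted_name in TRUSTED.items():
            if name and name.lower() == trusted_name.lower() and addr != trusted_addr:
                flags.append(f"display name matches {trusted_name} but address differs")

    # A familiar address can be spoofed or the account hacked, so also check what
    # the receiving mail server recorded (simplified substring parse of the header).
    results = auth_results.lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        if f"{mechanism}=fail" in results:
            flags.append(f"{mechanism} failed")
    return flags


if __name__ == "__main__":
    # Constructed sample headers: two impersonation attempts, one spoofed
    # message from the real address, and one clean message.
    samples = [
        ('"Jane Doe" <totallylegitaddress183839@hotmail.com>', ""),
        ("Acme Supplies AP <accounts@acme-supp1ies.co.nz>", "spf=pass"),
        ("Jane Doe <jane.doe@examplecorp.co.nz>", "spf=fail; dkim=none; dmarc=fail"),
        ("Jane Doe <jane.doe@examplecorp.co.nz>", "spf=pass; dkim=pass; dmarc=pass"),
    ]
    for header, auth in samples:
        print(f"{header!r}: {triage(header, auth) or 'no flags'}")
```

The point of the last two samples is the caveat from the paragraph above: the same genuine address is flagged when SPF and DMARC fail and passes when they succeed, so the address alone should never be the deciding check. Even a clean result is only a reason not to escalate automatically; a payment-detail change still goes through the call-back procedure.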

Urgent or threatening messages

This one is tough because EOFY tasks really are time-sensitive. Precisely because scammers capitalise on that reality, an urgent request should be a reason to slow down, not to rush through the usual control processes.

Fraudsters are getting better at imitating the polite language of most corporate environments, but sometimes threatening language still shows up in EOFY scams. Colleagues are more likely to ask things like “What’s a realistic timeframe for this?” or “Do you think finishing this by Friday COB is feasible?” Your mileage may vary, but be on high alert if a message threatens severe consequences for not fulfilling a request right away.

How to mitigate the risk of EOFY scams

While the EOFY period is underway, one of the most effective ways to protect your organisation is by fostering a strong security culture. This includes raising awareness about EOFY-specific risks, identifying EOFY scams and educating employees about how to differentiate between genuine and suspicious messages. Ideally, training is interactive and doesn’t just happen once a year – training modules need to happen routinely to reinforce messages and update staff on new scam tactics.

Further, CFOs play a crucial role in creating an environment of openness and transparency around suspected scams and security incidents. By encouraging staff to report anything that looks wrong, organisations cultivate a culture in which employees are proactive about identifying and reporting suspicious emails. Staff should never feel shy about raising a hand to ask whether a message is legitimate, or about promptly telling someone if they think they’ve clicked on something malicious.

Generative AI’s emerging role in scams

While generative AI has proven beneficial across several business applications, especially in industries like healthcare and manufacturing, cybercriminals are also harnessing powerful AI tools that can aid in their malicious activities.

The increasing usage of generative AI models like ChatGPT presents new risks that financial professionals should be aware of.

Enhancing social engineering attacks

One major threat is the use of large language models (LLMs) and AI-generated content to refine social engineering tactics like business email compromise (BEC) attacks and phishing campaigns. LLMs can help attackers craft more natural-sounding and grammatically correct messages, overcoming red flags like spelling errors that might raise suspicion. AI writing assistants can also help cybercriminals overcome language barriers, enabling attacks in markets they previously struggled to penetrate.

Additionally, attackers can use AI tools to sift through large volumes of stolen or publicly available personal data to pick out high-value targets and the details needed to impersonate them convincingly. Some advanced attacks even use multi-persona impersonation, with AI sustaining believable back-and-forth conversations between several fake identities to build trust before the fraudulent request or malicious attachment arrives.

Synthetic media and impersonation

Synthetic media includes artificial audio, video and even faces. Deepfake audio and video have already been used in high-profile “CEO fraud” cases to impersonate executives and deceive employees into transferring funds. One of the most notorious cases is the Hong Kong incident in which a finance employee overcame initial scepticism and transferred a fraudulent payment after seeing deepfaked coworkers on a video conference call.

As this technology becomes more accessible, scammers may attempt to impersonate known business contacts using synthetic versions of their voices and faces during video calls. This could diminish trust across organisations and supply chains.

Unknown risks

Security experts caution that the full extent of generative AI’s potential risks is still unknown. These powerful models can exhibit surprising behaviours and unanticipated capabilities, making it difficult to predict how threat actors might weaponise them in the future.

In light of these emerging AI-enabled threats, finance teams must implement rigorous verification protocols, increase security awareness training, and stay vigilant against evolving social engineering tactics.

Find out how to strengthen your processes, people and technology
Stay one step ahead of scammers all year round by understanding the latest tactics and developing a comprehensive anti-cybercrime strategy. Our Cybersecurity Guide for CFOs is a free resource outlining how to test your controls and uplift your defences.
