Payment Security 101
Learn about payment fraud and how to prevent it
Niek: Okay, looks like we’re live. There are already attendees rolling in. Hello, everyone who’s here. We’re just going to take a few moments for everyone to join and get the connections working. The number is rapidly increasing, so we’ll wait for that. Thank you all for joining us. My name is Niek Dekker. I’m the Head of Marketing at Eftsure. I’m joined by Gavin Levinsohn and Michael Galanos. Gavin is our Chief Growth Officer and Michael Galanos is one of our business development managers. Today we’re going to talk about the data breaches that you’ve seen in the news and how they reach you and how they affect you in your profession. Very hot topic at the moment. I’m not sure if everyone has seen the new Four Corners documentary about the cyber-attacks and the cyber-crime that was affecting Medibank. And there’s a lot more that Gavin will cover about that as well. First things first, let’s do a few housekeeping rules while everyone is still joining. We’re probably starting in a minute or two, so all the latecomers can join as well. There’s me and there’s a team of people behind the scenes as well helping you with any questions that you have relating to technical issues.
So, if your sound cuts out or anything like that, just pop in a question and we’ll try to fix it for you. That’s going to be a bit difficult, but sometimes a few easy hacks can fix it for you. If you have questions about the content of what Gavin or what Michael is presenting, pop those in as well. At the end of the webinar, we’ll be talking about those as well. We’re just going to see if everyone has access to the question-and-answer tab. If you could type in where you are joining us from today, that would be amazing. We are located in Sydney, but I’m sure there are people from all over the country at the moment as well. Toowoomba, Melbourne. There you go. Sydney, Brisbane, Sydney, Melbourne. It looks like we got a good representation across the country as well. Adelaide Hills. Perth. Christchurch, New Zealand. Welcome. Auckland. We got some people from New Zealand, always fun. Okay, so it looks like we have a good amount of people now who have found the question tab. That’s always encouraging to see. There’s still some people joining, so I’m sure we’ll start.
Gavin: Yeah. Let’s give it two more minutes, Niek, because it’s ramping.
Niek: Yeah, sure. Christchurch, Perth. It’s really the whole of APAC. It’s awesome to see. Okay, let’s do it. There are 300 of you now on the call. Thank you so much. It’s amazing to see and it’s really encouraging for us to put content like this out. Thank you for joining already. Just for the people that came late, my name is Niek Dekker. I’m the head of marketing, joined by Gavin Levinsohn, chief growth officer at Eftsure, and Michael Galanos, a business development manager. We’ll be talking about the data breaches and how they land at the finance door. Gavin will do the first part of the presentation. I’d like to hand over to him and then we’ll just go through it. It should take about 45 minutes and then 15 minutes of questions and you’ll be ready at 1:00. Thank you.
Gavin: Thanks, Niek. Thanks again to all of you for joining. It’s really rewarding and just makes us want to produce better content and provide more insight to the Australian business community. As a payment control business, Eftsure, we speak to hundreds, maybe this year into the thousands, of finance leaders across Australia with a high degree of frequency. What we see is that there are really two worlds that operate in, let’s say, the cyber security to payment control continuum. On the left is the world of your colleagues in the technology department, headed by the CTO in a bigger organisation; in a smaller organisation, perhaps the IT team, perhaps even someone on your team. But that is a world concerned with, let’s call it, cyber security, which is protecting, putting a perimeter around your business to make sure that the data in your business is integrated, protected, and no one gets it who shouldn’t get it. And then there’s the world of the finance team, CFO, accounts payable, financial leadership. And that’s not the world of cyber controls but the world of financial and internal control. That concerns policies and procedures, financial controls, vendor management, and really, we’re trying to protect the cash, financial integrity. And as a payments control business at Eftsure, we spend a lot of time in the world on the right, working out how we can enhance the financial controls of our customers and bring them into the digital age, if you allow me a bit of poetic licence. We spend our time there because it’s our business and we spend our time there because it is a growing problem. Frauds and scams that target the cash of your business and the commercial assets of your business are a growing problem. $277 million was lost to payment redirection scams in 2021 according to the ACCC.
That was a 77% increase from last year. I’m actually aware that the ACCC put up new numbers. I think it was yesterday morning or Tuesday morning. I’m open to correction. But this week, a new report was published. My understanding is the numbers have continued to rise. $64,000 is the average lost to the most prevalent, most popular and fastest growing cyber scam, and it has been so for the past few years: business email compromise, sometimes called supplier email compromise. The average amount lost to a business email compromise scam in Australia last year was $64,000, which is a 26% increase on the prior year. And what I’m going to say about any number you see is two things. One, always underreported. I did glance over the numbers published this week. They feel grossly underreported. That’s because not every scam has to be reported. Not every scam is reported. The other thing is the money lost, we like to say, is a third, or if we’re being a bit aggressive, a fifth, of the total economic impact on your business. If you lose $100,000 to a scam, well, the real impact on your business could be $300,000, $400,000.
Why? You’ve got system downtime; you’ve got forensic investigations to do and pay for. You’ve got legal costs. There are often staff morale and HR issues that flow from that. So, the impact is sizable. The statistics, I find, never tell the story as well as the headlines. And this is just a smattering of headlines from the past few years. And there are literally hundreds of these, sadly. And if you dig below the statistics and the headlines, really what you’ll see is three main scams. Supplier email compromise, which I mentioned a moment ago, which is really about a supplier of your business being impersonated to you. A bank account number is changed and you’re paying the fraudster, but you think you’re paying the supplier. So that’s supplier email compromise. Executive fraud is a variation on that theme. But instead of a supplier being impersonated, a senior executive in the organisation is impersonated, and the fraudster, impersonating that executive, will instruct a junior member of staff to pay. Often those scams are highly nuanced, where in both cases the fraudsters are mindful of the time of day, who they’re impersonating, the language that that person uses, their previous email trails.
It’s highly sophisticated, nuanced stuff, and they get you to pay the wrong person. Then the third type of scam we see is what we call the nefarious employee, an insider scam, where someone on the inside is being malevolent or corrupt and perpetrates a scam. All of those scams are normally effective because of a failure of something like password hygiene, which sits in the CTO bucket, and/or a failure of internal financial control, which sits in your bucket. Regardless of the reason, as I said, there’s a change in details where really the fraudster’s bank account is being attached to the legitimate supplier’s name, the wrong payment being made, a financial loss occurring, and a very difficult recovery. Now, over the past few years, when we get asked, why is recovery difficult? Why don’t the banks jump to it? I will say this: in certain instances, if you can lean on a massive relationship at the bank, if you’re a huge customer, maybe they’ll go the extra mile for you. But our real answer over the past few years was the bank doesn’t carry liability. Much to the frustration of the ACCC and some other lobbying bodies, the banks do not carry liability for an incorrect payment.
When you hit pay, approve, authorise, the liability is on you. In the UK, they call these scams authorised push payment fraud because you’re pushing the payment with your authorisation. However, liability is not the main reason anymore. It’s a key reason, but just one of the reasons why the banks won’t do it. Increasingly, the reason is best articulated by Angus Sullivan, who’s head of retail at CBA, who recently, on the second of Feb, said: not only does the bank not carry liability, but it’s very difficult for them to recover the funds. Why? Because under new payment systems, including our NPP, which is gaining momentum in Australia, funds move even quicker. So they can move between accounts faster, which means it’s harder to check. And secondly, the scammers, and cyber-criminal organisations, have become more effective at understanding the route the bank will take to try to recover the money. So it’s increasingly difficult. But everything I’m talking about really sits in this world on the right: scams and frauds and finance. Then over the past few months, as our headline says and as Niek alluded to in the intro, there’ve been other headlines.
And you know what I’m going to put up next. Optus, September last year, shortly and sadly followed by Medibank, November last year, and then as recently as a few weeks ago, Latitude Financial. Really, these are data breaches, and these are occurring in the world on the left. What this talk, what the bulk of today is about, is really us explaining and proving out a point of view we have, which says that failures on the left, these data breaches, are going to turn into massive risks on the right, commercial risks that target your teams and your money. In building the bridge from the left to the right, I’m going to start with a little bit about putting these data breaches into context. Then the main bit of what I’m going to talk about is how that lost data might turn into scams and frauds which are targeting you or your AP teams, and how you might respond as a strategic framework. Then I’m going to glimpse into the future, and then I’m going to hand over to Michael for 10 or so minutes, who will talk about how Eftsure fits into that strategic response. But that will just be a small piece of today.
Really, let’s start by looking at data breaches. What’s the context for this rapid uptick in data breaches? Well, it’s the context of the history of crime. And while that sounds flippant, if we go back a thousand years and you wanted to get someone’s money, you’d probably use a sword, then a gun, then, let’s go to the ’70s, ’80s, ’90s, you’d probably use code. And that’s obviously still in use today; whether it’s viruses or worms or denial of service attacks, you’re using code. But then today, a way to get money is actually to extract data, because data has so much value. There is a whole suite of applications you can use to do that. Then we’ll look at where to next. A subtheme which will come up today is this: anything that can be used for good can be used for bad. Data has positive value for organisations. It has positive value for society, but it also has value for fraudsters. The applications that we use to produce growth and revenue and profits for our business can be used to produce growth, revenue, and profits for fraudsters. That’s the theme today. But on this topic, I was recently sent this cartoon, and many a thing said in jest is real.
And yes, cyber-crime is a safe form of crime. As Peter Price, our colleague at Crime Stoppers, often tells us, extradition is very challenging. And that’s if you can find out who the criminal is. They’re in another country, if you even know who they are. And I can add Latitude to that list. But these few data breaches that have been heavily reported in the press were just some of many in which Australian consumer, private consumer data was lost. And in fact, the Office of the Australian Information Commissioner last year, under their mandatory scheme, which compels companies to report data breaches in the case of certain privacy being breached, well, there were 853 reported in Australia last year to the OAIC. I can’t validate the next stats I’m going to spit out, but I have heard, and I know it’s been reported, that Australia experienced last year 20x the global average of corporate data breaches. Now, I need to validate that fact. But let’s say it’s half true. We really have a problem, and hence all the press. Why? Well, I think the first reason is the global illicit trade in data, which I mentioned. The second point, which I’ll prove out later on, is a massive uptick in global volatility.
We’ve gone from a pandemic to a European war to the real beginnings of a reorganisation of international power and trade and geopolitical moves, environmental challenges; volatility goes up. We’re now peeking into a recession, perhaps. Global volatility goes up, crime goes up, cyber-crime goes up. That’s the second reason. Then you’ve got reasons that are structural to Australia. We’re a very affluent country, so there’s money to be gotten. We are a very structured economy. We are a law-abiding economy, certainly compared to many others. And as Angus Sullivan said on that previous slide in the quote, fraudsters know our response pathways. They know how we’ll behave. They know how public authorities will behave. They know how law enforcement will behave, which means they can plan their scams a bit better. And then lastly, a more debatable point, but I would like to believe, and I think it’s the strength of Australian society and the Australian business community, that trust is baked in. But if we trust each other, that trust can be weaponised for malevolent means. Those are some of the reasons. Just to step to the right a bit, here’s a quick pro tip. I don’t know how many of you have heard of this website, Have I Been Pwned?
‘Pwned’ is a term that emerged from computer gaming, as so many things do today. And really, if you want to find out if you’ve been pwned or owned by a data breach, go put your email into this website. It is reliable, it is valid, and it’ll very quickly spit back some of the data breaches that your email might have been compromised in. Here are four from a while ago that mine were in. If you want to know what to do, no need to panic, but I would immediately go change the password that is associated with that email address in those applications. In my never-ending battle with my weight, I’m a user of MyFitnessPal, and I immediately went and changed my password for that site, and I would do the same. But go check it out. That’s a bit of context. Let’s get into the beef. The beef is to really look at how those data breaches, Optus, Medibank, Latitude and the other 852, might lead to a massive uptick in scams and frauds that are not about getting data, but about extracting from your bank account through misdirected payments.
So I’m going to use the Optus hack as the beginning of a case study. And I’m going to say this: it’s very easy to get into a victim-blaming situation with Optus, but they were a victim of a crime. It’s a nuanced crime. While we could always say the organisation could do better or protect data better, and I do understand why there’s so much distress because of the nature of the data loss and the volume of the data loss, it’s equally important to balance that frustration with the fact that Optus were a victim of a crime. And it was a crime that came to light in September last year when the hacker went onto the Dark Web and posted that he or she had extracted, at that time, just as a teaser, 1.1 million records, and really said, contact them on this confidential social media app called Telegram if they want to know more. As a quick aside, what is this Dark Web? Well, it helps to think of the web in just three buckets. There’s the clear or surface web, which you can find through Google or your browser: .net, .org. It’s just 5% of the web.
It’s what’s indexed by search engines. Then you get the Deep Web, which is 90% of the web. That really is legitimate, valid information. It’s not illicit, but it’s protected behind firewalls and you get to it with passwords. That could be your shopping history. It could be Netflix’s film library. Then you get this place called the Dark Web, which is the final 5% of what’s out there. It’s highly anonymous. It’s hard to track. While it’s not all used for illicit purposes, it’s very effective in its use for illicit purposes. You can only get to it through a certain browser. On that Dark Web space, the hacker had posted that message. Then a week later, on the 23rd of September, at the exact same time that the hack became public, was made public by Optus, the hacker comes back and posts: hang on, I don’t have 1.1 million records. I’ve actually got 11.2 million records. Of the 11.2 million, across 10 million of them, he’s got what he calls address data, which is even richer data. Then the hacker says, if you look at the bottom of your screen, the hacker says, okay, if you want the data exclusively back, basically he’s talking to Optus.
If you want it back exclusively, so no one else gets it, I want a million dollars. That’s the message to Optus. If you’re not Optus and you want non-exclusive use of the data, i.e. you want it for your own nefarious purposes, you’re going to pay me 150 for the address data and 200 for the user data… Sorry, 200 for the address, 150 for the users. But the hacker offers a bulk discount. If you buy both sets of data, he or she will give it to you for 300,000. How do they want to be paid? In a very anonymous cryptocurrency called Monero. Not all crypto is equally anonymous and hard to track, but that’s a conversation for another day; this one is paid in Monero. But there is a footnote there, which is that crypto is going to accelerate cyber-crime. It’s a boon for cyber criminals. That’s posted on the Dark Web. At the same time, Optus go to their customer base. The right thing to do: Kelly, the CEO, goes public and says, and pretty much validates what the hacker is saying, that this was stolen. Our first question in trying to build this bridge is, well, who’d want to spend $300,000 on the data?
If you’ve attended our webinars before, or you’ve heard us speak at conferences, you’ll know we’re big on this point, which is: it’s not more hackers. It’s not Neo from the Matrix. It’s not some Hollywood trope of a hacker. Hackers take data, and they’re probably not wearing hoodies in dark places. But nevertheless, hackers take data. They don’t use the data. They on-sell the data to someone else. And who buys the data? Well, it’s cyber-criminal organisations that look less like teenagers in garages and more, if you look around your own organisation, they look more like us. Why? They’ve got shareholders, they’ve got targets, they’re commercial enterprises. They use the same technologies we use, but for different purposes. They’re intentional in their business goals. They’re organised in their business goals, and they need talent. They hire some of the best, most capable people. Just to underscore that point, this article was sent to me recently. It’s an article about a study that Kaspersky, the cybersecurity and anti-virus protection company, did on the Dark Web’s job market. I looked into the study and on the left, you can see an org chart. An org chart for a hacking team in a hacking organisation.
And if you glance at the left of your screen, well, that might look a lot like some teams in your organisation. If you’ve got any software or technology development team, well, you’ll find an analyst, you’ll find a developer, you’ll find an engineer, you’ll find a designer, a QA tester, and some administrative management people. You might not find an attacker and you might not find a reverse engineer. But I’m trying to illustrate quite graphically how organised these organisations are. And then on the right, what you can see is a study on the volume of job ads offered and searched for on the Dark Web over 30 months, from Q1 2020 all the way up to midway through last year. Now, if you look at Q1 2020, what happened in that quarter? Well, COVID hit. COVID hit most countries. And look at the high volume of job searches, which I guess is a data point to underline what I said earlier about how, in times of turmoil, cyber-crime goes up. So let’s answer that first question. Who would spend $300,000? Well, these very organised commercial cyber-crime organisations, they buy the information from the hacker.
Next question, more important: what do they do with it? Well, they’re not stopped because they don’t have the password. When Optus go out with their next piece of communication to their customer base, they do the right thing. They say to everyone, be vigilant, especially as consumers. Be extra vigilant. Look out for contact from scammers. I guess the point we would make is, well, how do you know it’s from a scammer? If you did, these things would be less threatening. And then they do say, and I understand that no passwords were compromised. But we’re here to tell you today that for a cyber-criminal organisation, not having the passwords is really moot. It really doesn’t matter. And to explain why, I’m going to draw a parallel. And the parallel is that cyber-criminal organisations will operate very similarly to how our, or your, digital or modern marketing team might operate. So as a marketing team, this is how we operate. We start with a broad demographic list. At Eftsure, we build relationships with financial leaders, but sometimes also technology leaders and procurement leaders. So we’d start with a very broad list. We then segment that list into smaller audiences, smaller segments: CFOs as opposed to accounts payable officers.
Accounts payable officers of large organisations compared to accounts payable officers of, let’s say, schools or not-for-profits. Maybe we’ve got a segment called chief procurement officers, and so on and so on. We then run very targeted messages and propositions and campaigns, ad campaigns, content campaigns, at those different segments. The goal of those campaigns, in number 4, is to get a click or get some behavioural response so that we can engage this prospect and sell them our service. That’s how we operate. That’s how your marketing teams would operate. And to do that, we’ve got a whole stack of technology. Well, as I said earlier, it’s very similar to how the organisation that buys the Optus data for $300,000 will operate. They’ll have this broad demographic list, 11.2 million records, and they need to enrich the data of that list. They then need to segment that list into sub-audiences. They then need to… We do campaigns, they do scams. They’ll have schemes and scams against those audiences. Then they need to think carefully about what they need those audiences to do, how they need to respond to those scams, so that it turns into money and into commerce.
To build the bridge, really, this is the crux of today. To build the bridge from the data loss to a scam that’s coming into your accounts payable team’s inbox, I’m going to do it as follows. I’m going to step through it. To enrich data: 11.2 million records is a lot if you bought all of it from the Optus hacker. Let’s just look at one record to start. You might recognise that very handsome face from Niek at the beginning of the webinar, who’s hosting us today and managing the webinar. Niek’s our head of marketing, and Niek lives, like many of us, a very digital life in his personal life and in his commercial business life. Niek is interacting with websites, applications on his phone, on his desktop, through his television. And each time Niek interacts with a service or a provider on the web or a piece of software, he has a unique identifier in that company’s database. And really, every modern company, any technology company today, is a database company. And that identifier, for data storage and privacy purposes, is a unique anonymous number. But in each of those databases, and there are different records and fields in each database, but in each of those databases, that unique identifier is connected to another unique identifier, be it a name, an address, an ID number.
And often, the identifier that’s not anonymous, like a name or address, is behind a firewall and password protected. But that doesn’t stop, as I keep saying, it doesn’t stop cyber-criminal organisations, because they can create relationships between all these data sets. This isn’t the first set of data they’ve bought. The second reason, which I’m going to show you now, is that even if you can’t get to the password-protected stuff, the hidden stuff, the anonymous stuff, just through the web any of us could find a huge amount of data and connect it up to run an effective scam. There’s a concept in cybersecurity called open-source intelligence, and it’s a fancy term for articulating how much publicly available information there is, both to legitimate organisations for good purposes or fair purposes and available to hackers or cyber criminals. Just as an example of how much information there is, one proponent, one academic proponent of open-source intelligence, which again is used by governments for crime fighting purposes, has mapped it out. They’ve mapped it out in this quick diagram, which really looks at how quickly you can connect up publicly available information.
Dating websites. There’s the suite of dating websites. You can click on dating websites, and you can get to underlying databases and so on and so on. I could just let this diagram keep playing, but you get the idea. There’s a huge amount of data available online. Let’s just go back to Niek and say, what if all we know about Niek is his name and address? That’s all we know about Niek. Well, if we know Niek’s name, and I’m sure you do this often, you can go on to LinkedIn. And if you’ve got a purpose in mind, well, it’s interesting that Niek works at Eftsure. That’s who Niek works with and for. That’s who Niek’s team is. That you can deduce in a few seconds. Now I know all of that stuff about Niek. Now, let’s say I’ve got Niek’s address. That’s something that the cyber-criminal organisation bought. The hackers sold the addresses. If I know Niek’s address, I can go to any one of several publicly available sites. I think this one was Domain, but there are others. There are some you can pay for, subscribe to, which give you more information. But if you know Niek’s address, then you know maybe Niek rented this apartment in Manly, this lovely apartment in Manly.
And if I know that Niek rented that apartment, well, I could make some extrapolations about Niek’s income. But more importantly, I’ve got some context here. I know who Niek rented this from and when he rented it. He rented it from Stone Real Estate Manly in March of last year. Now I can add to his employment information, I know a bit about income, and I’ve got a context. Now I’m starting to enrich the data. Now, if I do that across a lot of records, I can bundle them into segments. We could create a segment. If we do the same exercise across a few hundred thousand or a few million records, we can build a segment, and that segment might be rented something in Manly, or it could be rented apartments from Stone Real Estate Manly, or it could be executive managers who work in Sydney who rented from Stone Real Estate Manly. Maybe there’s another segment across the 11.2 million records called Bought a Home from Ray White. Maybe there’s another segment more in the business space, which is recently changed jobs and is an HR executive, and so on, and so on and so on.
But you might be wondering, that’s a lot of work. How do you manually populate and enrich data across 11.2 million records? Well, you could outsource it. You could go on to an outsourced freelance website like Fiverr and you could pay someone $15 an hour to give you a script or write a piece of code for you or build a little tool to do this for you. But to be honest, going and getting some Python code done, that’s a bit 2020 or 2019. Today, I can go on to one of a suite of increasingly advanced AI tools. Obviously, the one that’s gotten a lot of headlines lately is OpenAI’s tool called ChatGPT. Maybe some of you use ChatGPT to write your year 4 child’s speech on the First Fleet, or maybe that was just me. But you can use ChatGPT not just to do English language processing; you can use it to do programming language processing. I went on to ChatGPT and I just said, write me a Python script to extract data from the web. It took ChatGPT a whole five seconds to do that. There’s the example on the screen.
That’s how you enrich data across 11.2 million records. Easy. Now, I’ve got rich data on 11.2 million records. I’ve grouped them into segments. How do I run a scheme? How do I execute a scam? Well, you need a channel, and you need a goal. The channel, I’m afraid to say, and you’ll know this, is email. Now, Michael Connery is really a leading light in cybersecurity in Australia. He does work for government; he does work for enterprise. He knows his stuff. Michael has been saying since 2018, 90% of all the attacks and schemes and scams and breaches that he has been called in to remediate or investigate start with or include email. Now I’ve got a channel, but what’s my goal? My goal is a click. I could never say it as well as Brad Smith, Chief Legal Officer of Microsoft, who said a very true thing. Every company has at least one employee who will click on anything. In fact, I say Brad hasn’t actually hit it hard enough yet. We modify it by saying every company has at least one employee who will click on anything once because you just need one click.
I’ve got my segments. I’ve got Niek Dekkers’ who have rented something from Stone Real Estate Manly. I’ve got my channel, which is email, and now I’ve got my intent, which is a click. Here’s my scam. Hey, Niek, quick one. It’s Linda from Stone Real Estate Manly. I tried calling you regarding your rent, but we have two phone numbers on file. Can you confirm which one is the correct one? And click on this link to do that. Those are my variables. You can just change that from scam to segment to segment to scam. Just remember, the hackers just remember, the criminals just need one click. They don’t need many clicks; they just need one. That’s a scam in the consumer space. In the business space, it gets more complex. The threat area gets broader. Why? Because it’s not just that every company has at least one employee who will click on anything once. Every company has at least a supplier with one employee who will click on anything once. Now, that’s a much more complex problem. Here’s an example of a scheme run along the same logic I said, but instead of impersonating Stone Real Estate Manly, the fraudster, the cyber-criminal organisation is impersonating a supplier, a contractor, to one of our large construction and engineering customers.
In the same way that the fraudster in the consumer example would run it against all sorts of different people who have rented apartments. Well, the fraudster here would impersonate the supplier and run it against all that supplier’s customers. And you’re just looking for one click. Obviously, I’ve redacted for confidentiality reasons. We did manage to stop this fraud. It saved the customer company paying three progress payments, which totalled $1.1 million. We do have a case study on that. So that’s an example of a scheme. The next question is, what happens if the fraudster is successful in securing that click? What happens? Well, a suite of things could happen. The first thing might be that the fraudster inserts more listening software or Trojans or malware onto the computer to try extract more data or get logins or so on. That’s something. The other thing the fraudster can do is insert some remote access software. This is a remote access software tool called Remcos. It’s available for as low as $85. Totally legitimate piece of software. Once again, I’ll remind you of my subtheme today, which is everything that can be used for good can be used for bad, and this can be used for good.
An IT team might use a tool like Remcos to remotely access computers to fix an email problem you have or restore a file you’ve lost. But fraudsters can use it to illicitly gain access. Here’s a YouTube video we found. I’m not going to play the video, but in about 20 or 30 minutes, someone explains how you can use Remcos to get access to a computer that you have no right to get access to. Those are just examples of what happens when you click as a result of the scheme. But the click is not enough. The fraudsters have to generate revenue. And one way they generate revenue is just selling the access. They can sell access into a company. They can go back onto the Dark Web and say, Hey, one access into this organisation, here’s how much it costs. Sometimes the IT teams are really good. And to put it in local terms, they lock the front door. Their perimeter defence is really good. So you can’t just get access to computers, in which case the fraudsters are increasingly going through the back door. And the back door, what is the back door in our language?
The back door is a failure of payment or financial controls. Much harder to get right. And that, and I know I’m belabouring the point, but I can’t stress it enough, that is, unfortunately, not just about you controlling your own systems and access to those systems. It’s not just about making sure your staff behaviour, hygiene, culture, training is good. It’s about creating some integrity in your supplier community, and that is extremely difficult to do. There are very few ways to do it. Michael, in the last 10 minutes of today’s talk time, will speak about that. I’m going to hand over to Michael in a few moments. But how do you keep yourself safe when a failure in a supplier organisation renders you vulnerable? And that’s business email compromise. That’s why these scams are growing, because they’re effective. And my point today in building the bridge, and I’m going to put the last brick on the bridge, our point is these data breaches, Optus, Medibank, Latitude Financial. And unfortunately, I’m not going to be wrong in predicting there are going to be more. What they are is nitrous oxide, they’re steroids. They’re an accelerant for the volume and efficacy with which these scams can be perpetrated, because the fraudsters are better at impersonating people.
So that’s the bridge. How do you respond? How do you go about doing this? Well, I can summarise by saying this: you bring these two worlds closer together. Borrowing from the work of someone called Nigel Fair, who’s the ex-lead investigator for the Australian Federal Police’s high-tech crimes unit. And certainly, he’s a director of the University of New South Wales in Canberra. And he’s really, again, another leading light in cyber security in Australia. He speaks about having a cyber-crime strategy as distinct from a cyber security strategy. And Nigel really unpacks this in detail. But in simple terms, it’s about finance taking some responsibility for cyber security and getting closer to the CTO. In fact, Mr. Fair says he thinks the CFO is actually the logical owner of the whole strategy. I would say involvement is good enough. What is that strategy? It’s about financial control. It’s about bringing financial control together, getting closer to the CTO. How do you do that? Well, we say there are five parts to it. There’s technology, there’s culture, there’s improving internal controls, there’s pressure testing, and there’s training. Let’s start with training. Training is critical. If you’re a big organisation, pay someone to come train your teams.
Sorry, if you’re a big organisation, either pay someone or ensure your IT department has the resources to actually do training and simulation of your password hygiene. That’s ineffectual if you don’t have culture. Culture keeps these things alive. What’s the key point of culture? Well, a high shame threshold. What do I mean by high shame threshold? You need, in your broader organisation, but certainly in your finance teams, you need people to be able to put up their hand really quickly. And say, I clicked on the wrong thing. Or should I click on this? Or I left my laptop in a cab. The quicker people are not embarrassed about doing those things, the quicker you can get into action and the quicker you can stop the scams. Scams, frauds, and the breaches are all like forest wildfires, which we know too well. If you crack on it when it’s an ember, you can stop it. When the forest is burning, it’s very hot. Internal controls, well, that’s about what we’ve all learned as financial leaders, accounting leaders, AP leaders. Segregation of duty is critical. Audit trails are critical. Very important that you manage staff exit well. Time and time again, staff exit is poorly managed, so people sit with access long after they’ve left the organisation.
Call back controls. We know that’s a line of defence. Michael is going to talk about why they’ve got to be done perfectly and the myriad of ways in which they fail. Suppliers’ call back controls. Pressure testing. This is important. In the cyber security world, we pressure test access through penetration testing. The company is doing it. Why don’t we do that with our controls? Why don’t you pressure test your payment controls, your internal controls? Pressure test them by simulating what hackers might do. Get your CEO to write an email to a junior member of staff instructing them to make a payment on a Friday evening to a supplier that’s not in your master file. Try something like that. Duplicate invoices, pressure test your internal controls yourself and see what happens. Don’t punish people, but see what happens. Work out how to improve. Lastly, there’s technology. I’ve always been mindful about talking about technology as a technology vendor. But here’s the truth. As the world gets more complex, you probably need more complex solutions. If I go back to the marketing analogy, in marketing, three years ago, we started with one or two applications. We now have seven and they make us better at marketing.
It’s the same with your tech stack around cyber security and controls. Now, that’s a strategic response. I’m very mindful of time because I want to give Michael time, and I’ve gone a bit over. So in terms of where is it going in the future, well, we see it changes psychologically and it changes technologically. I don’t have time to go through these things, but I’m just going to take one more minute and summarise where it’s going with a sentence which has two points. Point one is AI. It’s going to be used for harm, and that is a concern. Point two is synthetic media, synthetic video. Consider this. So that’s a piece of software. It’s made with this tool Metahuman. It’s been used in advertising and gaming and commercial purposes, but it can also be used for fraud, and the level of detail. If you shrink Morgan down to a little square box on a Teams or Zoom or Google Hangouts, well, he can purport to be anyone, CEO and so forth. So that’s a bit of where it’s going in the future. But really, I want to hand over to Michael. And Michael is going to revisit what we said about cyber-crime strategy as opposed to cyber security strategy.
These five buckets I’ve just mentioned. And Eftsure is a part of one of those buckets. It’s a technology solution. And really, if I had to summarise what Eftsure does, earlier on I said your IT team need to be good at closing the front door. What Eftsure does is it closes the back door. It makes sure that even if these scams and frauds come out at you, which they will, that the money is not lost. Even if the hackers get in, even if the fraudsters get in, we close the back door, so the money is not lost. Michael, you can take it from here for the next and final 10 minutes and then we can do some Q&A.
Michael: Perfect. Thank you, Gavin, and thank you for, I guess, a great run through of exactly what we are seeing in this cyber landscape currently, which really has created a heightened risk environment. And as Gavin mentioned, that real need to have those necessary measures in place to improve those controls and ultimately to protect your organisation. And that’s really what we here at Eftsure are working to provide: that opportunity to bring your organisation’s financial controls into the digital age. Because with all these things Gavin mentioned, both as the way the risk has escalated in the past, but also as it is continuing to escalate in the future, it’s important to have those controls and procedures in place that are also evolving over time to ensure your controls aren’t just keeping up, but are actually staying five or 10 steps ahead of those trends we’re seeing in fraud in the market to keep you protected and make sure you aren’t the next victim in one of those headlines. What we’ve done here at Eftsure in order to provide a solution in that space is actually quite unique. What we offer with our customers, which really spans across all industries, shapes, and sizes, because as we’ve learned earlier today, fraudsters don’t discriminate.
They will target absolutely anyone and everyone that they can. What we’ve utilized is really the power of the people through our own independent database of verified supplier information. Here on the screen, I use the example of some of our foundation customers as an example of how we’ve built this database over time. We didn’t go out and buy a data set of verified vendor information. We built it ourselves organically over the last nine years as we have verified these suppliers on behalf of our customers. Now, let’s say for example, Griffith University was our first ever customer. They had 1,000 suppliers. We verified all 1,000 suppliers on their behalf. Then going forward from there when we brought on our next customer, say it was Blue Scope Steel, they had 1,000 suppliers and we verified, say, 950 of them because we found 50 had already been verified with Griffith and were in our database. Going forward, we then bring on 711 who we see even more of an overlap with that supplier information. And then so on so forth, over the last nine years, we’ve built this database that now sits at over 3.8 million suppliers on behalf of our 1,600 plus customers.
And those overlaps I mentioned are actually quite key because they, in their own regard, provide an extra layer of verification and protection for our customers that would be impossible with their own internal processes, which really is, as I mentioned, that power of the people. If we have multiple organisations who are all paying the same supplier into the same account, that provides another layer of protection. And those organisations can rest assured that those details are correct because they’re all working together. I mean, rather than the way business is normally done, where everyone does their business in their own independent, isolated manner, relying on their own internal controls and checks, here we are using that crowdsourced approach to provide you with that ultimate level of protection and verification. Now, that database is something that, if you can imagine your company joining it, would also provide you with that protection, where you would very likely have a lot of suppliers that are very similar to our customers’, if not the same. We have about 93% of all Australian suppliers currently verified in this database, meaning you would be able to pay them with that same confidence as our current customers, knowing exactly where those funds are going to be going, which is to those suppliers.
And this is also a database that continues to grow every single day as we sign up new organisations and verify new suppliers on their behalf, ensuring that each of our customers has all of their suppliers in this database. Now, going forward from there, the way we’ve turned that database into a comprehensive AP solution is through software that really protects you at all points in that payment process. So we start with your current vendor data that would be sitting in your ERP system, where we do a full cleanse and audit of that information to ensure what is currently sitting in your system is correct and up to date, because vendor data can get quite messy over time, which increases the risk. And then going forward, when you bring on new suppliers or change an existing supplier’s details, this is very high risk with all these factors we mentioned earlier, because you have no idea where this information is actually coming from. So we will do that verification for you before the information even enters your system and your network to ensure that it ends up in the right place. Then going forward from there, we will instantly verify every single payment you make, both in an ABA payment file as well as live in the banking environment, before you process any payments in the bank.
So I’ll show you how each step works now, here starting at the banking point. So when you’re actually live in your banking environment, whichever bank it may be, you see something very similar to what’s on the screen in front of you before you approve a payment. Now, as Gavin mentioned, we do speak to hundreds, if not thousands, of Australian finance leaders every single year. And when we do get to this point in the process, a lot of CFOs and financial controllers will tell me, we might sit there and we might spot check a few of the suppliers or a couple of the big ones, but no one really has the time to sit there line by line and check every single supplier every single time, which ultimately leaves you exposed to that risk where you often don’t know where all these funds are going. What we provide here at Eftsure to give you that protection and verification is actually a live overlay in your banking environment. So you would use the bank as per normal, but our browser extension overlays these alerts, as you can see on the screen, to ensure you have that protection and verification.
Now, what’s happening here is our thumbs in the middle of the screen are verifying the BSB and account number of whoever’s name you’ve entered, and that it agrees with what we have verified in our Eftsure database with that power of the people. So the simple green thumbs up, when the matches work, you know you’re paying the right account. A red thumbs down will identify a mismatch and a potential payment going to the wrong account. We do still take it a step further where we add extra compliance alerts. So on the left, we have a live feed to the ABR, which will flag any vendors who aren’t registered for GST or have an invalid ABN. That’s a check that’s done every single time you’re making a payment. So you have that ongoing compliance monitoring. But also on the right, our dollar sign will flag any payments that might be a potential duplicate payment, as well as any payments that exceed a threshold or limit you may have set for one of your suppliers as well. So ultimately, you’re able to see all this information at a glance. These alerts do pop up instantly. So saving a lot of time for you and your finance team, whilst also dramatically improving that security, because you’re able to check every single line item every single time you’re making a payment.
But even before we get to the bank, that’s obviously the last point in your payment process. We also have the ability to check your payments at the ABA file. That can actually be uploaded into our online Eftsure portal, where we can provide you those exact same alerts I just showed you in the bank, but you can see them earlier on in your payment process. So it gives your team that security and assurance, before the details are even uploaded into the bank for review and payment, that those details are correct, nothing has been corrupted or manipulated in that payment process, and you will be paying the intended vendors. It does also mean, in the case that there is an issue, you and your team are able to identify that much earlier on in that payment process, helping speed things up in terms of the remedy for that potential missed payment. Those alerts are issued both before and after the upload of that payment information to ensure your funds are always going to the intended recipients and you aren’t a victim of these cyber-crimes. Then to take a step back and look at how we manage that vendor data, we start with what’s currently sitting in your ERP.
So we do a full cleanse and audit of the information that is in your ERP, which you would upload into our online Eftsure portal. We can then identify a number of issues that might be present with each of your suppliers. We will go through every single one, check every detail is correct. Then once we’ve done that initial audit, we see on average about a 25% anomaly rate across our customers because, as I mentioned earlier, vendor data gets very messy over time. So by cleaning that data up, you have a massive reduction of risk upfront. And then going forward, when you bring on any new suppliers or change existing suppliers’ details, we verify and check that new information for you before it even enters your ERP. So that could be either entering the invoice details into our portal or using our digital onboarding forms, which can be fully customised, including the addition of any documents, certificates, or licences you need from your suppliers. We can onboard, store, and track the expiry date of that information as well. But those forms or the invoice details can then be sent to us, where we will then contact your supplier on your behalf.
All that needs to be done from your team is to enter the contact information of the supplier and that is it. From there, we will automatically contact the supplier on your behalf, where they will receive an email with your logo and ours, and they will begin by entering their ABN, assuming they have one. That will then instantly verify the ABN and GST status whilst also providing us with the pre-population of some of their details using data straight from the ABR. From there, we have three verification methods which can be used to verify that supplier’s banking details to ensure they are correct before they are even provided back to you and your team. So the first one is that cross-match I mentioned earlier. If they are already in our database, we can cross-match with what has been verified previously and what our other customers are paying. If they’re not in our database, we have the capability to directly verify through their bank with our unique bank link where they can actually select the bank they bank with and we can directly extract their BSB account number, account name straight out of their bank. So no manual data entry or human error at all.
The information goes straight from their bank to us. It’s only if we can’t use one of those two methods that we then use our own independent phone call verification, where our team here at Eftsure of highly trained verification specialists, who have undergone stringent fraud detection training, will independently source the phone number of your supplier to ensure we’re not relying on anything from an email or invoice that could be corrupted. But also, across all three of our verification methods, we’re also tracking things like the IP address of the supplier, so we can see their location, we can see if they’ve used a VPN, we check when their web domain was registered to make sure it’s not a spoof impersonating a supplier. So a number of additional checks for every verification that really no AP team in the country has the ability or resources to do, to ensure you have that ultimate level of security for all these verifications. And then after we’ve done all this for you in the background, we provide you and your team with a full breakdown and summary in our portal of all the vendor’s information and the relevant verification status, which you can then review, approve, and then directly download into your ERP without having to manually enter those details, as of course, manual labour can increase that risk of a human error occurring as well.
So this is all done, as you can imagine, to provide a comprehensive solution to ensure you’re protected end-to-end at any point where fraud can occur. And with that in mind, we do have quite a proven track record of preventing some major frauds on behalf of our customers and clients. We do catch multiple frauds per week. And also from an efficiency perspective, by having these enhanced digital controls in place, it does actually save a lot of time for you and your team. We found about 28 minutes is saved for every supplier you onboard or change with us. And also about a minute per line item in your payment review, or an hour for every 60 line items, for example. And even some of our customers would even say it’s one and a half FTEs; they say 30 hours a month, five hours a week. And I guess depending on the type and shape and size of your organisation as well, those efficiencies can continue to grow. So from there, I’ll hand back over to Gavin, who will help wrap it up and put things all together from there.
Gavin: Thanks, Michael. I think really that brings us to the end. I see there are one or two questions. Niek, I can answer those questions because I can see them here. But really, just to acknowledge the following, which is if you want to know more about cyber-crime strategy, we’ve got this guide on our website. You can use the QR code, but quite simply go to Eftsure.com or Eftsure.com.au, they both work. Then just to acknowledge the work of Nigel Fair, who wrote this amazing book, Cybercrime in Australia, if you want to know more. In terms of the questions, and sorry, also just to thank the over 330 people who are still on this call, even though we’re getting to the end, I got a question which is someone wanted to know, what would happen? We get asked this a lot. What would happen if Eftsure gets hacked? There are a few points I want to make. Obviously, we are a security organisation, we’re ISO certified, it’s our business, we have to be careful. But we also don’t think we’re fireproof. That would be naive. And we know in cyber security, there’s no such thing as perfection.
So rather, what I’ll back that up with is saying we’re a messaging service, actually. We’re not a payment gateway. We monitor the payments, we enrich the data, and that produces the thumbs and the alerts that Michael said. In the highly unlikely event that someone got into our system, we would simply inform everyone to ignore the thumbs. That’s one thing we could do. The other thing is because our system is matching our database data with what’s in your VMF, your vendor master file, keeping those things in sync. If a hacker got in and started fiddling with our data, all that would happen is all your information would go red. Everything would go red. In other words, the system self-regulates and self-protects. So if you wanted… If that wasn’t clear, happy to take it offline, you can shoot me an email at Gavinl@eftsure.com or respond to one of our follow-up emails and we’ll provide more detail in that answer. But essentially, all that a hacker could do is change the data in our database and create more mismatches. What would happen is you’d get red thumbs, and the red thumbs say you don’t pay.
Moreover, we’d inform everyone to not trust our signal. There’s no commercial risk for our customers in that. The other question I got is why isn’t dual factor… I think the person means dual factor authentication, mandatory on our portal. We have to follow what our clients want. We recommend 2FA. Some customers choose other security measures like SSO instead of 2FA. We encourage everyone to use it and it’s available to all our customers. In terms of suppliers, well, we need the mobile numbers of suppliers to force suppliers using the portal, who are verifying through the portal, to turn on 2FA. Wherever possible, yes, but sometimes we can’t get the mobile information from our customers and our suppliers and so forth. So we turn it on wherever possible. Are there any other questions, Niek? Yeah, I got two more questions regarding suppliers overseas. So one is, does this service work for overseas suppliers? And the other one is the coverage for New Zealand suppliers. Let Michael take those. Do you want to answer those, Mike?
Michael: Yeah, of course. So in terms of New Zealand suppliers, we have actually launched our product in New Zealand as well. So we do provide full coverage over New Zealand. That’s not a problem at all. In terms of the international suppliers, we are expanding worldwide beyond just Australia and New Zealand. The onboarding forms, for example, that I mentioned as part of step two of our solution, those can be sent out to any supplier in the world, which can help automate and streamline the capturing of that data for you. In terms of the verification of those suppliers, we do have the ability to verify internationally. It’s currently to a limited number of predominantly English-speaking jurisdictions. So for example, the US, UK, Canada, Singapore, Philippines are a few. But we are constantly expanding that roadmap as well, as we expand internationally to more countries throughout China and Europe, Asia, and Europe as well, for example.
Gavin: And then there was one more question, a good question: what happens to a business if a business leaves Eftsure? What happens to their data? So we adhere to the highest standards of Australian privacy law. The relationship between that leaving business and its suppliers will leave with that business. We don’t retain the relationship and that data. If the data is cross-matched with what other Eftsure customers are doing, there’s no way to extract that. But the unique relationship a business has with its suppliers in terms of when, how, what it pays, that is protected both during the life of the business working with Eftsure and returned to them afterwards. But the cross-match data, the fact that a supplier was cross-matched, well, there’s no way of extracting that, and that would work against the solution itself. Michael, anything to add on that if I wasn’t comprehensive in that answer?
Michael: I think you hit the nail on the head. And we do. If there was an onboarding situation we can remove, well, we do, I should say, remove any confidential information that is strictly based on your organisation alone.
Niek: There are a few more questions. I can go through them. Yeah, you want to take those. Yeah. So I’ll start with the recording. Yes, we’ll send an email with the recordings. There will also be a link to the cyber security guide that Gavin has mentioned. And we will also include a documentary that Four Corners released two days ago going deeper into what happened in the Medibank hack. It’s quite interesting and it’s like a bit of a follow on of the content that we presented today. Now, I also got a question from William Rowland: Is your data encrypted and if so, where and how? Yes, it is encrypted. You can read more about that on Eftsure.com/security. That’s where all the security information is. If you want more information around the security, we are always happy to get you in contact with our dedicated security team. All our data is housed in Australia. Yeah. Then I think this one is for Michael, the best one to answer. With the International Supplier Verification, is that from Eftsure data or other external sources?
Michael: With the International Supplier Verifications, we are directly verifying with the suppliers themselves across border. We do even have a late-night verifications team who do actually work across time zones around the world to ensure we have that capability to directly verify with each of these suppliers themselves. Essentially, yes, it is Eftsure data that is being used because we’re verifying it ourselves directly with those suppliers.
Niek: Then I think Jeffrey had a good question, which really goes to show the strength of the database that is underlying Eftsure. When a supplier changes bank details, are all Eftsure clients notified?
Michael: I’m happy to run with that one. Basically, yes is the quick answer. That’s, as Niek mentioned, a real benefit, where we’ve had a myriad of instances where an organisation may not be aware someone’s changed their bank account, and they go to pay them into the same account they’ve always used. We actually issue them an alert to say, this account you’re paying is actually no longer valid for this supplier. Their account has been changed, which then allows that customer of ours to receive the updated information from that supplier and then pay the correct account going forward.
Niek: Then conversely, we keep a blacklist of fraudulent accounts, and the entire community of members and suppliers gets the benefit of that. Then William has a lot of good questions. Another one around privacy regulation, how it’s moving more to the EU type of regulation and how we are set up for that. Do you want to take that, Niek, around the? Obviously, we’ll be following all the privacy regulations that are there. I think we already would, we have our data ISO encryption, what was it again, 27001, that we comply with. Anything that becomes regulation, we’ll be complying with and do a bit more as well.
Gavin: We also take all privacy advice from Peter Leonard, who I would arguably say is the leading privacy authority on the law in Australia. But yes, it’s our business to keep up with that, and we will adhere to it as it evolves.
Niek: So, if you have very specific questions around privacy security and all of that, we can get you in touch with the experts on our side as well. So, yeah, that’s an option. Okay. I think those are all the questions that we’ve had come through. We’ll be sending the recordings over probably later today, so you can share that with your team and then take it from there.
So, if there’s nothing else… Thank you very much. We’ve been a bit over time but thank you for the time. Thank you, everyone. Yeah, have a great rest of the day. Thank you. Thank you. Bye.