Is Your Company Vulnerable to Account Change Fraud?
As published in IT News, a business in South Australia has been relieved of $1,500,000 as the result of a concentrated yet straightforward fraud operation run by overseas attackers.
Two other companies have also been targeted to the value of more than $400,000 but those funds were prevented from leaving the country.
South Australian police issued a warning to businesses after the victim was targeted by a spear phishing campaign that gave the attackers access to company mailboxes, which they read to learn how the business dealt with its suppliers and who approved payments. Once they knew enough, they executed an Account Change fraud: by email, phone and post they impersonated a key supplier, advised the target that the supplier's bank account details had changed, and requested that outstanding invoices be paid to the new account.
The fraud was successful and resulted in the payment of the money to an Australian bank account where an accomplice known as a “money mule” then arranged an international transfer.
Although the fraud could have been stopped at several layers of IT, the final failure was a human one. Accounts Payable policies in many Australian businesses have not kept pace with the sophistication of attackers, so the one control that would have defeated this scam was never applied: a phone call to a known contact at the supplier, on the number already held on file (never a number supplied in the change request itself), before any bank details were altered. The attackers presented a credible front, and that was the final piece of the scam that made them millionaires.
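The following is an added example of the missing control, not code from the article or from any vendor's product. It encodes a hold-and-verify gate for supplier bank-detail change requests: every request is held, the sender domain is compared with the domain on file (including look-alike spellings), any callback number offered in the request is ignored, and the change can only be applied once confirmation is recorded as having come via the phone number captured at onboarding. The vendor record, e-mail address, phone numbers and bank details are constructed sample data.

```python
"""Added example: hold-and-verify gate for supplier bank-detail changes.

Hypothetical Accounts Payable control. All vendor data below is constructed.
Rule: a change is never applied on the strength of the request itself; it is
held until confirmed by phone on the number already on file for the supplier,
never on a number supplied in the request.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    name: str
    email_domain: str    # domain the supplier has always mailed from
    phone_on_file: str   # captured at onboarding; the only valid callback number
    bsb: str
    account: str


@dataclass
class ChangeRequest:
    vendor_id: str
    sender_email: str
    new_bsb: str
    new_account: str
    callback_number: Optional[str] = None  # number the requester asks us to ring


# Constructed vendor master with one legitimate supplier (sample data).
VENDOR_MASTER = {
    "V-1001": VendorRecord("V-1001", "Acme Supplies Pty Ltd", "acmesupplies.com.au",
                           "+61 8 5550 0100", "065-000", "12345678"),
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_change_request(req: ChangeRequest, master=VENDOR_MASTER) -> dict:
    """Decide what AP must do with the request and why.

    Every genuine change is held; the reasons only change what the clerk is told.
    """
    vendor = master.get(req.vendor_id)
    if vendor is None:
        return {"action": "reject", "reasons": ["unknown vendor"]}
    reasons = []
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain:
        dist = edit_distance(sender_domain, vendor.email_domain)
        if dist <= 2:
            reasons.append(f"look-alike sender domain {sender_domain!r} (edit distance {dist})")
        else:
            reasons.append(f"sender domain {sender_domain!r} does not match vendor domain")
    if req.callback_number and req.callback_number != vendor.phone_on_file:
        reasons.append("request supplies its own callback number; ignore it")
    if (req.new_bsb, req.new_account) == (vendor.bsb, vendor.account):
        reasons.append("bank details unchanged; nothing to do")
        return {"action": "ignore", "reasons": reasons}
    reasons.append(f"ring {vendor.phone_on_file} (number on file) to confirm before paying")
    return {"action": "hold", "reasons": reasons, "verify_via": vendor.phone_on_file}


def apply_change(req: ChangeRequest, phone_confirmed_on: str,
                 master=VENDOR_MASTER) -> Optional[VendorRecord]:
    """Apply the change only if confirmation came via the number on file."""
    vendor = master.get(req.vendor_id)
    if vendor is None or phone_confirmed_on != vendor.phone_on_file:
        return None  # confirmation on any other number does not count
    updated = VendorRecord(vendor.vendor_id, vendor.name, vendor.email_domain,
                           vendor.phone_on_file, req.new_bsb, req.new_account)
    master[req.vendor_id] = updated
    return updated


if __name__ == "__main__":
    # Constructed request: look-alike domain ("1" for "l") and its own callback number.
    req = ChangeRequest("V-1001", "accounts@acmesupp1ies.com.au", "012-345", "99887766",
                        callback_number="+61 4 5550 0999")
    print(assess_change_request(req))
    print(apply_change(req, "+61 4 5550 0999"))  # None: wrong number, change refused
```

The design point is that the callback number comes from the vendor master, not from the request: an attacker who controls the supplier's mailbox can write anything in the email, but cannot answer the phone on file.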
April 2021 Update – Business Scams Cost Australian Businesses Millions
Things haven’t changed much since October 2016 – business scams remain an effective tool in the hands of malicious actors.
The “Targeting scams 2019” report by the Australian Competition & Consumer Commission (ACCC) states that Business Email Compromise (BEC) caused reported losses of $132 million in 2019, the largest losses of any scam type that year. Account change fraud is one of the most common forms of BEC: scammers email a business, often impersonating one of its suppliers, and request that future payments go to a new bank account.
The 2019 figure was a significant increase on the more than $60 million in reported BEC losses in 2018, which in turn was up from over $22.1 million in 2017.
In the 2019-20 financial year, ACSC’s ReportCyber tool reported 4,255 BEC scams, with total losses exceeding $142 million.
With all that in mind, Business Email Compromise is likely to grow even further. Worse, scammers appear to be employing the latest technologies to make more sophisticated schemes.
In this regard, ACCC warns about the potential dangers of emerging technologies, particularly deepfakes. Deepfakes are replications of a person – in photo, video, or audio – generated by artificial intelligence (AI) algorithms.
Co-founder and CEO of cybersecurity firm Tessian Tim Sadler remarked in 2020 that deepfakes open the door for cybercriminals to impersonate executives. Given how convincing deepfakes have become already, they pose an increasing concern for cybersecurity experts.
Deepfakes have already been used by criminals at least once. In March 2019, fraudsters used AI-generated audio to mimic the voice of the chief executive of a UK energy firm’s German parent company and persuaded the UK firm’s CEO to transfer €220,000 to a supposed supplier.
Business scams aren’t only targeted at CEOs; they can attempt to deceive lower-profile employees as well. A compromise even at the level of reception staff can cost you millions, so it’s important to identify the vulnerable links in your team and address them quickly.
Does your company need to update its Accounts Payable policy?