Criminals are getting more sophisticated in the tactics they’re utilising to defraud businesses.
A scam where criminals impersonate the email accounts of Chief Executives was announced to have cost global businesses more than $US2 billion in little over two years according to the FBI.
Recently, a client of ours was also caught out by this attack which cost them around $90,000, as well as a significant administrative impost. Fortunately, the client in question had the correct insurance coverage in place to recoup their losses.
In this month’s blog, we’re going to outline how to prevent and avoid fraudulent accounts payable scams so you can protect your business from these increasingly sophisticated threats.
No more Nigerian prince
Officials are calling this a cyber security attack, and it is more sophisticated than what businesses have previously been facing. However, it's nothing a strong business process can't prevent.
Perpetrators of the scam gain access to your business email account and watch your activity for a number of weeks. Gradually they build a profile of who you are as a business owner, how you speak, and who your suppliers are.
Then, they simply write an email:
We’ve made some changes to our invoicing system. Could you please deposit all future payments in the following account [account number].
As the FBI’s figures suggest, this is immensely effective and scammers are now putting in a lot of work to ensure they’re able to mimic your writing style as closely as possible.
While the email breach is clearly a cyber-attack, this threat more heavily relies on social engineering to scam the business. If you’re unaware of this phenomenon I suggest watching the following video.
Nobody thinks they'll fall for an attack like this, but you're just as likely to contribute to the $2bn in losses as any other Australian business.
How can I protect my business moving forward?
This scam is defined as a "cyber-attack", and yet all of the controls listed below have nothing to do with your IT system. Of course, regular threat assessments of your IT systems should also form part of your overall cyber risk mitigation strategy.
There are four key areas you need to evaluate to protect your organisation from this threat.
- Ensure you’ve implemented a robust accounts payable process which guarantees separation of duties around vendor account setup and payment approvals.
- Develop a formalised process for banking. If a supplier is requesting a change of bank account details, there should be a formal process you follow to verify the change with the supplier directly, not just by email.
- Embed a business culture where people are unafraid to stand up and argue for the processes that you’ve implemented. Don’t accept short-cuts, particularly those from people in positions of authority.
- Review whether your insurance coverage is fit for purpose.
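As an added example, which is not Victual's code and not part of the original post, the following Python sketch shows how an accounts payable system can enforce the first two controls above: a bank-detail change requested by email is held until someone other than the requester has confirmed it by calling the number already on file for the supplier (never a number supplied in the email), a third person approves it, and no payment is released to an account that does not match the vendor master. The vendor name, account numbers and phone numbers are constructed placeholders.

```python
"""Vendor bank-detail change workflow with separation of duties and an
out-of-band callback check. Added illustration; all vendor data is constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Vendor:
    name: str
    bank_account: str
    phone_on_file: str  # taken from the vendor master, never from an incoming email


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    requested_by: str
    source: str  # e.g. "email": recorded so auditors can see where the request came from
    verified_by: Optional[str] = None
    approved_by: Optional[str] = None
    status: str = "pending"


class AccountsPayable:
    def __init__(self, vendors: List[Vendor]):
        self.vendors = {v.name: v for v in vendors}
        self.audit: List[str] = []

    def _log(self, msg: str) -> None:
        self.audit.append(msg)

    def request_bank_change(self, vendor: str, new_account: str,
                            requested_by: str, source: str) -> Optional[BankChangeRequest]:
        """Log the request; nothing changes in the vendor master yet."""
        if vendor not in self.vendors:
            return None
        req = BankChangeRequest(vendor, new_account, requested_by, source)
        self._log(f"bank change for {vendor} requested by {requested_by} via {source}")
        return req

    def record_callback(self, req: BankChangeRequest, verified_by: str,
                        phone_dialled: str) -> str:
        """Out-of-band check: a second person rings the number already on file."""
        if verified_by == req.requested_by:
            return "rejected: verifier must differ from requester"
        if phone_dialled != self.vendors[req.vendor].phone_on_file:
            return "rejected: callback must use the number on file, not one from the email"
        req.verified_by = verified_by
        req.status = "verified"
        self._log(f"{verified_by} confirmed change for {req.vendor} by phone")
        return "verified"

    def approve_bank_change(self, req: BankChangeRequest, approved_by: str) -> str:
        """Only a verified request, approved by a third person, updates the master."""
        if req.status != "verified":
            return "rejected: no out-of-band verification recorded"
        if approved_by in (req.requested_by, req.verified_by):
            return "rejected: approver must differ from requester and verifier"
        self.vendors[req.vendor].bank_account = req.new_account
        req.approved_by = approved_by
        req.status = "approved"
        self._log(f"{approved_by} approved new account for {req.vendor}")
        return "approved"

    def release_payment(self, vendor: str, amount: float, account: str) -> str:
        """Payments only go to the account currently held in the vendor master."""
        if account != self.vendors[vendor].bank_account:
            self._log(f"held payment of {amount} to {vendor}: account mismatch")
            return "held: account does not match vendor master"
        self._log(f"released {amount} to {vendor}")
        return "released"


if __name__ == "__main__":
    # Constructed scenario: an emailed "we've changed our bank" request.
    ap = AccountsPayable([Vendor("Acme Supplies", "BSB 000-000 ACC 11111111", "+61 2 0000 0000")])
    req = ap.request_bank_change("Acme Supplies", "BSB 999-999 ACC 22222222", "alice", "email")
    print(ap.release_payment("Acme Supplies", 90000, "BSB 999-999 ACC 22222222"))  # held
    print(ap.record_callback(req, "bob", "+61 2 0000 0000"))                        # verified
    print(ap.approve_bank_change(req, "carol"))                                      # approved
    print("\n".join(ap.audit))
```

The point of the model is that the emailed request can only ever create a pending record; the vendor master changes when two other people have independently done their part, and the payment run refuses anything that disagrees with the master.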
The last step is critical as it serves as your last line of defence.
The client I mentioned earlier was able to recoup the full amount of money lost via the scam because we ensured they had sufficient protection – do you?
The most important part of protecting your business is ensuring there is a robust process for managing financials. I've been in clients' offices and seen invoices come across their desks for false magazine subscriptions. Often they're only $40 and people will just pay them, but what happens when it's more money? Don't set a dangerous precedent in your business.
At Victual, our extensive risk library provides a process and solution for managing these types of risks to your organisation. We also assist companies to build processes which make these types of attacks far less effective.
Remember, many of the controls for these types of attacks have nothing to do with enhanced cyber security! Fraudulent scams directed at accounts receivable have always been around, but now the stakes are higher! If you're concerned about your current financial processes or insurance packages, get in touch with the Victual team today.