However, among the most commonly affected are small and medium enterprises, which often lack the level of sophistication required to combat even the most basic of threats.
In particular, internal finance divisions – the functional area where invoices and payments are channelled, the division responsible for your money – are frequently targeted, with scams fooling even the most seasoned of finance professionals. While vigilance is critical, it’s no longer sufficient to protect your organisation from cyber theft.
According to the Australian Cybercrime Online Reporting Network (ACORN), in 2017 false billing was among the top three scams in Australia, representing an annual increase of 324% and, according to Scamwatch, responsible for $22.1 million in false transfers. Pitcher Partners believes this is just the tip of the iceberg.
Below are two prominent scams to be aware of.
Payment redirection scams
Using information obtained directly by hacking you, or indirectly by hacking your supplier’s computer systems, a scammer poses as a regular supplier, informing you their banking details have changed. These requests often appear genuine, including branding and templates that make it difficult to distinguish from a legitimate request.
The scammers provide new bank account details and request that future payments be sent there. In more sophisticated instances, scammers intercept legitimate invoices in email transit and replace them with an invoice carrying altered account details. Unfortunately, this type of scam is often only detected when the supplier chases the overdue payment.
Perhaps more worrying is when personnel from your organisation are hacked and their email account used to submit illegitimate invoices with scammers’ account details to accounts payable. Sophisticated scammers may even state in the email that the change of bank details has been checked and validated. While it sounds like the plot of a movie, it’s a reality for a growing number of organisations today.
Keyloggers
Keyloggers are used primarily to steal usernames, passwords and other confidential information. With your bank access details, cybercriminals can create or alter payment requests or even authorise transactions.
But how do they get access to your system in the first place? This can occur simply by clicking a link or opening a malicious document or website that delivers malware. Documents may appear legitimate, as though produced by an accounting package such as MYOB, Xero or QuickBooks. While this type of threat has implications for all personnel within an organisation, scammers often target generic accounts payable mailboxes and accounts payable staff, making it important for those teams in particular to remain aware and vigilant.
To protect your firm, suppliers, clients and personnel, Pitcher Partners recommends developing and implementing a cybersecurity policy encompassing protocols, procedures, monitoring and training to reduce the likelihood of cyberattacks penetrating your systems.
A robust approach to cybersecurity involves planning, ongoing training, maintenance, monitoring and more. For guidance or assistance with your unique cybersecurity needs contact Pitcher Partners for a confidential discussion.