08 Oct 2018
Annual tax reporting, quarterly business activity statements, contract renewals, budget updates and meetings with accountants and advisors - the frenzy of business activity around the end of the financial year (EOFY) requires a great effort from professionals and businesses.
But the period also presents abundant opportunities for cyber criminals to launch scams.
Busy professionals facing an influx of calls, messages and emails around EOFY are often under pressure to act on things quickly, potentially overlooking inconsistencies or unusual requests in correspondence. This creates the perfect environment for scammers to hijack communication and gain unauthorised entry to business networks and systems.
Ever growing reliance on technology and digitised business processes further increases the risk, despite the convenience and efficiency, expanding the digital ‘attack surface’ available to cyber criminals.
For most companies it's a question of when - not if - your organisation will experience a cyber attack.
In recent times, scammers have turned their attention to business email compromise (BEC), targeting transactions and payment systems because of the ease with which they can intercept business correspondence. Many of these compromised emails appear to come from existing suppliers, customers and even professional advisors such as accountants or lawyers, and request changes to account or payment details.
BEC is effective at evoking a response or call to action without including infected links or attachments, which antivirus software, spam filters and observant recipients can detect.
In the 2019-20 financial year, 4,255 BEC scams were reported to the Australian Cyber Security Centre (ACSC), representing losses of over $A142 million. Scammers target businesses of all sizes with BEC; however, micro, small and medium businesses are frequently targeted because of their lower investment in security, lack of dedicated security staff and lower maturity of security controls.
BEC is one of the most common scam types targeting Australian businesses and can involve a range of email, instant message, SMS and social media tactics to exploit business processes and relationships to scam victims out of money or goods.
Some of the most common BEC scams include:
Scammers also know they don’t need to target businesses directly and the impacts on businesses caught up in supply chain or third party attacks can be just as debilitating. Subcontractors and vendors in business supply chains present myriad opportunities for scammers looking to exploit legitimate business processes and relationships for financial gain.
Despite their best efforts to stay secure and protected against external threats, we often see business customers being caught out by BEC scams where criminals impersonate trusted business partners or long-term suppliers.
It doesn’t matter how robust an organisation’s security controls are, if they aren’t properly checking and validating email requests from all internal and external parties, they can easily fall victim to a BEC scam.
Responding to a threat
An ANZ customer received an email from a well-known offshore supplier requesting payment to a new account in the name of a sister company. The email advice included a suite of what appeared to be legitimate documentation. This wasn’t an uncommon request given the supplier’s base jurisdiction, as company structures changed frequently. Given language differences, most correspondence with the supplier was in writing, usually over email. The customer didn’t call to check the request with the supplier and paid approximately $US30,000 to the new account.
ANZ identified the payment as potentially fraudulent because the destination account had the same name as the supplier but a different number. The customer received an ANZ Falcon alert email, prompting them to re-check the original email; they realised the sender address was not consistent with previous correspondence. They called the supplier, who advised they hadn't made any request to change account details. Ultimately, ANZ was able to retrieve the payment through the intermediary bank, and the funds were returned to the customer.
This customer had been targeted by phishing emails previously and was wary of cybersecurity threats; however, they didn't expect something so sophisticated and tailored. The experience served as a stark reminder that nothing should be taken at face value, and that everything should go through rigorous validation and due diligence processes.
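The two signals that caught this payment (a payee whose name matches a known supplier but whose account number differs, and a sender address that does not match prior correspondence) can be turned into a pre-payment check in the accounts team's own workflow. The following is an added example, not ANZ's Falcon system or any ANZ code; the supplier records, email addresses and account numbers are constructed placeholders.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    """Supplier master record held by the paying business (constructed data)."""
    name: str
    email: str
    account_number: str


@dataclass(frozen=True)
class PaymentRequest:
    """A payment request as received by email (constructed data)."""
    payee_name: str
    sender_email: str
    account_number: str
    amount: float


def normalise_name(name: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so that
    'Example Offshore Supplier Pty. Ltd' and 'example offshore supplier pty ltd' match."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def sender_domain(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def build_supplier_index(suppliers):
    """Index the supplier master file by normalised name."""
    return {normalise_name(s.name): s for s in suppliers}


def check_request(req: PaymentRequest, index) -> list:
    """Return the list of reasons this request must be verified by phone before payment.
    An empty list means the request matches the supplier record on file."""
    reasons = []
    supplier = index.get(normalise_name(req.payee_name))
    if supplier is None:
        # Unknown payee: no record to compare against, so it needs onboarding checks.
        reasons.append("payee not in supplier master file")
        return reasons
    if req.account_number.replace("-", "") != supplier.account_number.replace("-", ""):
        # Same payee name, different account number: the pattern in the case above.
        reasons.append("account number differs from supplier record")
    if sender_domain(req.sender_email) != sender_domain(supplier.email):
        # Look-alike or unrelated domain sending on the supplier's behalf.
        reasons.append("sender domain differs from supplier record")
    elif req.sender_email.lower() != supplier.email.lower():
        # Right domain, but not the mailbox we normally deal with.
        reasons.append("sender mailbox differs from supplier record")
    return reasons


def requires_callback(req: PaymentRequest, index) -> bool:
    """True when the request should be held until confirmed on a phone number already on file."""
    return bool(check_request(req, index))


# Constructed supplier master file (hypothetical names, domains and account numbers).
SUPPLIER_INDEX = build_supplier_index([
    Supplier("Example Offshore Supplier Pty Ltd",
             "accounts@example-supplier.example", "12-3456"),
])

# Constructed request resembling the case above: same payee name, new account, different domain.
SUSPECT_REQUEST = PaymentRequest(
    payee_name="Example Offshore Supplier Pty. Ltd",
    sender_email="accounts@example-supplier-billing.example",
    account_number="98-7654",
    amount=30000.0,
)

# Constructed request that matches the record on file.
CLEAN_REQUEST = PaymentRequest(
    payee_name="Example Offshore Supplier Pty Ltd",
    sender_email="accounts@example-supplier.example",
    account_number="123456",
    amount=1500.0,
)


if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT_REQUEST), ("clean", CLEAN_REQUEST)):
        print(label, check_request(req, SUPPLIER_INDEX))
```

Any non-empty result should hold the payment until the supplier confirms the change by phone on a number already held on file, never one supplied in the email itself. The name normalisation is deliberately loose so that minor punctuation differences do not let a request slip past as an "unknown" payee.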
To bolster their defence against cyber threats, the customer introduced additional security controls:
There are a few simple steps businesses can take to improve their security defences, including building a human firewall and making an organisation-wide “PACT” around security. PACT means:
Pause before sharing your sensitive information:
Activate two or more layers of security:
Call out suspicious messages:
Turn on automatic software updates:
Employees can be a company's most important defence in blocking cyber threats, so it's important for people to be able to identify and act on cyber threats and to stay vigilant in both work and home environments.
Cosi De Angelis is General Manager for Transaction Banking & Asset Finance Solutions at ANZ
ANZ is committed to supporting customers to better understand security risks and help them defend against cyber threats. The ‘Simplifying Cyber for Business’ guide, available to commercial and private banking customers, refocuses cyber security at a business level and relates it back to customers in their everyday business operations. It is suitable for all levels of business customers and provides a range of tips to help detect and protect against key cyber threats.
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
12 Aug 2020