Businesses must account for EOFY scams

Annual tax reporting, quarterly business activity statements, contract renewals, budget updates and meetings with accountants and advisors - the frenzy of business activity around the end of the financial year (EOFY) requires a great effort from professionals and businesses.


But the period also presents abundant opportunities for cyber criminals to launch scams.


Busy professionals facing an influx of calls, messages and emails around EOFY are often under pressure to act on things quickly, potentially overlooking inconsistencies or unusual requests in correspondence. This creates the perfect environment for scammers to hijack communication and gain unauthorised entry to business networks and systems.

Ever-growing reliance on technology and digitised business processes brings convenience and efficiency, but it also expands the digital ‘attack surface’ available to cyber criminals and so further increases the risk.

For most companies it's a question of when - not if - your organisation will experience a cyber attack.

In recent times, scammers have turned their attention to business email compromise (BEC), targeting transactions and payment systems because of the ease with which they can intercept business correspondence. Many of these compromised emails appear to come from existing suppliers, customers and even professional advisors such as accountants or lawyers, and request changes to account or payment details.

BEC is effective at provoking a response or action precisely because it contains no infected links or attachments, the things that antivirus software, spam filters and most observant recipients would detect.

In the 2019-20 financial year, 4,255 BEC scams were reported to the Australian Cyber Security Centre (ACSC), representing losses of over $A142 million. Scammers target businesses of all sizes with BEC; however, micro, small and medium businesses are frequently targeted because of their lower investment in security, lack of dedicated security staff and lower maturity of security controls.

BEC is one of the most common scam types targeting Australian businesses and can involve a range of email, instant message, SMS and social media tactics to exploit business processes and relationships to scam victims out of money or goods.

Some of the most common BEC scams include:

  • Impersonation scams - scammers masquerade as lawyers, executives or even Australian Tax Office representatives, requesting changes to payment or account details.
  • Invoice scams - fake or altered invoices for goods and services are delivered on behalf of trusted suppliers, exploiting the busy accounting period.
  • Finance scams - official-looking correspondence regarding bank accounts, fees and fines, transactions, renewals, the Australian Securities and Investments Commission or myGov notifications.

Scammers also know they don’t need to target businesses directly and the impacts on businesses caught up in supply chain or third party attacks can be just as debilitating. Subcontractors and vendors in business supply chains present myriad opportunities for scammers looking to exploit legitimate business processes and relationships for financial gain.

Despite their best efforts to stay secure and protected against external threats, we often see business customers caught out by BEC scams in which criminals impersonate trusted business partners or long-term suppliers.

No matter how robust an organisation’s security controls are, if it isn’t properly checking and validating email requests from all internal and external parties, it can easily fall victim to a BEC scam.

Responding to a threat

An ANZ customer received an email from a well-known offshore supplier requesting payment to a new account in the name of a sister company. The email advice included a suite of what appeared to be legitimate documentation. This wasn’t an uncommon request given the supplier’s base jurisdiction, as company structures changed frequently. Given language differences, most correspondence with the supplier was in writing, usually over email. The customer didn’t call to check the request with the supplier and paid approximately $US30,000 to the new account.

ANZ identified the payment as potentially fraudulent because the beneficiary account had the same name as the supplier but a different number. The customer received an ANZ Falcon alert email, which prompted them to re-check the original email; they realised the sender’s email address was not consistent with previous correspondence. They called the supplier, who advised they hadn’t made any request to change account details. Ultimately, ANZ was able to retrieve the payment through the intermediary bank, and the funds were returned to the customer.

This customer had been targeted by phishing emails previously and was wary of cybersecurity threats; however, they didn’t expect something so sophisticated and tailored. The experience served as a stark reminder that nothing should be taken at face value and that everything should go through rigorous validation and due diligence processes.

To bolster their defence against cyber threats, the customer introduced additional security controls:

  • Tightened verification processes and approval requirements (including sign-off from supplier relations contacts as well as the finance team)
  • Phone call verification requirement for all account change requests
  • Multi-Factor Authentication (MFA) within the business
  • Additional cyber insurance
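As an added example that is not ANZ’s code or part of the original article, the following Python sketch applies the two warning signs from the case above (a known supplier name with a different account number, and a sender address that does not match previous correspondence) together with the customer’s rule that every account change must be confirmed by phone. The supplier record, email addresses and phone number are constructed placeholders; the key check is that only a call to the number already on file counts as verification.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed supplier master record (hypothetical supplier, addresses and number).
SUPPLIERS = {
    "Acme Components Ltd": {
        "account": "123456-7890",
        "known_senders": {"accounts@acme-components.example"},
        "phone_on_file": "+61-2-0000-0000",  # placeholder number held on file
    }
}


@dataclass
class ChangeRequest:
    """An emailed request to pay an existing supplier into a new account."""
    supplier_name: str
    sender_email: str
    new_account: str
    # Number the accounts team actually called back, if they called at all.
    callback_number: Optional[str] = None


def assess_change_request(req, suppliers=SUPPLIERS):
    """Return (decision, reasons); decision is 'pay', 'hold' or 'reject'."""
    record = suppliers.get(req.supplier_name)
    if record is None:
        return "reject", ["supplier not in master record"]
    reasons = []
    if req.sender_email.lower() not in record["known_senders"]:
        reasons.append("sender address differs from previous correspondence")
    if req.new_account != record["account"]:
        reasons.append("account number changed for an existing supplier name")
    if not reasons:
        return "pay", []
    # Out-of-band check: only a call to the number already on file counts.
    # A number quoted in the request itself may belong to the scammer.
    if req.callback_number == record["phone_on_file"]:
        return "pay", reasons + ["change confirmed by phone on the number on file"]
    return "hold", reasons + ["hold until confirmed by phone on the number on file"]
```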

There are a few simple steps businesses can take to improve their security defences, including building a human firewall and making an organisation-wide “PACT” around security. PACT means:

Pause before sharing your sensitive information:

  • Does your organisation have an information classification approach?
  • Do employees understand what can be shared with whom and through which channels?

Activate two or more layers of security:

  • Turn on MFA for important tools like remote access systems and resources including cloud services.
  • Control access to systems and information.
  • Apply checks and validation processes to accounts payable functions.
  • Apply a Virtual Private Network (VPN) to create an encrypted network connection.

Call out suspicious messages:

  • Staff need an easy way to report concerns so they can respond quickly to events.
  • Make sure employees know what to do if their device is lost or stolen or they experience a cyber or information security incident.

Turn on automatic software updates:

  • Ensure your systems and applications, including Virtual Private Networks (VPNs) and firewalls, are up to date with the most recent security patches; this includes devices that staff use under Bring Your Own Device (BYOD) arrangements.
  • Whitelist software – ensure staff only use approved software and applications.

Employees can be a company’s most important defence in blocking cyber threats, so it’s important that people are able to identify and act on cyber threats and stay vigilant in both work and home environments.

Cosi De Angelis is General Manager for Transaction Banking & Asset Finance Solutions at ANZ

ANZ is committed to supporting customers to better understand security risks and help them defend against cyber threats. The ‘Simplifying Cyber for Business’ guide, available to commercial and private banking customers, refocuses cyber security at a business level and relates it back to customers in their everyday business operations. It is suitable for all levels of business customers and provides a range of tips to help detect and protect against key cyber threats.

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
