Earlier this month the Australian Cyber Security Centre (ACSC) released its Annual Cyber Threat Report 2020-21. It found that business email compromise (BEC) scams rated as one of the top cybercrime categories, describing them as “sophisticated, insidious and growing as a threat to Australian organisations.”
What were ACSC’s BEC findings?
In relation to BEC events, ACSC found:
• The average loss per successful BEC attack was $50,600, up 54% on FY 2019-20
• $81 million was lost due to BEC
• More than 4,600 BEC scams were reported
ACSC received over 67,500 cybercrime reports in 2020-21, which was an increase of nearly 13 per cent from the previous financial year. This was largely due to the pandemic sending more people online and increasing opportunities for cyberattacks.
How do BEC scams work?
Cybercriminals compromise the email and IT systems of legitimate businesses. Using spyware, they observe company transactions, activities, and communications to identify opportunities for attack. Increased sophistication and careful premeditation have made BEC attacks both more successful and more lucrative.
Following their surveillance work, the cybercriminals will find a target to impersonate over email. This could be a senior figure in the company, such as the chief executive officer, or a business partner, such as an important supplier. The cybercriminals will then either send emails from the compromised accounts of their targets or create lookalike fake email accounts to impersonate them.
The scammers will then email company personnel with changes to banking details or requests for urgent payments to be made. Employees think they are communicating with a trusted associate when in fact they are being scammed. Often, they only become aware that they have been defrauded when the rightful recipient complains they have not been paid.
What form may BEC scams take?
ACSC identifies three common types of BEC:
• Invoice fraud – Criminals compromise a vendor’s email account and change banking details on genuine invoices to re-direct payment to their own accounts.
• Employee impersonation – Urgent email requests purporting to be from the chief executive officer or other senior leaders for specific payments to be made immediately – in fact, neither the payment nor the request is legitimate. Similarly, a cybercriminal may send a fake email instruction to change an employee’s banking details so their salary is re-directed to the fraudster’s account.
• Company impersonation – Cybercriminals may impersonate companies and order expensive goods for delivery to a specified location. The supplier then invoices the real company unaware that they have been scammed.
How to protect against BEC attacks?
While organisations should take measures to monitor and protect their email communications, educating staff to be vigilant to this type of threat and simultaneously addressing poor business processes may be more effective at preventing this type of scam.
For example, entities that process a large volume of invoices manually are the most vulnerable to payment fraud, as their accounts payable departments may be relatively chaotic. As a result, it may be more difficult to spot suspicious transactions.
How does AP automation prevent invoice fraud?
An accounts payable automation solution carries out routine checks on all incoming invoices. The system’s Optical Character Recognition (OCR) software extracts, validates, and processes data from invoices that suppliers have emailed, before triggering the appropriate approval workflow.
These verification measures include:
• Searching for any duplicates already in the automation solution or finance system and not re-processing these payables, except if the original is marked ‘Rejected’.
• Cross-checking the supplier’s ABN on the invoice with the Australian Business Register to ensure the supplier is a genuine business.
• Verifying that the payment details on the invoice match those held in the supplier master data files.
• Validating with the ATO that the supplier is registered for GST if it’s included on the invoice.
• Carrying out two-way or three-way matching of purchase order invoices with the purchase order and goods receipt note to ensure correct delivery prior to payment.
If any of these verification checks fail, the solution triggers an exception, putting a hold on the processing of the payable.
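As an added illustration (not code from this page or from any vendor's product), the checks listed above as one Python function run over constructed sample data. The ABN check-digit rule published by the ATO stands in for the online Australian Business Register lookup, and the supplier master file, purchase orders, goods receipts and processed-invoice register are assumed in-memory stand-ins for the finance system.

```python
from dataclasses import dataclass
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)

def abn_checksum_ok(abn: str) -> bool:
    """ATO check-digit rule: first digit minus 1, weighted sum of 11 digits divisible by 89."""
    digits = [int(c) for c in abn if c.isdigit()]
    if len(digits) != 11:
        return False
    digits[0] -= 1
    return sum(d * w for d, w in zip(digits, ABN_WEIGHTS)) % 89 == 0

@dataclass
class Invoice:
    number: str
    abn: str
    bsb: str
    account: str
    po_number: str
    amount: float
    gst: float

# Constructed sample data: supplier master file, purchase orders, goods
# receipts and the processed-invoice register (stand-ins for the finance system).
SUPPLIER_MASTER = {"51824753556": {"bsb": "062-000", "account": "12345678", "gst": True}}
PURCHASE_ORDERS = {"PO-1001": 1100.0}
GOODS_RECEIPTS = {"PO-1001": 1100.0}
PROCESSED = {"INV-7": "Approved", "INV-8": "Rejected"}

def verify_invoice(inv: Invoice) -> list:
    """Return the list of failed checks; an empty list means the invoice may proceed."""
    issues = []
    # Duplicate: do not re-process unless the earlier copy was rejected
    if PROCESSED.get(inv.number) not in (None, "Rejected"):
        issues.append("duplicate")
    # ABN: the offline checksum stands in for the Australian Business Register lookup
    supplier = SUPPLIER_MASTER.get(inv.abn)
    if not abn_checksum_ok(inv.abn) or supplier is None:
        return issues + ["unknown_supplier"]
    # Bank details must match supplier master data, the core invoice-fraud check
    if (inv.bsb, inv.account) != (supplier["bsb"], supplier["account"]):
        issues.append("bank_details_mismatch")
    # GST may only be charged by a GST-registered supplier
    if inv.gst > 0 and not supplier["gst"]:
        issues.append("gst_not_registered")
    # Three-way match: invoice amount == purchase order amount == goods receipt amount
    po, grn = PURCHASE_ORDERS.get(inv.po_number), GOODS_RECEIPTS.get(inv.po_number)
    if po is None or grn is None or not (inv.amount == po == grn):
        issues.append("three_way_match_failed")
    return issues
```

Any non-empty result is the exception that places the payable on hold; the bank-details mismatch is the one a changed-invoice BEC would trip.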
Automation frees up capacity for accounts payable staff, giving them the time to telephone suppliers or colleagues and verify that any change instructions delivered over email are legitimate.
Further, with accounts payable in good order and payments consistently made on time, any sudden payment requests are likely to look suspicious, warranting further investigation before they are actioned.
It’s time to e-invoice
The increase in BEC scams highlights the fact that email is an insecure channel that is frequently compromised. Therefore, it’s not the best way for businesses to transact, particularly as cybercriminals have become more sophisticated in their deceptions.
Email is now also an outdated way of exchanging payables data, as Australia has rolled out Peppol, which is the national e-invoicing standard and framework. Peppol allows the exchange of procurement documents in a computer-readable format from one finance system to another via its secure, encrypted network.
Businesses need to register with a Peppol access point service provider and be authenticated by them to be able to send or receive e-invoices, making it very difficult for cybercriminals to infiltrate the network. This makes it a safer – as well as significantly more efficient – means of transacting.
In the last financial year, BEC events increased with ACSC identifying this type of scam as a growing threat to Australian businesses.
While email security and staff vigilance are important lines of defence, deploying an accounts payable automation solution offers significant protection via in-built security checks and by freeing up time for accounts payable staff to verify any changes received over email.
In time, using email to send invoices will become obsolete as Australia has a national e-invoicing standard and framework in place. Forward-thinking companies may want to transition to Peppol e-invoicing now, and safeguard against the threat of a BEC attack.