Powered by MOMENTUM MEDIA

Accountants, finance professionals a top target for cyber criminals

Technology
21 February 2024

Cybercriminals, many of whom appear to have a "fairly extensive" understanding of accounting processes, are tailoring their attacks towards accounting professionals.

In 2023, a “strange gap” emerged which saw Australian businesses spending record amounts on cybersecurity, while the losses to cybercrime increased substantially, said Shanna Hall, senior content marketing manager at Eftsure.

The problem is often a lack of alignment between cybersecurity and anti-fraud procedures within finance and AP teams. Organisations are delegating their cybersecurity efforts to an IT or security team while overlooking the vulnerabilities of AP and finance professionals.

“The reality is that, when it comes to cybercrime, AP and finance professionals are the ones who are on the front lines…and many of them are not trained in cybersecurity,” said Ms Hall.


Given their access to sensitive financial information, accountants are among those most frequently targeted by cybercriminals.

According to the Australian Cyber Security Centre, cybercrime costs small accounting practices an average of $39,000 per year while the figures are as high as $88,000 and $62,233 for medium-sized and larger practices, respectively.

Business email compromise scams are often “tailor-made” for accountants, said Ms Hall. In the first half of 2022 alone, the ACCC received reports of 11,395 incidents of business email compromise scams costing a total of $12.3 million.

“A lot of the time, we see financial documents forged with alarming authenticity, they look very realistic and these are usually perpetuated by people who have a really strong understanding of what an accountant’s day-to-day work is like,” said Ms Hall.

The number of reported false billing scams increased from 27,489 in 2022 to 39,588 in 2023. Over the same period, however, the total amount lost to those scams only increased from approximately $25 million to $28 million.

When asked about the figures, Ms Hall cautioned against taking cybercrime reports too seriously.

In the past year alone, Eftsure said it had thwarted approximately 50 million attempted frauds among its customer base, marking a “pretty significant increase compared to the previous year.”

Ms Hall added that the amounts lost to these attacks also increased substantially, meaning the declining loss amounts are “not completely consistent with what we’ve seen happening on the ground.”

“Businesses, both customers and otherwise, are really, really hesitant to talk about fraud, even fraud attempts. There’s a lot of stigma around being scammed and losing money to fraud,” she added.

A survey conducted by Eftsure revealed that only 50 per cent of finance leaders who experienced fraud said they reported it to their banks, and 25 per cent said they were unsure where they reported it.

“It’s hard to know whether [declining loss amounts] are related to people not knowing where to report fraud or else not wanting to report it, especially after the backlash faced by organisations like Medibank and Optus,” said Ms Hall.

While confusion and fear of reputational damage are contributing to underreporting of cybercrime, often it comes down to organisations “having bigger fish to fry.”

“Often, they feel as though the ship has already sailed and then the incentives to report or be transparent diminish a little bit,” she said.

Broader use of developing generative AI is making an already bad situation worse. While it does have some uses in preventing cybercrime – notably in helping flag suspicious activity that might escape human detection – few organisations are taking the steps towards putting it in place.

“I definitely think the tech can help – a kind of fire-with-fire. But it’s a matter of organisations updating their control procedures and their tech stacks to reflect that, which we haven’t seen as much,” she explained.

Developments in scams directed towards suppliers and target organisations have been particularly startling, said Ms Hall.

Where previously scams tended to involve one-off emails requesting, for instance, financial information from a target while pretending to be the supplier organisation, scammers are now investing weeks and even months in building these relationships.

“They’ll sit there orchestrating email chains and communication until they can really get in with an organic request to get someone to click on something or get them to change payment details or authorize a certain payment,” said Ms Hall.

And training can only do so much, she added, citing the example of a finance worker in Hong Kong who flagged an email requesting authorization for payment as suspicious. The worker then video called his co-workers and manager, who urged him to authorize the payment.

“So he authorized it, and it turned out that those were deepfaked videos of his co-workers and managers,” said Ms Hall.

“Even with more awareness around phishing emails and knowing if you get a dodgy email with lots of typos, maybe you should treat it more suspiciously. But what do you do when you get a [fake] video call from your boss asking you to authorize the transaction?”
