Powered by MOMENTUM MEDIA

Data breaches ‘nitrous oxide’ for scams, businesses warned

Technology
18 May 2023

A series of high-profile data breaches in recent months has accelerated scam activity for businesses, with finance teams on the frontline, a security software firm warns.

Cyber attacks impacting major companies in recent months, including Optus, Medibank and Latitude Financial, have led to a significant uptick in scams targeting businesses and accounts payable teams, according to Eftsure.

Eftsure chief growth officer Gavin Levinsohn said criminal networks have been leveraging the personal information obtained through these data breaches to create sophisticated payment scams between businesses and their suppliers.

“These data breaches, such as Optus, Medibank, Latitude Financial and I’m not going to be wrong in predicting there’s going to be more, are nitrous oxide, they are an accelerant for the volume and efficacy of scams. It means the fraudsters are now better at impersonating people,” said Mr Levinsohn.

Business email compromise is currently the most common method being used by fraudsters to target businesses, he said.

“That’s where the business is being impersonated by a fraudster to another business, likely their customer and they attempt to dupe a financial decision maker or accounts payable person into making a wrong payment,” he stated.

“This type of scam is growing every year. There are other payment diversion scams which are also growing. You sometimes see executive compromise and sometimes employees impersonated but the gorilla is still business email compromise.”

AI tools such as ChatGPT are also making it more efficient for criminals to leverage stolen data on the dark web and deploy schemes, according to Mr Levinsohn.

While it would be time-consuming for scammers to manually populate and enrich data across millions of records, cyber criminals are using AI tools such as ChatGPT to write Python scripts that let them extract data from the web more efficiently, he said.

“That’s how these criminals are enriching data across 11.2 million records,” he said.

Strategies for managing the threats

Mr Levinsohn said it is critical that chief financial officers and financial controllers work more closely as the threats continue to rise in this space.

“We need to bring the cyber and finance worlds more closely together. Finance needs to take some responsibility for cyber security strategy, they need to be closer to the CTO,” he said.

Inside the finance function of the business, there are five things that can be done.

“The first one is training and culture. Your staff need to know what to look for and these scams are changing all the time. There’s lots of free resources available on the internet including government entities and newsletters to help you keep up to date with what’s coming for you,” said Mr Levinsohn.

“On culture, we speak about having a high shame threshold and what we mean by that is that within both finance teams and the broader company, you need to create a culture where people feel okay to say, ‘I’ve clicked on the wrong link or should I click on this or I’ve left my phone in a cab’ without fear of embarrassment or retribution.”

Policies and procedures are another key area.

“You need to keep your policies and procedures alive. One thing we often flag is staff exits, people often leave the business and then for years afterwards they still have access to applications,” he said.

Mr Levinsohn also recommends that finance leaders stress test their systems.

“This could involve sending a fake invoice to the accounts payable team, send some goods that have no purchase order attached,” he said.

As the world gets more complex and the threats become more digital, businesses may also need more digital tools to help protect against scams.

Phone calls can still be an effective defence against many types of scams as well, he said, but they need to be done in a specific way for them to have an effect.

“Every auditor is now telling their client that they should implement callback controls,” he stated.

About the author

Miranda Brownlee is the news editor of Accounting Times, an online publication delivering analysis and insight to Australian accounting professionals. She was previously the deputy editor of SMSF Adviser and has broad business and financial services reporting experience, having written for titles including Investor Daily, ifa and Accountants Daily.
