Why cyber-crims walk in when chaos reigns at banks
The collapse of SVB last week means more requests to change account details – and more opportunities for digital fraud.
The recent collapse of Silicon Valley Bank – the biggest US bank failure since the 2008 financial crisis – has created huge uncertainty throughout the banking system. Although US federal leaders have stepped in to try and thwart a domino effect, there are still risks that Australian organisations need to keep in mind.
Those include heightened risks around cybercrime and fraud. As companies shift to ostensibly less risky banks, cybercriminals will look to capitalise on the chaos by duping accounts payable teams into paying fraudulent accounts.
Why does the SVB failure increase cyber risks?
Before federal intervention, state regulators had already closed a second bank, Signature Bank of New York. It’s unclear whether there will be further tumult, although federal authorities have moved to protect depositors.
Even in a best-case scenario, there’s a good chance that organisations will see more requests to change supplier account details. This creates fertile ground for fraud attempts.
Cybercriminals tend to see chaos as an open door. Even when operations are simply a little busier than normal – for example, during the end of the financial year – fraudsters try to take advantage of stressed, distracted AP employees. This is also why fraudsters sometimes target employees who are about to go on leave. We’re all more likely to slip up or skip a step in a financial control process when we’re busy or frazzled.
The overall banking turbulence simply makes account change requests more plausible. Staff might be less likely to scrutinise such requests if they see headlines that prime them to expect changes to bank account details.
Keep safe despite uncertainty
Finance professionals should be on high alert around any account detail change requests. Here are a few rules of thumb:
- Remember that anything coming through email needs to be verified, and don’t perform checks by email.
- Verification questions should never assume that the other party is trustworthy. Fraudsters can intercept phone calls performed for verification purposes. Don’t call and ask the other party to confirm that their details have changed, ask them what their details have changed to.
- Don’t trust phone numbers listed on invoices or email chains, since these can also be manipulated by fraudsters.
The sudden collapse of SVB is the sort of black swan event that underscores the importance of a financial control and cybercrime strategy. It’s a good time to take stock of internal controls and ask yourself whether they’re aligned with your organisation’s cybersecurity measures.
Siloes between IT and finance can create gaps that cybercriminals like to exploit. Plugging those gaps helps keep your team and finances safe regardless of what’s happening outside your organisation.
Gerard Mondaca is community security manager at Eftsure.
