Business Email Compromise (BEC) has been featured as one of the top five scams to watch out for during the Australian Competition and Consumer Commission (ACCC) National Scams Awareness Week (12th – 16th August 2019). Sydney based Fintech company, eftsure, is offering advice to Australian businesses to prevent or minimise the risk from this pervasive online scam, which costs Australians $1 billion a year.
BEC takes advantage of a gap in payment systems and uses social engineering (psychological manipulation through technology) to dupe businesses into believing supplier bank account details have changed. This leads to a payment into the wrong account and an often devastating financial and reputational loss that is extremely difficult, if not impossible, to recover.
eftsure CEO Mike Kontorovich says that the explosive growth in business payments fraud is fuelled by a perfect storm of social engineering, identity fraud and gaps in payment systems.
“Businesses aren’t paying who they think they’re paying,” Mr Kontorovich says. “Companies can’t stop using or relying on email, yet antivirus/antispam products are unable to stop most fraudulent emails that originate in ‘legitimate’ supplier email accounts. Consequently, the problem needs to be addressed where it matters most – at the point of payment.”
BEC scams have advanced into a sophisticated form of social engineering designed to make it impossible to tell fake from real, and telling them apart is made much harder because the email comes from a real supplier’s email account.
“The days of sniffing out an email scam are over,” Mr Kontorovich says. “There are no typos, no fuzzy logos and no dodgy or ‘spoofed’ email addresses.”
With BEC being one of the faster growing forms of cybercrime, prevention is now the only real solution.
How have BEC scams managed to infiltrate so many businesses and cause such devastating consequences?
- The ease of execution – compromising supplier email accounts en masse has proven very easy, as all it requires is convincing just one of a supplier’s employees to click on a link.
- The difficulty of discerning fraudulent correspondence from legitimate correspondence – since it comes from the real supplier email account, on the real email trail, it almost always passes spam filters.
- The fact that it is the supplier’s email account that is compromised, not that of the business being defrauded – so no matter how secure a business is, it is exposed by its supplier’s lapse in security, over which it has no control.
eftsure has designed a unique solution that flags the risk of an incorrect payment before the payment is made. Established in 2016 and founded by a team of banking technology and accounting professionals – Mike Kontorovich, Ian Mirels and Mark Chazan – eftsure provides specialised technology that lets businesses validate the integrity of their payment data, raising an alarm before a payment is made into the wrong account. To date, eftsure has protected over $8 billion in payments in Australia.
As experts in the area of BEC scams, eftsure has offered some tips that can help minimise the risk. The solution is a combination of measures that work on prevention:
- Stay aware – keep up to date with the latest scams (attend cyber events, subscribe to security newsletters) and then ensure your employees, colleagues and trading partners are aware by regularly distributing information on new scams and how they work in practice.
- Ensure security hygiene – now is the time to review your company practices for password and security controls. Never share passwords across multiple sites or permit weak passwords. Use Multi-Factor Authentication (MFA), a second step that confirms a user’s claimed identity, for all systems where it is available, including email.
- Recognise that employee email accounts are gateways to highly sensitive information and to attacks; create and enforce policies restricting what information can be kept in email inboxes and for how long before it is securely archived.
- Establish and enforce protocols in finance teams, such as separation of duties and independent verification for changes to bank details. Do not trust or rely on emails for bank account changes – any change should be checked via a call back to the supplier using an independently sourced phone number.
- Ensure your systems are all running the latest security patches and are configured securely – many ERPs have been subverted due to incorrect configuration or not having been patched to the latest levels.
- Use tools to enhance your security. While systems such as spam filters and anti-virus software should be employed and can prevent certain attacks, they don’t work against the currently pervasive forms of scams such as BEC, which use social engineering rather than technological ‘dark arts’ to deceive people. Nor will this software protect the organisation from insider scams. eftsure has a unique Know Your Payee (KYP) platform that provides businesses with rich data on suppliers in real time, before they pay the wrong supplier. This is achieved by verifying the supplier’s BSB and account number and raising a red flag if the payment being made does not match.

“No one is immune; from small business to large corporations, BEC scams are hitting Australia at an alarming rate. These scams are highly sophisticated and financial software systems just can’t keep up. Once payment is made into a fraudulent account it is almost impossible to retrieve,” Mike Kontorovich said.
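The point-of-payment check the tips above describe, as an added illustration that is not eftsure’s own code: every outgoing payment is compared against a register of previously verified supplier bank details, any change is held until a call-back on the independently sourced phone number confirms it, and unknown payees are routed to onboarding. All supplier names, BSBs, account numbers and phone numbers are constructed sample values.

```python
"""Added example, not eftsure's code: compare each outgoing payment's BSB/account
against a register of previously verified supplier details and hold anything
that differs until an independent call-back confirms it. All names, BSBs,
account and phone numbers below are constructed sample values."""
from dataclasses import dataclass

@dataclass
class VerifiedPayee:
    bsb: str       # Australian Bank-State-Branch code, six digits
    account: str
    phone: str     # sourced independently of email (contract, prior invoice)

def digits(value: str) -> str:
    """Normalise '062-000' / '062 000' to '062000' before comparing."""
    return "".join(ch for ch in value if ch.isdigit())

def check_payment(register, supplier, bsb, account, callback_confirmed=False):
    """Return OK, HOLD, RELEASE or UNKNOWN for one payment instruction.
    HOLD: details differ from the verified record and no call-back on the
    registered phone number (never one quoted in the email announcing the
    change) has confirmed them. RELEASE: a call-back confirmed the change, so
    the register is updated for later runs. UNKNOWN: route to onboarding."""
    known = register.get(supplier)
    if known is None:
        return "UNKNOWN"
    if (digits(bsb), digits(account)) == (digits(known.bsb), digits(known.account)):
        return "OK"
    if callback_confirmed:
        known.bsb, known.account = digits(bsb), digits(account)
        return "RELEASE"
    return "HOLD"

def screen_batch(register, batch):
    """Screen a payment run; returns [(supplier, amount, decision), ...]."""
    return [(p["supplier"], p["amount"],
             check_payment(register, p["supplier"], p["bsb"], p["account"],
                           p.get("callback_confirmed", False))) for p in batch]

# Constructed register and payment run (sample data, not real suppliers).
REGISTER = {"Acme Widgets Pty Ltd": VerifiedPayee("062000", "12345678", "+61 2 0000 0000")}
BATCH = [
    {"supplier": "Acme Widgets Pty Ltd", "amount": 4800.00, "bsb": "062-000", "account": "12345678"},
    # "new bank details" emailed from the supplier's (possibly compromised) mailbox
    {"supplier": "Acme Widgets Pty Ltd", "amount": 125000.00, "bsb": "033-999", "account": "87654321"},
    {"supplier": "Newco Services", "amount": 900.00, "bsb": "012-345", "account": "11112222"},
]
for _supplier, _amount, _decision in screen_batch(REGISTER, BATCH):
    print(f"{_decision:8} {_supplier:24} ${_amount:,.2f}")
```

The second Acme payment is the BEC case: it comes from the genuine supplier mailbox, so nothing upstream flags it, and only the mismatch against the verified record holds it for a call-back.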
*source ACIC, www.asic.gov.au
eftsure is dedicated to helping organisations identify and protect themselves against risk and error that occur in the payment process. Our unique Know Your Payee (KYP) solution provides real-time alerts and messaging against broad and accurate payee relationship data. We also assist businesses with verifying supplier data, streamlining their supplier onboarding process and ensuring payee compliance through our Confirmation of Payee (CoP) solution.
eftsure’s Know Your Payee crowd-sourced, cloud-based, independently verified database of payee information delivers unprecedented insight into your external payee relationships. It is built on the principle that if the depth and accuracy of your payee data is maintained, your organisation is better informed and capable of protecting itself against fraud, error and non-compliance, as well as ensuring best-practice payee relationship management.