If you work in the Finance Department of your company your email account might already have been hacked in a new scam costing Australian business millions every year

A new type of fraud, often originating offshore, involving the takeover of Finance Department staff’s email accounts, is impacting large and small businesses all over Australia. These frauds are currently costing Australian business tens of millions of dollars annually with individual attacks frequently topping $500k.

The method of this fraud is fundamentally simple. In essence the attacker hacks an organisation to find unpaid invoices. The banking details on these invoices are changed to a bank account which suits the attacker, and the invoices are sent out to victims for payment. The funds are then paid by the victim to the attacker.

How does this work? The fraud often starts with a phishing email to an unprotected internal staff email account. The email account is taken over using malicious software and the attacker then works their way through the organisation’s email accounts. Ultimately the attacker will take over the account of a person in the organisation’s Finance Department. Staff who have copies of unpaid invoices in their email account are prime targets in this type of attack. The attacker will then spend time gathering intelligence. They will read staff member’s emails and take copies of unpaid invoices and other information they need to complete the fraud. Of particular interest are overdue invoices for large amounts. These provide the attacker with human behaviour trigger points which they leverage to finish the fraud.

After the attacker has stolen all of the information they need from the organisation, they will execute the fraud, which is often involves multiple victims simultaneously. The attackers will use the hacked organisations email system to send the victims an email with an invoice containing new banking details. There will be a sense of urgency in the email often reminding the victim the invoice is way overdue. When the victim pays the invoice, the funds are paid to the attacker. At times victims will email the organisation to question the invoice. Attackers plan for this and create rules so only they will see incoming emails from victims.

The result of this fraud is a legal minefield with the hacked organisation still owed the debt and the victim stating they have paid their invoice. Only lawyers and the attackers win in this fraud.

“These frauds will potentially cost Australian business tens of millions of dollars this financial year. The pity is these types of fraud are easy to detect and avoid with some simple changes to internal procedures.”, Director of SECMON1 Christopher McNaughton said.

These types of scams are relatively easy to avoid by businesses implementing some simple processes. When an organisation receives an invoice with updated banking information always verify it in what SECMON1 calls 2Fi® (Two Factor Identification). That means using an independent method to verify the information in the invoice, and particularly the banking information. That could be as simple as phoning the organisation using a verified phone number (Hackers often update the invoice with a phone number they answer)