Cyber-crime goes into overdrive
Updated: Jul 6, 2020
Over the past three weeks I have heard of two small businesses suffering from invoice fraud, neither of which was straightforward. You might think your own processes are robust enough to spot a fraudulent invoice, but both examples circumvented the usual controls in the accounts payable department.
The first was an email from an existing supplier stating that their bank details had changed, and providing the new details. It turned out that an email account at the supplier had been hijacked, so the message genuinely came from the supplier's own address. The result was a six-figure sum paid into the scammer's bank account.
The second scam, at the height of the pandemic, was an email sent to the accounts department of a healthcare company, made to look as if it came from their CEO and asking for urgent payment of an invoice for PPE. The 'from' address had been carefully crafted to resemble the CEO's real address, and it passed the checks of two accounts department employees. The invoices were paid, and tens of thousands of pounds were lost.
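The second case turns on a sender address that looked right to two people. Machines are better at this comparison than people are, so as an added illustration (not part of the original post, and not a product of any company mentioned in it) here is a small Python check that an accounts mailbox could run over inbound mail: it flags a display name that matches a known executive or supplier but whose address does not, a domain that is a near-miss of the company's own or a known supplier's domain (including digit-for-letter swaps such as 1 for l), and a Reply-To that differs from the From address. The domain, names and sample messages are constructed for the example. Note what it cannot do: in the first case the supplier's real mailbox had been hijacked, so the address was genuine and no sender check would have fired; that is the gap the 2FA point below addresses.

```python
"""Flag inbound mail whose sender looks like a known contact but is not.

Added example for this article. OWN_DOMAIN, KNOWN_SENDERS and the sample
messages are constructed for illustration, not taken from a real incident.
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's own domain and the people most often impersonated.
OWN_DOMAIN = "example-health.co.uk"
KNOWN_SENDERS = {
    "jane smith": "jane.smith@example-health.co.uk",          # CEO
    "acme supplies accounts": "accounts@acme-supplies.example",  # a supplier
}

# Character swaps commonly used to build lookalike names and domains.
HOMOGLYPH_SUBS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(text: str) -> str:
    """Reduce text to a 'skeleton' so visually similar strings compare equal:
    strip accents, lowercase, then apply the homoglyph substitutions."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    for lookalike, real in HOMOGLYPH_SUBS:
        text = text.replace(lookalike, real)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character typo-squats the skeleton misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(raw_message: str) -> list[str]:
    """Return the reasons a message's From: header looks like impersonation.
    An empty list means nothing was flagged (it does NOT mean the mail is safe:
    a genuinely hijacked mailbox passes every check here)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    reasons = []

    # 1. Display name matches someone we know, but the address is not theirs.
    expected = KNOWN_SENDERS.get(skeleton(display))
    if expected and addr != expected:
        reasons.append(f"display name '{display}' expected {expected}, got {addr}")

    # 2. Domain is a lookalike of our own domain or of a known supplier's.
    known_domains = {OWN_DOMAIN} | {e.rpartition("@")[2] for e in KNOWN_SENDERS.values()}
    for known in known_domains:
        if domain != known and (skeleton(domain) == skeleton(known) or levenshtein(domain, known) <= 2):
            reasons.append(f"domain {domain} is a lookalike of {known}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    return reasons


# Constructed sample messages.
SAMPLE_CEO_SPOOF = """From: Jane Smith <jane.smith@examp1e-health.co.uk>
To: accounts@example-health.co.uk
Subject: URGENT - PPE invoice payment

Please pay the attached invoice today.
"""

SAMPLE_LEGIT = """From: Jane Smith <jane.smith@example-health.co.uk>
To: accounts@example-health.co.uk
Subject: Board pack

Attached.
"""

SAMPLE_SUPPLIER_REPLYTO = """From: Acme Supplies Accounts <accounts@acme-supplies.example>
Reply-To: accounts@acme-supp1ies.example
To: accounts@example-health.co.uk
Subject: Change of bank details

Please update our account details before paying the next invoice.
"""

if __name__ == "__main__":
    for name, sample in [("ceo spoof", SAMPLE_CEO_SPOOF), ("legit", SAMPLE_LEGIT),
                         ("supplier reply-to", SAMPLE_SUPPLIER_REPLYTO)]:
        print(name, "->", assess_sender(sample) or "no flags")
```

The skeleton comparison is deliberately crude; a production filter would use a fuller confusables table and the organisation's real address book, and would still be only one layer. Any bank-detail change should be confirmed by phone on a number already on file, never on one supplied in the email.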
These highlight the need for two essential cyber-security controls:
Use two-factor authentication on your email account, especially if you hold a senior position in the company, otherwise you are exposed to impersonation. With a hijacked mailbox the attacker usually has access for some time, learning the pattern of emails and the way they are worded, before the fraud is launched. 2FA (or MFA) stops a password alone from being enough: someone who guesses or steals it still cannot log in without the second factor.
Staff training. Whilst accounts staff need particular training on how to spot a 'phishing' email, ideally all employees should be made aware of the need to be "cyber secure". There is some very good, engaging online training available from our business partners.
You could also go all the way and get Cyber Essentials certified. This includes the measures described above in a comprehensive, government-approved suite of controls. Qualify for the "mark" to display on your website and publicity material to show your customers that you care about cyber-security. EP can arrange the controls and certification for you, leaving you free to grow your business.