Cybersecurity featured prominently at this year’s Accountex. And since finance managers control the money, they often bear the brunt of phishing scams.
While everyone’s attention is currently fixed on the NHS ransomware outbreak, Simon Vaughan from SafeHack UK warned Accountex visitors last week that Europol rates a variety of email phishing known as CEO fraud as the top threat to businesses.
A €100,000 scam that occurred last year at the French company Etna Industrie provides a graphic example. A company accountant received a phone call on a Friday morning informing them that the president was about to send email instructions for a confidential transaction.
“You’re going to have to respond to whatever instructions she gives you,” the accountant was told.
A message duly arrived from an address with CEO Carole Gratzmuller’s name in it, saying the company was in the process of acquiring a new subsidiary in Cyprus.
A barrage of emails and calls followed, reinforcing the confidentiality and urgency of the transaction, a common tactic in phishing attacks such as this.
“They didn’t give her a moment to sit back and think that this was unusual,” said Gratzmuller.
By noon the finance manager had made €500,000 (£372,000) in wire transfers to foreign bank accounts. Three of the transactions were held up by the company’s banks, but a €100,000 transfer was processed.
With anxiety about cybersecurity on the rise, Simon Vaughan commented: “It is time to make our staff aware of phishing, and train them to respond to these enquiries in a safe manner. Cyber security is no longer the domain of the IT department. Business needs to get up to speed or risk being left behind with a very large bill.”
The other end of the threat spectrum
Concur also sounded warnings at Accountex about a threat at the other end of the scale: invoice phishing.
The threat here comes in the shape of low value, bogus electronic invoices, according to Concur UK managing director Dafydd Llewellyn.
“They make them look really legitimate. They find employee names who work in organisations to make them look even more authentic,” he said.
The phishers are looking to exploit pre-approval processes that many organisations put in place for low value sums. “As invoices come through, the problem [occurs] where there’s a paper-based process to get them paid,” Llewellyn continued.
“Finance people are busy. They’re getting asked to do more and more things… and don’t necessarily have the time to do all the checks and balances to spot them.”
The best way to combat invoice fraud is automation. Using cloud technology, finance managers can put in more controls and checks to prevent fake invoices getting paid. These can include rosters of approved vendors, mechanisms to check whether an expense has been approved and transaction logs to help the purchase ledger team decide whether an invoice is legitimate or not.
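The three controls listed above can be sketched as a single screening step. This is an added example, not code from Concur or the article; the class and field names, the vendor IDs and the £500 pre-approval limit are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Everything here is constructed for illustration: the field names, the
# vendor IDs and the pre-approval limit are assumptions, not from the article.
PRE_APPROVAL_LIMIT = 500.00  # invoices below this need no purchase order


@dataclass
class Invoice:
    number: str
    vendor_id: str
    amount: float
    po_number: Optional[str] = None


@dataclass
class PurchaseLedger:
    approved_vendors: set        # roster of approved vendor IDs
    approved_pos: dict           # PO number -> approved amount
    log: list = field(default_factory=list)  # every decision, paid or held

    def screen(self, inv: Invoice):
        """Return ("pay" | "hold", reasons) and append the decision to the log."""
        reasons = []
        # Roster check applies at every amount, so a low-value invoice
        # cannot ride the pre-approval limit past it.
        if inv.vendor_id not in self.approved_vendors:
            reasons.append("vendor not on approved roster")
        # Transaction log check: same vendor and invoice number already paid.
        if any(e["vendor_id"] == inv.vendor_id and e["number"] == inv.number
               and e["decision"] == "pay" for e in self.log):
            reasons.append("duplicate of a paid invoice")
        # Approval check: at or above the limit, an approved PO must cover it.
        if inv.amount >= PRE_APPROVAL_LIMIT:
            covered = self.approved_pos.get(inv.po_number)
            if covered is None:
                reasons.append("no approved purchase order")
            elif inv.amount > covered:
                reasons.append("amount exceeds approved purchase order")
        decision = "hold" if reasons else "pay"
        self.log.append({"number": inv.number, "vendor_id": inv.vendor_id,
                         "amount": inv.amount, "decision": decision,
                         "reasons": list(reasons)})
        return decision, reasons
```

Held invoices stay in the log with their reasons, which gives the purchase ledger team the history they need when deciding whether an invoice is legitimate.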