How scammers target finance teams

John Stokdyk
Editor
AccountingWEB.co.uk

Cybersecurity featured prominently at this year’s Accountex. And since finance managers control the money, they often bear the brunt of phishing scams.

While everyone’s attention is currently fixed on the NHS ransomware outbreak, Simon Vaughan from SafeHack UK warned Accountex visitors last week that a variety of email phishing known as CEO fraud was rated as the top threat to businesses by Europol.

A €100,000 scam that occurred last year at the French company Etna Industrie provides a graphic example. A company accountant received a phone call on a Friday morning informing them that the president was about to send email instructions for a confidential transaction.

“You’re going to have to respond to whatever instructions she gives you,” the accountant was told.

A message duly arrived from an address with CEO Carole Gratzmuller’s name in it, saying the company was in the process of acquiring a new subsidiary in Cyprus.

A barrage of follow-up emails and calls followed, reinforcing the confidentiality and urgency of the transaction - a common tactic in phishing attacks such as this.

“They didn’t give her a moment to sit back and think that this was unusual,” said Gratzmuller.

By noon the finance manager had made €500,000 (£372,000) in wire transfers to foreign bank accounts. Three of the transactions were held up by the company’s banks, but a €100,000 transfer was processed.

With anxiety about cybersecurity on the rise, Simon Vaughan commented: “It is time to make our staff aware of phishing, and train them to respond to these enquiries in a safe manner. Cyber security is no longer the domain of the IT department. Business needs to get up to speed or risk being left behind with a very large bill.”

The other end of the threat spectrum

Concur also sounded warnings at Accountex about a threat at the other end of the scale: invoice phishing.

The threat here comes in the shape of low value, bogus electronic invoices, according to Concur UK managing director Dafydd Llewellyn.

“They make them look really legitimate. They find employee names who work in organisations to make them look even more authentic,” he said.

The phishers are looking to exploit pre-approval processes that many organisations put in place for low value sums. “As invoices come through, the problem [occurs] where there’s a paper-based process to get them paid,” Llewellyn continued.

“Finance people are busy. They’re getting asked to do more and more things… and don’t necessarily have the time to do all the checks and balances to spot them.”

The best way to combat invoice fraud is to automation. Using cloud technology, finance managers can put in more controls and checks to prevent fake invoices getting paid. These can include rosters of approved vendors, mechanisms to check whether an expense has been approved and transaction logs to help the purchase ledger team decide whether an invoice is legitimate or not.
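As an added illustration (not code from Concur or from the article), the three controls named above can be combined into one screening step in which a low invoice value never bypasses the vendor roster. The vendor IDs, the 250.00 pre-approval limit, the field names and the sample records are all assumptions made for this sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data; every name and figure here is hypothetical.
APPROVED_VENDORS = {"V-1001": "Northgate Stationery Ltd",
                    "V-1002": "Harbour Couriers Ltd"}
APPROVED_EXPENSES = {"PO-7781": ("V-1001", 180.00)}  # ref -> (vendor, ceiling)
PRE_APPROVAL_LIMIT = 250.00   # assumed cut-off for "low value" invoices
TRANSACTION_LOG = []          # append-only record for the purchase ledger team


@dataclass
class Invoice:
    number: str
    vendor_id: str
    vendor_name: str
    amount: float
    approval_ref: str = ""


def screen_invoice(inv):
    """Return ("pay" or "hold", reasons) and log the decision."""
    reasons = []
    roster_name = APPROVED_VENDORS.get(inv.vendor_id)
    if roster_name is None:
        reasons.append("vendor not on approved roster")
    elif roster_name.casefold() != inv.vendor_name.strip().casefold():
        reasons.append("vendor name differs from roster entry")

    approval = APPROVED_EXPENSES.get(inv.approval_ref)
    if approval is None:
        # Low value only waives the approval reference, never the roster check.
        if inv.amount > PRE_APPROVAL_LIMIT:
            reasons.append("no approved expense above pre-approval limit")
    elif approval[0] != inv.vendor_id or inv.amount > approval[1]:
        reasons.append("invoice does not match approved expense")

    # The log doubles as a duplicate check on already-paid invoice numbers.
    if any(e["decision"] == "pay" and e["vendor_id"] == inv.vendor_id
           and e["number"] == inv.number for e in TRANSACTION_LOG):
        reasons.append("invoice number already paid for this vendor")

    decision = "hold" if reasons else "pay"
    TRANSACTION_LOG.append({"at": datetime.now(timezone.utc).isoformat(),
                            "number": inv.number, "vendor_id": inv.vendor_id,
                            "amount": inv.amount, "decision": decision,
                            "reasons": list(reasons)})
    return decision, reasons
```

Held invoices stay in the log with their reasons, so the purchase ledger team can review why each one was stopped.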

See the full interview with Dafydd Llewellyn at Accountex for more details:

Replies

17th May 2017 17:15

I'd like to think that I'd be sufficiently well informed about the goings on within the company that employs me that I'd know exactly what was likely to happen well before any payment instructions were made. If an accountant can sit in an office waiting for instructions like this then there's something seriously flawed about the whole company and not just the finance department.

Thanks (1)
21st May 2017 20:27

"The best way to combat invoice fraud is to automation." Sic.
Does anyone really believe that?
Also you do not need "cloud technology" to put in sound financial controls and procedures. If you are fooled into thinking you do it might not be the only thing you get fooled with!

Thanks (0)