On the 16th of August 2016, Brisbane City Council admitted that it had lost over $450,000 to criminals who assumed the identity of a legitimate supplier (a waste contractor), advised the council to change the account that payments were made to, and then sent through invoices which were subsequently paid. Townsville council lost $300,000 to the same criminals, and other councils in Queensland were also targeted. Whilst this fraud appears to be very sophisticated in that the criminals used publicly available tender documents to plan the attack and targeted multiple councils at the same time, it still follows the standard pattern we see in these cases:
- An organisation is targeted, and the criminals find out who within the organisation makes payments to suppliers
- Access is gained to a supplier’s email via a phishing attack, or a fake email domain is set up that will pass at a glance
- The criminals email and/or phone the organisation pretending to be the supplier and persuade them to change the bank account where funds are to be paid. Sometimes a PDF of a deposit slip (that has been amended) is used to create a level of confidence
- Legitimate invoices are sent through by the supplier
- The organisation pays them to the amended bank account
- Eventually, the supplier wonders why they aren’t being paid and contacts the organisation
- The fraud is discovered
- The money is gone
There are a few variants to this scheme
- C-suite fraud – the email comes from the CEO, CFO etc and asks for a payment to be made (usually to a foreign bank account). Despite this type of fraud being widely publicised, firms still fall for it
- Client fraud – the email and payment instructions appear to have come from a client. Once again these can be sophisticated, especially if the client’s email account has been compromised
- Seller fraud – the email appears to have come from the seller’s lawyer (or the seller) in a real estate transaction, with an amended bank account
Fortunately, there is an easy way to protect yourself and your organisation:
- Always confirm any internal payment requests by phone or in person – not by email. If a criminal has compromised an email account (or created a fake email address) they will reply to any emailed queries and will try to convince you that the request is genuine
- If you receive any request (by email or phone) to change a bank account that you pay funds to then confirm that the request is genuine by calling (not emailing) the supplier/client back, using a number you already have (not the number in the email). If dealing with an organisation, call their main number (not a mobile) and speak to someone you know
- If you are setting up payment details for a new supplier, or for a new client, then once again confirm that the request is genuine by calling (not emailing) the supplier/client back, using a number you already have (not the number in the email)
- Educate your staff to be aware of the risks, and to follow good practice. Make sure that they feel comfortable querying payment requests or asking for confirmation – especially if the request is internal
- If you are an owner or in a similar position of authority you should lead by example. Follow the process you have put in place, and be happy if staff query when they are unsure, or ask you to confirm a request – it means they are being careful
If you create payment policies that include the above elements, your risk of being a victim of fraud is considerably reduced. And the only investment is time.
If you’d like to learn more about how to secure your firm against cybercriminals, using both technology and training, then please get in touch.