Fraudulent invoices are the new trend in business scams and have caused the highest losses across all scams in recent years, accounting for three quarters of total losses to businesses.
False billing scams involve targeted hacking of businesses, with criminals using email to abuse trust in business processes to scam organisations out of money or goods. These hackers impersonate business representatives by using names and domains similar to those of a legitimate organisation and/or fraudulent logos, or by using compromised email accounts and pretending to be a trusted co-worker or supplier.
Costs and Frequency
There is a range of false billing scams, but the most common type was payment redirection scams, known as business email compromise (BEC) scams, with 1,300 reports and $14 million in losses in 2020.
According to the ACCC website Scamwatch, small and micro businesses accounted for almost 60% of these false billing reports, with an average loss of around $11,000. Some businesses reported losses of up to $200,000.
StrataMax regularly sees these types of scams across our client base. Most are unsuccessful due to our clients’ vigilance and use of our software, but some still manage to sneak through. In these cases the chances of recovery are usually quite low due to the quick movement of money through a network of compromised bank accounts.
General phishing attacks
Phishing is one of the most widespread forms of cyberattack. The attacker pretends to be a real person or business that the receiver would normally transact with, which makes the request plausible. These fraudulent acts are common practice in the high-tech world of business today, with access to information readily available on social media and your own company websites. Here the attacker uses this information and spoofs your identity to defraud you, your employees, customers or partners of money.
These involve the hacker being able to compromise the email account and intercept the invoices being received by the strata manager. They then spoof the supplier’s invoice, altering the bank account details, and send it on to the strata manager using the compromised email account, making it look like it has come from the supplier with new bank account details. The strata manager pays these invoices thinking they are paying the supplier, but unwittingly sends that money to the hackers’ bank account.
Most of the time these hackers have a number of compromised bank accounts in their control through previous hacking efforts or through purchasing access to them on the dark web. They can then use a network of compromised accounts to move the money and avoid interception. In these cases, it is very difficult for banks to recall the funds once the payment has been made, and this is the reason the attackers use this method.
Internal fraud or Employee fraud is more common than most businesses think. Fraudulent activity is mainly motivated by opportunity and involves staff doctoring existing invoices or creating a new dummy invoice from scratch and submitting it for payment directly or via their accounting/strata software to their own or associated account.
Protecting against Fraud
Safeguarding your business from fraudulent attacks is imperative in today’s technology-focused world. While you can’t always prevent fraud from happening, you can take steps to protect your systems and limit exposure to potential fraud and scams.
Lock down your systems and technology
Supplier Account and BSB
If possible, your strata management software should provide separate security settings for this. StrataMax maintains all bank account and BPay details within Creditor Maintenance with access to specific fields restricted with StrataMax Security. StrataMax also recommends only allowing access to this area of the program to appropriate team members for entering and editing of these details.
Monitor and Confirm Changes
To avoid falling victim to hacking scams, strata managers should ensure that any change of bank account details on invoices is double checked with the supplier by telephone before transferring large amounts of money.
StrataMax will notify the user of this prior to authorisation and allow them to inspect the original invoice attached to the transaction.
Also, be aware of invoices that arrive in your inbox at the end of the day, as these are less likely to be looked at in the short-term and this opens up an opportunity, giving the hackers time to analyse and manipulate the details.
Segregation of duties
Internal and external fraud is a big issue for any organisation, with cyber-security and fraud prevention considered to be two of the top five issues facing businesses today. Fraud can potentially do the most damage to your bottom line.
Making it easier to spot anomalies in financial processes will ultimately help prevent fraud. Having separate staff in the office responsible for each step in the accounts process can help with this, by ensuring that no one person has the ability to make a payment from beginning to end. The entering of invoices, authorising of invoices and paying of invoices should, where possible, be performed by different people.
Creating processes and policies that are efficient and secure generates an enhanced workflow to reduce the risk of hackers getting through your system.
Simple processes should clearly define who is responsible for:
- Ordering of goods and services
- Entering of invoices
- Authorising invoices
- Validating changes in bank accounts
- Payment of invoices.
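An added example, not StrataMax code: a payment-release check that combines the two controls described above. It holds any invoice whose BSB or account number differs from the creditor record until the change is confirmed by phone, and any invoice where one person performed more than one step. The supplier, bank details, staff names and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed creditor master record: supplier -> (BSB, account number).
CREDITOR_MASTER = {"Acme Plumbing": ("064-000", "12345678")}

@dataclass
class Invoice:
    supplier: str
    bsb: str
    account: str
    entered_by: str
    authorised_by: str
    paid_by: str
    # Assumption: set only after a call to the supplier's number already on file.
    change_confirmed_by_phone: bool = False

def digits(value):
    """Keep digits only so '064-000' and '064 000' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())

def payment_holds(inv, master=CREDITOR_MASTER):
    """Return the reasons this invoice must not be paid yet (empty = release)."""
    holds = []
    on_file = master.get(inv.supplier)
    if on_file is None:
        holds.append("supplier not in creditor master record")
    elif (digits(inv.bsb), digits(inv.account)) != tuple(map(digits, on_file)):
        if not inv.change_confirmed_by_phone:
            holds.append("bank details differ from record; confirm by phone")
    # Segregation of duties: entering, authorising and paying need three people.
    staff = {s.strip().lower() for s in (inv.entered_by, inv.authorised_by, inv.paid_by)}
    if len(staff) < 3:
        holds.append("one person performed more than one payment step")
    return holds

# Constructed invoices: a genuine one, a redirected one, a self-processed one.
GENUINE = Invoice("Acme Plumbing", "064 000", "12345678", "ana", "ben", "cho")
REDIRECTED = Invoice("Acme Plumbing", "082-001", "99990000", "ana", "ben", "cho")
SELF_PAID = Invoice("Acme Plumbing", "064-000", "12345678", "ana", "ben", "Ana")

if __name__ == "__main__":
    for name, inv in [("genuine", GENUINE), ("redirected", REDIRECTED), ("self-paid", SELF_PAID)]:
        print(name, payment_holds(inv) or "release")
```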
It is imperative that a clear message of the internal and external controls is communicated to all staff involved in any aspect of the accounting system in your business. Staff need to have a clear understanding of their own role and how their activities relate to the activities of others and the associated risks.
On top of a clear message to your staff, strengthen your IT security by protecting your networks. Simple steps of developing and maintaining proper security controls could include configuring your server to reject emails from unapproved senders and using strong multi-factor authentication to prevent scammers using login details.
Preventing any form of cybercrime comes down to both parties in a transaction having sufficient processes in place. Failing to implement precautionary measures increases your risk of losses due to being hacked and the associated liability.