It was just another week in March when the bookkeeper sat down to pay suppliers for the Sydney-based company. However, as the bookkeeper entered payment details for $50,000 worth of invoices, a hacker was lying in wait. The hacker had changed numbers on the invoices and every invoice was paid to dummy accounts.
Luckily for the business, the bank was able to reverse the funds transfers, says Tom Cavanagh, a lawyer from Wotton and Kearney who specialises in cyber and data security.
(Pictured: Tom Cavanagh)
Cyber-attacks are rife among Australian SMEs, which faced a blistering 200,000 ransomware attacks in April and May last year, more than any other country in the world apart from Japan.
Ransomware, fake invoices and email scams can cost an average of $1.9 million a hit for companies with 100 to 500 employees, according to a recent survey of 600 IT decisionmakers by internet security company Webroot.
These are only direct costs and don’t include reputational damage. In February, the Notifiable Data Breach Scheme will force companies to report cyber attacks to their customers and business partners.
Security is no longer just the IT department’s problem. Hackers regularly target finance teams for obvious reasons. Every employee is a potential entry point for a hacker to access internal systems. So what’s the answer? This checklist from Murray Goldschmidt, CEO of Sense of Security, and Tom Cavanagh provides helpful hints to protect your internal finance team.
(Pictured: Murray Goldschmidt)
1. Be observant
Sometimes the simplest checks are best. Your finance team should always ask: “Is there anything suspicious about this email?” Giveaways of phishing emails (fake emails) are spelling mistakes or a missing or incomplete signature. If the sender is not known, always check the email header to see the server domain of the sender. Sender names and email addresses are easily faked. And if unsure, links should not be clicked on.
2. Check social requests
Double-check connection requests on LinkedIn. If the name, occupation and location is not familiar to you, then reconsider whether to accept. It may be flattering to amass a large social following, but this is also a first step to infiltrating your company.
When you connect to someone on LinkedIn, they can see your email address by default (this can be switched off). Most software uses the business email address as the username, so a hacker now has half the login details. If an employee is using a password at work they use in their personal accounts, they are very susceptible to a hack. For example, Yahoo reveals that hackers have gained access to most passwords of its three billion accounts. A hacker can search the stolen database, match the name, get the password and with the email address on LinkedIn they can use your account.
A first-level LinkedIn connection can also search your contacts for the name of the CFO or other key personnel. Targeted attacks, where fake emails are addressed to targets by name, are called spear-phishing and can be very effective.
3. Improve your business processes
What is one way to check that the urgent invoice from your CEO asking to pay $100,000 immediately is legit? Pick up the phone and call to confirm. Even if they are travelling.
Clever hackers will monitor the CEO’s movements and send money transfer requests just before they board an international flight. A hacker can add “I can’t attend to this because I’m overseas” to give context, which adds legitimacy to the request.
It doesn’t take much to confirm with the CEO via a quick text message to their mobile. If it’s a large amount, then make the phone call and get verbal confirmation. It is possible to spoof SMS messages, but nearly impossible to fake a spoken conversation. If you want to take it to Jason Bourne crime fictional levels, add a codeword to prove they are not held under duress. A second pair of eyes on transactions will also increase the chance of spotting a suspicious error.
4. Call suppliers to confirm new invoices
Create a policy for the finance team to call new suppliers before they pay the first invoice. Don’t call the number on the invoice itself: hackers are very enterprising and can pay someone to act as a receptionist. Even if the email address, email signature and logo appear to be genuine, the phone number may be fake. Look it up online and make sure you’re on the correct website. The supplier should be listed in Google Maps or other directories.
5. Use an e-invoice service
One way to eliminate fake invoices is to use a third party to authenticate them. Link4 takes invoices from one accounting program such as MYOB and automatically enters the details in a different program such as Xero or QuickBooks Online. The service requires the supplier and the customer to sign up separately. Once connected, the supplier can send invoices directly into the customer’s accounting software.
Xero has created an internal network for sending and receiving invoices from two companies on Xero by using a network key to validate the connection. If the finance team knows that all invoices for that supplier appear automatically in Xero, then any invoice from that supplier appearing in an email should automatically be treated as suspicious.
6. Use multiple signatories for bank transfers
Remember when we used cheques? Businesses often required two signatories to withdraw money. The same process should be followed for online banking. Many banks can set up safeguards for two authorisers to approve payments over a certain amount. Newer banks such as Tyro are more sophisticated in permissions. When the finance team makes payments, Tyro automatically notifies the business owner or manager with an alert on their mobile phone. They then swipe to approve each invoice directly.
7. Use multi-factor authentication
Multi-factor or two-step authentication should be a mandatory policy – definitely on your online banking and accounting software, but also on business software you use regularly. It usually involves sending a time-sensitive SMS code or using an authentication app on your mobile phone.
Some banks still use dedicated tokens to provide the second piece of authentication. These little gadgets attach to your keyring and display a randomly generated number to supplement your password.
8. Don’t rely on default protection
Cloud productivity software is better protected than the desktop equivalent, because it has anti-virus scanning built in. Any email sent through Microsoft Office 365 or Google G Suite is checked to see whether it is carrying malicious code and if it is – it will block access to the attachment. However, companies shouldn’t rely on these default settings.
“Standard anti-virus is so useless, it’s as good as having nothing at all,” says Goldschmidt. A phishing email may contain a link which directs the receiver to download a file from a website directly. For a few dollars a month per employee, you can buy security software that will download attachments into a “sandbox”. The software checks the attachment and only gives access if it is free of malware.
9. Continuous validation through simulations
It is good practice to train your staff to recognise phishing emails and other cyber-security attacks. It is better practice to continuously validate how well they follow the recommendations. One subscription service simulates a phishing campaign by sending one fake email a week to your finance team. The emails look genuine, but if an employee clicks on it, the email displays a message explaining it was against policy to do so or a reminder that these types of emails are dangerous.
10. Monitor staff behaviour changes
“There is evidence that the social behaviour of a person in the two to three weeks leading up to their resignation changes dramatically,” says Goldschmidt. The volume of email may increase or decrease, or the frequency of logins to a particular website may alter. That employee could be planning on taking company secrets with them.
Another red flag is when a hacker obtains the identity of a legitimate employee and infiltrates the corporate network. Behavioural software flags the activities of the fake employee as suspicious because they are different to the usual pattern. Consider installing apps that analyse employee behaviour. Apps such as Blindspotter, Veriato and Splunk use algorithms to detect changes and altert IT staff.
This article was first published in Acuity magazine.