Rather than attempt to hack user credentials and gain access to Accounts Payable applications, hackers are now impersonating the CFO and obtaining all the detail they need to launch a scam.
In a decidedly smart move, hackers are now shifting tactics to make it easier to build a list of potential victims to defraud through false wire transfers. Traditionally, this is accomplished by hacking into the AR application from company “A”, and then phishing the AP department in company “B” to trick them into modifying banking details to a hacker-controlled bank account.
In a new twist, hackers impersonate the CFO of company A and request an updated aging report together – a list of outstanding invoices – complete with up-to-date contact details for each of the customers that had unpaid overdue invoices.
So, without needing to do little more than pretend to be the CFO via email, hackers are handed a list of their potential victims. The next stage in the attack would be to pretend to be the AR department in company A and send each of the individuals identified in the aging report asking them to pay their invoice and use new banking details.
Organizations need to have processes in place whenever any kind of information is requested relating to payments – whether those that need to be paid or those that should be received. Hackers are constantly looking for new ways to extract this information to use for their own purposes.
Putting Security Awareness Training in place helps to educate users in these departments about scams that target financial data, details, and transactions. It’s imperative that anyone touching any part of an organization’s financials should continually undergo this form of training to avoid exposing the company to risk of fraud and theft.