The director of a Queensland workwear business who was the victim of a cyber attack says banks should do more to ensure fraudulent accounts aren’t opened by cyber criminals, after having supplier account details changed so scammers could fleece $76,000 in payments.
The Brisbane store of safety wear brand Totally Workwear had its accounting system compromised in October last year, but the business only recently found out about the situation after a creditor told them there was a problem with their invoice payment.
“We didn’t find out about it until we got calls from creditors who didn’t get paid,” the store’s director James Hogan tells SmartCompany.
“Only then we found out there had been a cyber attack.”
The criminals appear to have infiltrated the store’s accounting software, changing the banking details on around five of the company’s 80 to 90 suppliers, Hogan says.
This resulted in more than $70,000 in payments being made to incorrect accounts.
Hogan says insurance covered the business for most of the damage, but it was still left out of pocket around $10,000 in gap charges, with the banks unable to recover the lost funds.
He says the process of reporting the cyber crime was frustrating, with banks unable to provide details of where the funds had actually been sent.
“We contacted our bank NAB, and they sent out a recall notice to Westpac and the Commonwealth Bank [where the accounts were held],” he explains.
“It took them weeks to come back, and when they did come back, they said, we can’t reveal the client.”
Hogan says the banks need to be held to account around their practices for stopping cybercriminals, suggesting some institutions might not be doing proper identity checks and allowing criminals to set up local accounts to collect funds from cyber scams.
“The banks are probably not doing a hundred-point check for the accounts, they need to be brought to account,” he says.
The business also reported the fraud to the Australian Cyber Crime Online Reporting Network (ACORN), Hogan says, but he believes the platform could be more user-friendly for businesses wanting to report cyber attacks.
“You can only report things through the [ACORN] website and it’s a very laborious process,” Hogan says.
Hogan says other businesses should stay vigilant to these attacks, given how difficult they are to detect.
One supplier had notified the business that the wrong details had been listed for their payment, which allowed the business to stop one payment related to the cyber crime.
However, at that point, the retailer simply thought it was a mistake, rather than a symptom of a cyber attack.
“We didn’t think twice about — we thought it was just an error,” Hogan says.
The business is now working with its IT provider to develop a notification program so any changes made to banking details in its systems throw up a warning message.
Real-time payments to make fraud detection more challenging
Melbourne practice manager at Hack Labs, Michael McKinnon, tells SmartCompany attacks of this nature are common, with both businesses and banks finding them tricky to detect.
“I’ve heard of stories where the bank’s fraud team have contacted a business and asked to check, ‘are these details correct?’,” McKinnon says.
“The problem is that by this stage, the accounts system has already been compromised.”
This means the bank will read the BSB and account number back to the accounts team, but because the fraudulent number is already in the accounts system, it looks on the surface like no error has been made, he says.
McKinnon believes the banks are doing all they can to track fraudulent payments, but observes that the move to real-time payments in Australia this year will pose a new challenge for detecting these kinds of scams.
“We’re using to a model this year where the transfers will happen almost instantaneously, and this can create an additional burden for the banks. Transactions will [be settled] much more rapidly.”
For small business operators, the key lesson is to ensure you are diligent if the bank ever does contact you about an irregular transaction.
“The default response is to go, ‘everything’s fine here, surely it can’t be us’,” McKinnon says.
However, if something doesn’t look right in your accounts details, “business owners need to take advice to heart and do everything they can to get to the bottom of it”.