Technology

Brisbane retailer warns other businesses to be vigilant after being hit with $76,000 cyber crime

Emma Koehn /

The director of a Queensland workwear business who was the victim of a cyber attack says banks should do more to ensure fraudulent accounts aren’t opened by cyber criminals, after having supplier account details changed so scammers could fleece $76,000 in payments.

The Brisbane store of safety wear brand Totally Workwear had its accounting system compromised in October last year, but the business only recently found out about the situation after a creditor told them there was a problem with their invoice payment.

“We didn’t find out about it until we got calls from creditors who didn’t get paid,” the store’s director James Hogan tells SmartCompany.

“Only then we found out there had been a cyber attack.”

The criminals appear to have infiltrated the store’s accounting software, changing the banking details on around five of the company’s 80 to 90 suppliers, Hogan says.

This resulted in more than $70,000 in payments being made to incorrect accounts.

Hogan says insurance covered the business for most of the damage, but it was still left out of pocket around $10,000 in gap charges, with the banks unable to recover the lost funds.

He says the process of reporting the cyber crime was frustrating, with banks unable to provide details of where the funds had actually been sent.

We contacted our bank NAB, and they sent out a recall notice to Westpac and the Commonwealth Bank [where the accounts were held],” he explains. 

“It took them weeks to come back, and when they did come back, they said, we can’t reveal the client.”

Hogan says the banks need to be held to account around their practices for stopping cybercriminals, suggesting some institutions might not be doing proper identity checks and allowing criminals to set up local accounts to collect funds from cyber scams.

The banks are probably not doing a hundred-point check for the accounts, they need to be brought to account,” he says. 

The business also reported the fraud to the Australian Cyber Crime Online Reporting Network (ACORN), Hogan says, but he believes the platform could be more user-friendly for businesses wanting to report cyber attacks.

“You can only report things through the [ACORN] website and it’s a very laborious process,” Hogan says.

Hogan says other businesses should stay vigilant to these attacks, given how difficult they are to detect.

One supplier had notified the business that the wrong details had been listed for their payment, which resulted in the business being able to stop one payment related to the cyber crime.

However, at that point, the retailer simply thought it was a mistake, rather than a symptom of a cyber attack.

We didn’t think twice about — we thought it was just an error,” Hogan says. 

The business is now working with its IT provider to develop a notification program so any changes made to banking details in its systems throw up a warning message.

Real-time payments to make fraud detection more challenging

Melbourne practice manager at Hack Labs, Michael McKinnon, tells SmartCompany attacks of this nature are common, with both businesses and banks finding them tricky to detect.

“I’ve heard of stories where the bank’s fraud team have contacted a business and asked to check, ‘are these details correct?’,” McKinnon says.

“The problem is that by this stage, the accounts system has already been compromised.”

This means the bank will read the BSB and account number back to the accounts team, but because the fraudulent number is already in the accounts system, it looks on the surface like no error has been made, he says.

McKinnon believes the banks are doing all they can to track fraudulent payments, but observes that the move to real-time payments in Australia this year will pose a new challenge for detecting these kinds of scams.

We’re using to a model this year where the transfers will happen almost instantaneously, and this can create an additional burden for the banks. Transactions will [be settled] much more rapidly.” 

For small business operators, the key lesson is to ensure you are diligent if the bank ever does contact with an irregular transaction.

The default response is to go, ‘everything’s fine here, surely it can’t be us’,” McKinnon says. 

However, if something doesn’t look right in your accounts details, “business owners need to take advice to heart and do everything they can to get to the bottom of it”.

Never miss a story: sign up to SmartCompany’s free daily newsletter and find our best stories on TwitterFacebookLinkedIn and Instagram.

Advertisement
Emma Koehn

Emma Koehn is SmartCompany's senior journalist.

We Recommend

FROM AROUND THE WEB

  • haydn

    If Westpac and the Commonwealth Bank have said “we can’t reveal the client”, then one must ask why. If it’s been deposited into a corporate client’s account, then there’s no reason why but if it’s gone into an individual’s account, then the Privacy Act provisions would apply but by doing nothing, these two banks are aiding and abetting a crime and so there’s an opening to make a claim for compensation on them through their EDR provider (Financial Ombudsman Service Ltd). However, wonder if either even bothered to report this to matter to AUSTRAC (especially CommBank, given its previous shortcomings)? They would certainly be interested.

    • Garry

      If its the same issue as the MYOB problem then its not the banks problem its a problem that’s caused by the “Cloud” nature of the accounting product.

  • Garry

    The big question is which accounting system?
    I am aware that MYOB have been working their bums off to cover up that their AccountRight 201?.?? products have this vulnerability but would be interested to hear if its one of the other “Cloud” Accounting products with the same issue.

    • haydn

      I wasn’t aware of this accounting system issue but the article alludes to the account details being changed. Imo, as the transfer of funds was perpetrated by a crime, the unwillingness of the two banks to provide the details of account(s) into which the money was transferred or do something (such as reporting the matter to the Police Fraud Squad or Austrac) is nothing short of despicable. The Police could easily do something under a Proceeds of Crimes Act.

      • Garry

        As I said has nothing to do with banks because the security of your accounting data has nothing to do with them.
        With the MYOB “Cloud” product the issue was to do with lax security (problem with cloud stuff) which enabled crooks to log directly on to the MYOB accounting file, go the card (suppliers, employees, customer lists) for any supplier they wanted & change the BSB & Account No. directly in the MYOB file without anyone knowing it had changed.
        Then when people did a payment run in MYOB, it just used the account details on file for the supplier you were paying.
        IMO parties responsible are the idiots claiming the “Cloud” was safer than the old fashion local network file, IE MYOB, Accountants IT People etc etc , and whoever was responsible for the lax security.
        That said only course of action is for the business owner to report the matter to police who will go to the banks with warrants for info and I would argue if it is MYOB, tell the IT co to bugger off developing an ineffective patch for MYOB & find someone who can downgrade the “Cloud” system back to the much safer & more secure “Classic” version of MYOB.