Fake Zoom Invite exposes gap in controls

24 November 2020

Yesterday the Australian Financial Review published an article about how a single click on a malicious Zoom meeting invite by a principal of Levitas Capital put $8m at risk, caused the actual loss of hundreds of thousands of dollars and ultimately led to the collapse of the business after a key investor lost faith and stopped a significant capital transfer.

That single, simple click on the link in the fake Zoom meeting invitation inserted malware into the fund manager’s network, granting the fraudsters access to the fund manager’s email account.

Without the fund manager knowing, the fraudster then weaponised the account by using it to “authorise” the fund’s trustees (AET Corporate Trust) to make payments to companies set up by the fraudster.

While the ultimate destruction of the fund originated with a seemingly innocuous yet deceptive single click, what is really alarming is the failure of the manual payment controls to detect and prevent the transfer of the funds to the fraudsters.

In another example, the ABC reported a case where in May, Jane Flemming arranged to pay $51,000 to a subcontractor she had worked with for almost a decade, making countless payments to him in that time. A couple of days after Jane transferred the funds, the supplier called Jane’s husband, asking where his money was. Jane told her husband that the supplier had changed his bank accounts and that was when the penny dropped – they’d been scammed.

The supplier’s outbox shows he had sent the invoice to Jane at 4:56pm on a Friday — but it didn’t appear in Jane’s inbox until 7:30am on the Saturday.

According to associate dean for computing and security at Edith Cowan University, associate professor Paul Haskell-Dowland, someone had gained access to either person’s computer, and was waiting for an opportunity like this.

Most companies’ payment controls are not nearly as good as they believe them to be. They are, after all, manual, relying on people who can be duped and processes that can be subverted by an ever-changing, sophisticated adversary.

Amplifying the risks further is the dispersion of finance teams to their homes, where control measures are harder to maintain.

“We know companies do have controls in place including: segregation of duties, antivirus, spam filters, ERP software and call-backs – all of which are very important. Unfortunately, however, these alone are still not sufficient as the organisations often underestimate the nuance and sophistication required to continually and systematically detect and prevent fraud. Consequently, over time, they inevitably miss something that leads to potentially catastrophic results for the organisation,” says Mark Chazan, Chief Technical Officer & Co-founder, eftsure.

Companies should be looking to enhance their financial controls in a multitude of ways including cybercrime awareness, security hygiene, disciplined vendor management and certainly through technology.

eftsure is one such technology. Their multi-role, cloud-based solution provides real-time fraud alerts at both the point of vendor onboarding and the point of payment. Its use would have prevented the fraud and avoided the losses described above.

Australian Property Markets News and eftsure invite you to a Webinar to discuss how to enhance internal controls to avoid such a situation occurring.

Webinar 27 November 12:30 PM (AEDT)

The webinar will cover:

  • The perfect storm for cybercrime to beat internal controls
  • A deconstruction of the $8 Million Levitas Capital scam
  • How eftsure’s solution prevents fraud and avoids financial loss
  • What vendor management efficiency, compliance and security gains eftsure provides its customers


If you have missed the event, contact us at info@propertymarkets.news for access to the Webinar content.