Cyber Attacks, Phishing & Push App Fraud
Invoice Fraud
Phishing & Push App Fraud are growing issues. If hackers gain access to vendor data and client lists, they can e-mail clients fake invoices, supposedly from your company. By the time the unsuspecting client realises, the wrong account may well have been paid and the funds would have disappeared.
Turning the tables, when you receive invoices by e-mail or through your phone, unsuspecting employees may approve and wire out funds to the hackers inadvertently, leaving you out of pocket.
The best protection is to prohibit all payments via e-mail and instead move all billing to a secure portal capable of processing invoices.
Malware
The number one source of Cyber Attacks is e-mail. Malware or viruses may be included in links or file attachments. As cyber criminals grow more sophisticated, some e-mails appear to come from a staff member.
Tip 1 - Check E-Mail Authenticity: Before handling any e-mail, check the address on both sides of the @ sign: the left side should show the sender's name, while the right side should show the sender's domain. For example, John Smith working at ABC.com should show as sender: john.smith@abc.com. Now suppose your company is XYZ. A simple phishing technique is to place YOUR name or company name on the left side of the @ sign, for example XYZ@abc.com or mike(XYZ)@abc.com, coupled with an e-mail body urging you to click a link, perhaps because of a warning that your e-mail quota has been reached or a bill is due. This technique is common because many people only skim the sender name. Read the right side of the @ sign carefully. If in doubt, contact your IT Support team.
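The check described in Tip 1, written out as an added example (not Adaptive's code): it splits the From: header into display name, local part and domain, and flags the lure where the company name sits left of the @ sign while the right side is a foreign domain. The company name "XYZ" and the trusted domain xyz.com are assumptions, as are the sample headers.

```python
from email.utils import parseaddr

# Assumed for this example: your company is "XYZ" and owns xyz.com.
COMPANY_NAME = "xyz"
TRUSTED_DOMAINS = {"xyz.com"}


def check_sender(from_header: str) -> dict:
    """Split a From: header into display name, local part (left of the @)
    and domain (right of the @), then flag the lure from Tip 1: our own
    company name placed left of the @ or in the display name while the
    right side is not one of our domains."""
    display_name, address = parseaddr(from_header)
    if address.count("@") != 1:
        return {"address": address, "domain": "", "verdict": "malformed", "reasons": []}
    local_part, _, domain = address.partition("@")
    domain = domain.lower()
    reasons = []
    if domain not in TRUSTED_DOMAINS:
        # The right side decides: our name on the left of a foreign domain is the lure.
        if COMPANY_NAME in local_part.lower():
            reasons.append("company name left of the @ but foreign domain")
        if COMPANY_NAME in display_name.lower():
            reasons.append("company name in display name but foreign domain")
    verdict = "suspicious" if reasons else "ok"
    return {"address": address, "domain": domain, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed headers: the two lures from Tip 1, a genuine colleague and a real vendor.
    for header in ("XYZ@abc.com", "mike(XYZ)@abc.com",
                   "XYZ Billing <billing@xyz.com>", "John Smith <john.smith@abc.com>"):
        result = check_sender(header)
        print(f"{header!r:45} -> {result['verdict']} {result['reasons']}")
```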
Tip 2 - Never Click Links/Attachments from Unknowns: Never click on links or open attachments from anybody you do not know. Instead, hover over the link to see where it points, then type the main domain yourself into a browser to check its authenticity. It is also advisable to set your e-mail client to block all images by default.
Tip 3 - Anti-Phishing Security Training: We save live examples of phishing e-mails for this purpose and run Anti-Phishing training sessions for teams. It is our mission to make the internet a safer place.
Tip 4 - Switch to Adaptive's Messaging: Speak to Adaptive about our Messaging solution. Why do all staff need external e-mail addresses? Most do not. Reduce the number of e-mail addresses to reduce the attack surface. For internal communications and for messaging suppliers, clients, and Adaptive Customer and Tech Support, we provide all clients with our Messaging Module as standard. All users, including suppliers and clients, must log in through our secure Key-Based 2-FA app. All messages are encrypted and it works more efficiently than all major e-mail platforms!
All e-mail tools save a copy of every message in Sent Items. For the first e-mail this is fine, but repeating it for every reply in a thread means duplication, and countless hours are then wasted clearing out Sent Items. Our Messaging saves the first sent item only; replies are stored only as part of the thread.
From Our Servers
The underlying WordPress might be fine, but to be functional it relies on 3rd Party Plugins. Our best guesstimate is that these plugin developers care more about profit than security. To date WordPress and its plugins have suffered OVER SEVEN THOUSAND VULNERABILITIES and this figure grows at roughly 100/month. It only takes a single attack to bring a system down.
Here is the evidence. Or visit "cve.mitre.org", click "Search CVE List" and enter WordPress. Afterwards, search for "Adaptive": any mention of the word Adaptive relates to other well-known companies.
On a daily basis "bots" scour all servers to segment which do and do not run WordPress, searching for the WP Admin Login page.
- Adaptive offers "home-cooked" food rather than "ready-made", to focus on security, quality and control, and to facilitate customisation.
- Each client has their own database and unique encryption key. All client data is segregated.
- Key-Based 2-Factor Authentication (2-FA) login uses a PIN that is never transmitted or stored, and the login fails after a few incorrect attempts. The PIN is entered on a special keypad so that keyloggers (malware) cannot capture it. Users enter their PIN and then click on a matching image; this protects against BOTs, making it close to hack-proof.
- Our login is almost hack-proof, which means all invoices inside the portal are real invoices from genuine vendors. Furthermore, based on known fees and pricing, our systems automatically create shadow supplier invoices and client invoices, leaving nothing to chance, and as a further level of control only authorised senior finance staff can approve outgoing payments.
- Risk-Based Access Controls handle permissions and system access. We recommend operating on a least-privilege basis.
- There are multiple Internal & External Fraud Risk Controls.
- All client data is segregated. Neither developers nor system administrators have access to client data; system administrators are instead forwarded log files. Only the CEO has write access. The rationale: some ransomware attacks were carried out by insiders with knowledge of, and access to, shared credentials.
- Our APIs and Plugins each rely on A-Auth (Adaptive Authorization) and numerous additional measures to block malicious intruders.
Mitigate Internal & External Fraud
Reduce internal and external fraud risks through automation and save on the significant costs of fraud. Alerts are highlighted to Compliance, allowing them to act on evidence rather than wading through thousands of data points.
Mitigating Internal Fraud
Internal fraud may occur through collusion between internal staff and external parties, or by internal staff acting alone.
- Fake orders used as a pretext for money laundering
- Fake orders and shell accounts used to wire out funds
- Collusion with suppliers to push up pricing or increase final invoices in return for back-handers
- Inventory mismatches vs. orders
6 Ways Adaptive Mitigates Internal Fraud Risk
1. Fake Orders & Money Laundering:
Each order flow is cross-checked in the system to ensure orders, deliveries, inventory and payment flows match, with alerts for unexpected behaviour. A common money laundering trick is to place orders and pay funds without any delivery taking place; the money is instead cleaned and returned to the Client, minus a cleaning fee. This does not mean every refund is flagged, but our algorithm looks for suspicious behaviour and patterns.
2. Fake Orders & Employee Fraud:
Using a similar approach, staff with system know-how could set up fake Clients and Orders through shell companies, cancel the orders and have refunds wired out, or receive goods to sell on to 3rd parties. To reduce this risk only authorised staff may onboard new clients, and we recommend that only Client portals may place Orders, although this final check is optional. We also recommend separation of front and back office, so that Sales have no access to wiring funds and Finance equally have no access to placing orders.
3. Vendor Collusion:
To mitigate the risk of Vendor Collusion, all vendors register and have their material and labour costs approved before they are accepted into the system. For fixed-rate jobs, min/max ranges are approved. Prior to any job, precise fixed quotes and spare part costs are approved. When a work order is booked, Staff are only shown the 3 cheapest suppliers. The calculation takes into account labour rates, call-out charges, billing increments and all spare part costs. This prevents Vendors from colluding with internal staff to push up pricing. Checks are adjusted according to industry and your own requirements.
4. Inventory Mismatches:
Staff with system know-how could place fake orders to hide a drop in inventory while stealing goods in stock; the payments would never arrive. Our integrated system flags the mismatch. Naturally, during production there is always some slippage/wastage, for example a part breaks or human error occurs. A "likelihood" indicator is applied and only events passing a threshold are flagged, to reduce false positives.
5. Permissions and Controls:
Only those with permission may authorise and make payments, to mitigate wire fraud risks.
Finance validate commissions independently to ensure there are no duplicates or over-billing.
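The cross-checks described in items 1 and 4 above, as an added example that is not Adaptive's own code: each order's payment, refund, delivery and stock movements are reconciled, and an alert is raised for the pay-and-refund-without-delivery pattern, for stock drawn against an unpaid order, and for stock consumption beyond a wastage threshold so that ordinary slippage is not flagged. The 5% tolerance and the sample orders are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed for this example: up to 5% difference between stock drawn and
# goods delivered counts as normal production wastage.
WASTAGE_TOLERANCE = 0.05


@dataclass
class Order:
    order_id: str
    client: str
    paid: float          # funds received from the client
    refunded: float      # funds wired back to the client
    qty_delivered: int   # goods confirmed delivered
    qty_drawn: int       # stock movements booked against this order


def review_orders(orders):
    """Cross-check payment, delivery and stock flows per order and return
    (order_id, reason) alerts for the patterns in items 1 and 4 above."""
    alerts = []
    for o in orders:
        # Item 1: funds in and straight back out with nothing delivered.
        # A delivered-then-returned order is not flagged by this rule.
        if o.paid > 0 and o.refunded > 0 and o.qty_delivered == 0:
            alerts.append((o.order_id, "paid and refunded, nothing delivered"))
        # Item 4: stock left the warehouse against an order that was never paid.
        if o.qty_drawn > 0 and o.paid == 0:
            alerts.append((o.order_id, "stock drawn, no payment received"))
        # Item 4: stock consumed well beyond what was delivered, past the
        # wastage threshold so ordinary slippage does not raise an alert.
        if o.qty_delivered > 0:
            excess = (o.qty_drawn - o.qty_delivered) / o.qty_delivered
            if excess > WASTAGE_TOLERANCE:
                alerts.append((o.order_id, f"stock mismatch {excess:.0%} above tolerance"))
    return alerts


# Constructed sample data: one clean order and one of each suspicious pattern.
SAMPLE_ORDERS = [
    Order("A-1001", "Client A", paid=1000.0, refunded=0.0, qty_delivered=100, qty_drawn=102),
    Order("A-1002", "Client B", paid=5000.0, refunded=4750.0, qty_delivered=0, qty_drawn=0),
    Order("A-1003", "Client C", paid=0.0, refunded=0.0, qty_delivered=0, qty_drawn=40),
    Order("A-1004", "Client D", paid=1000.0, refunded=0.0, qty_delivered=100, qty_drawn=125),
]

if __name__ == "__main__":
    for order_id, reason in review_orders(SAMPLE_ORDERS):
        print(order_id, reason)
```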