Email and other general purpose messaging systems are not special purpose transaction protocols. Finance and accounting processes adopt a range of prophylactic measures to try to reduce the risks of such technologies. However bad actors, whether organized crime, lone-wolves, or increasingly state-supported cadres, interleave their malicious content within legitimate message flows. This places the burden of defence entirely on the message recipient, forcing them to play the odds of whether or not a commercial message is safe or not. We call this invoice roulette.
The risks are manifold.
Are email and WhatsApp dangerous for accountants?
In a recent report, the FBI estimated that business email compromise cost $43 billion.1
Many messaging systems are open to any new senders. In most cases knowing the email or phone number of the target is enough to be able to have a message delivered. The problems with email spam are widely known. Many email clients will warn you if you are communicating with someone outside your group, but the human being in front of the screen, often time-pressured or multi-tasking is faced with the ultimate decision.
But even services such as WhatsApp allows messages to be sent to any phone number. 2
Spam defences work well, but many rely for their effectiveness on the fact that near identical messages are sent to large numbers of recipients.
Being forced to receive messages over such an open system immediately makes you a potential target. 3
Links and Attachments
In many cases the payload representing the invoice data is distributed by either of two methods: directly attached within the email, or accessed via a link in the email body.
Links in email are considered to be more dangerous than links in, for example search results pages. 4
In the case where the data is accessed via a link in the email, the recipient is required to make a judgement about whether or not the link is legitimate. This is made more difficult in situations where the visisble text representing the click zone is perhaps different from the actual destination of the link.
HTML, PDF and DOC Format
The format of the message is most often one of an HTML page, a word-processor format such as doc or a PDF.
Risks arise for the recipient form all of these content types as each may contain harmful executable code. In particular, users may be unaware of the dangers of the PDF format, which is often considered to be uneditable, causing unwarranted trust to be placed on its veracity. Additionally users may not be aware that the PDF format can contain executable code which can run immediately the document is opened. 5
Due to the nature of the work of accountants and finance departments they represent attractive targets for bad actors. 6
It is not uncommon for them to deal with a very wide range of contacts, and staff turnover on the sender side can mean that even when organizations are somewhat stable, the actual names and addresses of human contacts are subject to a certain level of variability.
This means the challenge of identifying messages from valid senders, or of identifying tampered content from valid senders is perpetual. 7
Considering ransomware in particular, as larger businesses have become better defended, the criminals have moved their attention to smaller organizations.8
Not only is the danger real, but it is accelerating rapidly. The FBI reported that exposed losses increased by 65% in the eighteen month period between July 2019 and December 2021. 1
For accounting practices in particular, and in the context of the rush to increase remote access for staff in light of the COVID pandemic, there has been a reported 300% increase in cyberattacks.9
According to the UK government, 39% of businesses in 2022 had identified a cyber attack in the preceding twelve months. 10
The consequences of cyber breach are well known. There is of course the actual loss itself. Then there is the damage to commercial relationships, particularly in cases where payment details have been forged: the buyer and seller may dispute which party is actually at fault. Then there are remediation costs in terms of additional work to be done in terms of investigation and additional defensive measures. Should the cyber breach become public there is reputational damage, and in some cases there is also the risk of fines from regulators where it is found that compliance was inadequate. 11
There is a double whammy of danger for accountants. On the one hand the techology tools and processes with which they are required to work are those most convenient ffor bad actors and on the other, the nature of the work itself - the handling of large amounts of money - is one of the most attracive to criminals.
To a certain extent, for sellers, outbound invoicing activity is a fire-and-forget type of activity: any security problems which arise downstream for the customer are the customer’s problem. For all the reasons listed above, receiving an invoice can be a risky activity for the customer, hence invoice roulette.
This type of dynamic will, in time be solved by the market. Buyers will come to prefer sellers who offer secure and customer-friendly transaction messaging.
But it is also the job of government to maintain a business environment which enjoys the confidence of all participants, both domestic and international. And insurance companies which underwrite cyber risks will also exert pressure in the form of higher premiums or lower cover for those businesses which choose less secure working methods over more secure.