Watch out for fake invoices
Published 11:39 pm Thursday, October 25, 2018
The FBI recently alerted the U.S. business community about an increasing number of attacks against payroll, personnel and accounts payable operations. The efforts are quite sophisticated: the bad guys present fraudulent invoices via email or USPS. The invoices appear to be from legitimate companies, but the payment delivery address or electronic payment submission process has been forged. Similarly, with many companies moving to direct deposit for payroll, the attackers are going after employees’ direct deposit information.
Below, I describe two of the most prevalent attacks and how to avoid them.
The financial diversion attack is a clever way to trick employees into divulging sensitive account information, with the goal of diverting electronic payment elsewhere, often the employee’s own direct deposit.
Cybercriminals often attack businesses for a variety of reasons. Chiefly, large businesses are often complex, presenting opportunity for weak administrative systems to be exploited. Small businesses are not complex. The owner-managers often juggle numerous tasks and errors are common, presenting abundant opportunity for well-crafted attacks to be successful.
Cybercriminals target employees through phishing emails designed to capture their login credentials. Once the cybercriminal has obtained the username and password, the credentials are used to access payroll or financial aid accounts in order to change the bank account information. Rules are added by the cybercriminal to the victim’s email account preventing the user from receiving alerts regarding direct deposit changes. Direct deposits are then changed and redirected to an account controlled by the cybercriminal, which is often a prepaid card or banking institution outside of the reach of the U.S. government.
Avoiding becoming a victim of a financial diversion attack isn’t easy. Below, I offer some basic suggestions for awareness and a few preventative measures.
• Hover your cursor over hyperlinks included in emails to view the actual URL. Ensure the URL is actually related to or associated with your business or partner, supplier. If the URL looks odd or peculiar, contact the group directly.
• Refrain from supplying log-in credentials or personally identifying information in response to any email. This sounds obvious, but people often provide usernames and passwords via email even when they know they shouldn’t. Often, a sense of urgency is presented in the messages and they feel the need to respond.
• Forward suspicious requests for personal information to the information technology or human resources department. If you are a small business and don’t have these support options, carefully review the contents of the message or mailing. Always contact the company directly if you feel uncomfortable.
• Ensure that log-in credentials used for payroll and other banking purposes differ from those used for other purposes, such as social media accounts. Don’t use the same passwords for every service. If you use the same password for your banking information as your Facebook account, change one of the passwords now!
Business email compromise (BEC) is a growing financial fraud that is more sophisticated than any similar scam that law enforcement has seen before. Furthermore, these types of scams have resulted in actual and attempted losses of more than $1 billion to businesses worldwide, according to FBI statistics.
Instead of making a payment to a trusted supplier, the scammers direct payment to their own accounts. Sometimes they succeed at this by switching a trusted bank account number by substitution or masquerading the account number with crafty tricks, such as hidden graphics or redirection. The criminals have become experts at imitating invoices and accounts. When a wire transfer happens, the window of time to identify the fraud and recover the funds before they are moved out of reach is extremely short.
To avoid becoming a victim of a business email compromise, follow the suggestions below.
• Verify changes in vendor payment location and confirm requests for transfer of funds, whether the invoice is received by email or other means. Double-check any request to send payment elsewhere or alter payment method from a known vendor.
• Be wary of free, web-based e-mail accounts, which are more susceptible to being hacked. If a supplier submits an invoice from a Hotmail or Gmail account, contact the company directly and ask if the invoice is real.
• Be careful when posting financial and personal information to social media and business websites, doing so provides a treasure of information for the would-be thief. Oversharing is a huge problem with social media networks – the information allows the attacker to create a more credible hoax.
• Regarding wire transfer payments, be suspicious of requests for secrecy or pressure to act quickly. This is the most common aspect of a fraudulent attack: urgency. The email message will suggest bad consequences if payment isn’t remitted immediately. Pause and review all urgent requests for payment.
• Consider financial security procedures that include a two-step verification process for wire transfer payments. If your bank offers multi-factor authentication or two-step authentication for accessing accounts online and conducting money transfers, enable those now. Doing so will create another barrier to the would-be thief.
As always, a healthy dose of skepticism and paranoia will serve you well – watch out for those scams!
William Greg Price is the Chief Technology and Security officer for Troy University and the Director of the Alabama Computer Forensics Institute. He currently represents District 2 on the Pike County Board of Education.