Organizations are losing thousands—and sometimes millions—of dollars from invoice fraud, which is also known as Business Email Compromise (BEC). At TrustedSec, we have seen a marked uptick in panicked, embarrassed, and/or angry folks reaching out to us for Incident Response and forensics work following a scam. Sometimes, organizations are able to recover some or all of the loss, but oftentimes not.
What is it?
Invoice fraud is a scam in which a criminal poses as a vendor and convinces an employee to wire large sums of money to an account the criminal controls, one registered under a name or business description that resembles a legitimate vendor's. Sometimes the scammer doesn’t have to convince anyone to do it, because they are so deeply embedded in the target’s systems that they can simply do it themselves. Typically, though, the scam is conducted when the attacker compromises a legitimate business email account through social engineering and sends either phony invoices to be paid or real invoices with altered bank account information.
To increase the chance for success, the scammer could research important or relevant employees who manage money. They could then use the appropriate industry language and follow the typical actions specific to the company they are targeting. From there, they can request a fraudulent transfer using dollar amounts that are comparable to other expenditures to lend legitimacy to their actions in hopes that they’ll be able to slide the transaction right through without anyone noticing.
Who is a target?
Companies of all sizes are being targeted. However, smaller organizations that can’t afford the losses and have never been attacked in this way in the past suffer the most. Often these companies have avoided the historical malware disruption or ransomware attacks that made the news over the past few years, so they’re completely caught off guard. It’s not just the small companies, though, as even Google and Facebook got tricked out of $122 million through this attack method (the attacker was prosecuted in March 2019). The criminal groups that carry out these attacks are organized and extremely sophisticated, using a well-tested formula for success.
How are they doing it?
A few of the most common ways organized crime groups can deceive victims are:
- Email compromise of an actual account due to either password re-use or from a man-in-the-middle (MitM) type of attack. These can often be the worst ones because the attackers can email the financial folks from a legitimate account. They can also make use of an email chain from a past correspondence, appearing totally authentic—but with different banking information. The attackers can even set up hidden forwarding and deletion email rules, so the victim never even sees any of the communications, making it that much more difficult to detect.
- Email Spoofing. Spoofing is when an email appears as though it was sent from a legitimate account or address. The criminals will make almost unnoticeable changes to the true addresses, like using “l” for “i” (they look fairly similar when scanned quickly), or will use ABC Corp. vs ABC Inc. (referred to as domain squatting). They will also register domains similar to legitimate ones, such as adding a letter, like “speachrite.com” vs. “speechrite.com.” The hacker doesn’t even need access to an established account, since they have created their own. They then direct any replies to their own account or registered domain and impersonate an executive making a request to pay a bill or transfer money, when in fact the request is completely fake.
- Using malware to hack into an account. Malicious software can be used to potentially gain full access to an organization. Spyware, for example, hides in the background and allows the attacker to view financial email threads, such as which accounts are owed money or have invoices that are about to come due. They can also view calendars to see when an executive is on vacation or otherwise wouldn’t be following their normal pattern, such as verifying money transfers. Thus, the attacker has a greater likelihood of success. In one case TrustedSec has investigated, an attacker installed malware all over an organization, figured out who the financial payers were, and then called the people on the phone to get them to log in to the site so the credentials were captured in real-time—including their multi-factor authentication (MFA) codes.
- Spear phishing executives or those in finance/accounting. Spear phishing is when attackers send tailored fake emails to specific people, usually a group with a shared role, asking for confidential information such as login passwords or bank account details that the criminal can then use remotely. Once the attackers have this information, they can sometimes simply transfer the money themselves without ever having to involve anyone in the organization.
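The hidden forwarding and deletion rules described in the first bullet leave a trail in the victim's mailbox configuration, which is where an incident responder looks first. The following is an added example, not code from TrustedSec or from this post: it audits a set of inbox rules for the pattern of forwarding finance mail to an outside address, deleting or burying it in a rarely viewed folder, or hiding behind a near-empty rule name. The rule records and field names are constructed for the example and are not a vendor's export schema.

```python
"""Audit mailbox inbox rules for the forward-and-hide pattern used in BEC.

Added example. The rule records below are constructed, not an export from
any real tenant, and the field names are assumptions rather than a vendor schema.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

ORG_DOMAIN = "example.com"  # assumed: the organization's own mail domain

# Subject keywords attackers commonly key their rules on to hide finance traffic.
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "ach", "remittance", "bank"}

# Folders where moved mail is unlikely to be noticed by the mailbox owner.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}


@dataclass
class MailboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    subject_contains: List[str] = field(default_factory=list)
    forward_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    mark_as_read: bool = False


def _external(address: str) -> bool:
    """True when the forwarding target is outside the organization."""
    return not address.lower().endswith("@" + ORG_DOMAIN)


def audit_rule(rule: MailboxRule) -> List[str]:
    """Return the reasons a rule looks like BEC persistence; empty means clean."""
    reasons: List[str] = []
    if not rule.enabled:
        return reasons
    external = [a for a in rule.forward_to if _external(a)]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    keyed = [k for k in rule.subject_contains if k.lower() in FINANCE_KEYWORDS]
    hides = rule.delete_message or rule.move_to_folder or rule.mark_as_read
    if keyed and hides:
        reasons.append("hides finance-keyword mail (" + ", ".join(keyed) + ")")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{rule.move_to_folder}'")
    if rule.delete_message and rule.forward_to:
        reasons.append("forwards then deletes, so the owner never sees the thread")
    if len(rule.name.strip()) <= 1:
        reasons.append(f"near-empty rule name {rule.name!r}")
    return reasons


def audit_mailbox_rules(rules: Iterable[MailboxRule]) -> Dict[str, List[str]]:
    """Map 'mailbox/rule name' to its findings for every rule that has any."""
    findings: Dict[str, List[str]] = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings[f"{rule.mailbox}/{rule.name}"] = reasons
    return findings


# Constructed sample: one benign rule and two that match the pattern in the text.
SAMPLE_RULES = [
    MailboxRule("ap@example.com", "Vendor newsletters",
                subject_contains=["newsletter"], move_to_folder="Newsletters"),
    MailboxRule("ap@example.com", ".",
                subject_contains=["invoice", "wire"],
                forward_to=["ap.backup@mail-collector.invalid"],  # constructed
                delete_message=True),
    MailboxRule("cfo@example.com", "Cleanup",
                subject_contains=["payment"], move_to_folder="RSS Feeds",
                mark_as_read=True),
]

if __name__ == "__main__":
    for key, reasons in audit_mailbox_rules(SAMPLE_RULES).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

In practice the rule list would come from the mail platform's administrative export rather than the inline sample, and the same checks apply to transport-level forwarding configured outside the mailbox, which this example does not cover.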
More sophisticated attackers will take a two-pronged approach to hide their tracks. We have seen an attempted distributed denial-of-service (DDoS) attack used to distract the IT team from the real target, which was the transfer of millions of dollars into a separate account. Smaller organizations may be unable to understand what happened, while in larger organizations the processes may be so complicated that the left hand doesn’t know what the right hand is doing. Even more disturbing, most of the time they don’t need to take it this far, since the other methods have already succeeded. In any event, criminals are testing the boundaries of defensive capabilities.
What types of services help organizations to be proactive?
- Security Program Assessment – There are many methods of attack for a criminal. A Security Program Assessment will give an organization a holistic look at the entire environment to ensure nothing falls through the cracks by reviewing data flows and controls with a prioritized roadmap of recommendations.
- Incident Response Program Review – When an organization needs a more focused review of those policies and procedures relating to an incident, an Incident Response program review can be very valuable. An effective Incident Response program consists of many elements, all of which are interdependent to ensure there is the least adverse effect on the organization as possible.
- Table-Top Exercises – Like any other process or procedure, an Incident Response plan should be a living document that is periodically tested and revised to meet current needs. A Table-Top Exercise is a simulated real-world situation led by a facilitator, where the organization can interact with, and react to, events as they unfold in a classroom-style setting.
- Security Awareness Training – Since employees are often targeted for these types of attacks (and others), it is important that they understand their role in protecting data and systems, as well as the threats they face. This is particularly true in invoice fraud as education and process changes can be the difference between enduring an illegal transfer or stopping it before it gains traction.
What can be done now?
While individuals are fairly well-protected when it comes to fraudulent transfers from their bank accounts, that’s not the case for small businesses. Therefore, it is important to work with the bank to understand the limits available and their processes and procedures to detect fraud.
General best practices are to inform employees about how this type of fraud is done, change passwords often and never reuse them (especially on privileged accounts), require two (2) people to authorize any fund transfer, and use only one (1) dedicated computer for wire transfers and other monetary transactions.
Prevention mechanisms include MFA, also called two-factor authentication (2FA), which is becoming more and more prevalent. It means an attacker would need multiple credentials from different systems: both a stored password and a one-time code generated outside the computer system, typically on a phone. A second mechanism is to use a domain squatting detection service to receive a notification when a similar or slightly altered domain is created.
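The lookalike domains described under Email Spoofing (“l” for “i”, an added letter, ABC Corp. vs ABC Inc.) are exactly what a domain squatting detection service watches for. The following added example, which is not code from TrustedSec or from this post, shows the core of such a check run against inbound sender domains: it compares a sender's domain to a list of trusted vendor domains and flags confusable characters, a swapped corporate suffix, a different top-level domain, or a single-character edit. The trusted vendor list, the sample sender domains and the confusable-character table are constructed for the example, and the registrable-label logic assumes simple two-part domains.

```python
"""Flag sender domains that resemble a trusted vendor's domain.

Added example. The trusted list and sample senders are constructed; the
label extraction assumes simple 'name.tld' domains (no 'co.uk'-style TLDs).
"""
from typing import Iterable, Optional, Tuple

# Character sequences that read alike at a glance, each mapped to one canonical form.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("|", "l")]

# Corporate suffixes that attackers swap (ABC Corp. vs ABC Inc.), longest first.
ENTITY_SUFFIXES = ("corporation", "corp", "group", "llc", "ltd", "inc", "co")


def registrable_label(domain: str) -> str:
    """Second-level label: 'mail.speechrite.com' -> 'speechrite'."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def skeleton(label: str) -> str:
    """Collapse confusable characters so visually similar labels compare equal."""
    text = label.replace("-", "")
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text


def strip_entity_suffix(label: str) -> str:
    """Remove a trailing corporate suffix: 'abc-corp' -> 'abc'."""
    for suffix in ENTITY_SUFFIXES:
        if label.endswith(suffix) and len(label) > len(suffix):
            return label[: -len(suffix)].rstrip("-")
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str, trusted: Iterable[str]) -> Tuple[str, Optional[str], str]:
    """Return (verdict, matched trusted domain or None, reason).

    verdict is 'trusted', 'lookalike' or 'unknown'.
    """
    candidate = domain.lower().strip()
    trusted_list = [t.lower().strip() for t in trusted]
    if candidate in trusted_list:
        return ("trusted", candidate, "exact match")
    label = registrable_label(candidate)
    for known in trusted_list:
        known_label = registrable_label(known)
        if label == known_label:
            return ("lookalike", known, "same name under a different top-level domain")
        if skeleton(label) == skeleton(known_label):
            return ("lookalike", known, "confusable characters (e.g. 'l' for 'i', 'rn' for 'm')")
        if strip_entity_suffix(label) == strip_entity_suffix(known_label):
            return ("lookalike", known, "corporate suffix swapped (Corp vs Inc)")
        if edit_distance(label, known_label) == 1:
            return ("lookalike", known, "one character added, removed or changed")
    return ("unknown", None, "no resemblance to a trusted vendor domain")


# Constructed trusted vendor list and sample sender domains.
TRUSTED_VENDORS = ["speechrite.com", "abc-corp.com"]
SAMPLE_SENDERS = ["speechrite.com", "speachrite.com", "speechrlte.com",
                  "abc-inc.com", "speechrite.co", "totally-unrelated.org"]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        verdict, match, reason = classify_sender_domain(sender, TRUSTED_VENDORS)
        print(f"{sender:24} {verdict:9} {match or '-':16} {reason}")
```

A mail gateway rule would quarantine or banner anything classified as a lookalike; a squatting-detection service runs the same comparison against newly registered domains from zone feeds rather than against inbound mail.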
Another best practice is to set up a procedure where the organization is notified any time there is a change to a billing request or to the wire transfer process. As part of that procedure, it is important to call the payee for voice verification, which takes the decision out of the email-only channel that the attackers can see. This is, in essence, another form of MFA. Put simply, organizations should apply the same controls online that they already use for checks and traditional accounting verification. For example, organizations could modify their wire transfer process so that any change must be approved by more than one (1) person (such as the CFO and the person requesting the change), and again, that approval should be given over the phone and not via email.
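The controls in the two paragraphs above (voice verification of any banking change and approval by more than one person, both outside email) can be encoded as release conditions that a payment system checks before a transfer goes out. The following added example, which is not code from TrustedSec or from this post, models a vendor bank-detail change and refuses to release the transfer unless the change was verified by a call, the call went to the vendor's number already on file rather than a number supplied in the request (an added check beyond the text, since a spoofed request can carry the attacker's own phone number), and two distinct people, at least one in a finance role, approved it over a channel other than email. The vendor master data, role names and sample requests are constructed.

```python
"""Release conditions for a wire transfer after a vendor bank-detail change.

Added example. Vendor master data, roles and sample requests are constructed;
the channel names ("phone", "email", "in-person") are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed vendor master data: the phone number that was verified when the
# vendor was onboarded, never the number quoted in an incoming change request.
VENDOR_PHONE_ON_FILE = {"Speechrite LLC": "+1-555-0100"}

# At least one approver must hold one of these roles (assumed role names).
REQUIRED_APPROVER_ROLES = {"cfo", "controller"}


@dataclass
class BankDetailChange:
    vendor: str
    old_account: str
    new_account: str
    requested_via: str                       # channel the request arrived on
    number_in_request: Optional[str] = None  # phone number the request quoted
    verified_via: Optional[str] = None       # "phone", "email" or None
    verified_number: Optional[str] = None    # number actually called


@dataclass
class Approval:
    approver: str
    role: str
    channel: str  # "phone", "in-person" or "email"


def release_transfer(change: BankDetailChange, approvals: List[Approval]) -> Tuple[bool, List[str]]:
    """Return (allowed, problems). The transfer is released only with no problems."""
    problems: List[str] = []

    # 1. Out-of-band verification: a call, and to the number already on file.
    if change.verified_via != "phone":
        problems.append("bank detail change was not verified by a voice call")
    else:
        on_file = VENDOR_PHONE_ON_FILE.get(change.vendor)
        if on_file is None:
            problems.append("no phone number on file for vendor; cannot verify")
        elif change.verified_number != on_file:
            problems.append("verification call went to a number not on file")
        if change.number_in_request and change.verified_number == change.number_in_request:
            problems.append("verification used the number quoted in the request itself")

    # 2. Dual control: two distinct people, one of them in a required finance role.
    if len({a.approver for a in approvals}) < 2:
        problems.append("fewer than two distinct approvers")
    if not any(a.role.lower() in REQUIRED_APPROVER_ROLES for a in approvals):
        problems.append("no approver holds a required finance role")

    # 3. Approvals must not travel over the channel the attacker can read.
    if any(a.channel == "email" for a in approvals):
        problems.append("an approval was given over email")

    return (not problems, problems)


# Constructed sample: the same change request handled three ways.
CHANGE_EMAIL_ONLY = BankDetailChange("Speechrite LLC", "1111", "9999", "email",
                                     number_in_request="+1-555-0199",
                                     verified_via="email")
CHANGE_ATTACKER_NUMBER = BankDetailChange("Speechrite LLC", "1111", "9999", "email",
                                          number_in_request="+1-555-0199",
                                          verified_via="phone",
                                          verified_number="+1-555-0199")
CHANGE_VERIFIED = BankDetailChange("Speechrite LLC", "1111", "9999", "email",
                                   number_in_request="+1-555-0199",
                                   verified_via="phone",
                                   verified_number="+1-555-0100")

APPROVALS_WEAK = [Approval("alice", "CFO", "email"), Approval("alice", "CFO", "email")]
APPROVALS_GOOD = [Approval("alice", "CFO", "phone"), Approval("bob", "AP clerk", "in-person")]

if __name__ == "__main__":
    for label, change, approvals in [("email only", CHANGE_EMAIL_ONLY, APPROVALS_WEAK),
                                     ("attacker number", CHANGE_ATTACKER_NUMBER, APPROVALS_GOOD),
                                     ("verified", CHANGE_VERIFIED, APPROVALS_GOOD)]:
        allowed, problems = release_transfer(change, approvals)
        print(label, "->", "RELEASE" if allowed else "HOLD", problems)
```

The point of the number-on-file check is that the attacker controls everything inside the email, including any callback number; the only trustworthy contact details are those recorded before the request arrived.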
What if you’ve just been hit?
If you should fall victim to this attack, TrustedSec recommends that the first call should be to the bank to request a wire recall reversing the transfer, if possible. The second call should be to law enforcement, the third to the insurance company (if applicable), and the fourth to an Incident Response firm, such as TrustedSec. The FBI also “encourages all individuals who believe they have fallen victim to a scam to report it to the FBI using www.IC3.gov. These reports help the FBI to investigate individuals and groups who are committing these crimes and are essential to the FBI’s investigations.” Certainly, organizations will always want to keep all messages and other evidence from the incident, as these attacks continue to have a pervasive impact. Following these steps and ensuring that as much information as possible is available will improve the likelihood of some form of recompense.
Author: Stephen Marchewitz
Stephen has been in the security and risk industry for over 13 years and in IT for over 20 years. He has assisted companies in driving change to ensure clients are successful both in receiving value from products and services as well as managing the security and compliance risks of new projects and technologies. He’s served as an outsourced Chief Information Security Officer for a dozen different companies and consulted to some of the largest companies in the world. Prior to joining TrustedSec, Stephen was the Global Risk Practice Manager in the Digital Transformation Group at Cisco, President and Advisory Practice Lead for a leading information security firm for nine years, a Management Consultant with Ernst & Young, held Technology Management and sales positions with CA and Oracle, and developed new offerings in the insurance industry as an Underwriter and Program Director with Willis Coroon/Chubb in underwriting risk. He is dedicated to helping customers implement the right solutions and services that best meet their business needs, thus allowing them to achieve new levels of success.