TitanHQ Blog

Spotting fake invoice scams – think twice before you pay that invoice!

Posted by Geraldine Hunt on Mon, Sep 11th, 2017

CEO Fraud is a scam where cybercriminals spoof company email accounts and impersonate executives to try to get an employee in accounting or finance to authorize wire transfers, or send out confidential tax information. These are termed 'Executive Whaling' attacks: sophisticated, hyper-targeted phishing attacks aimed at top executives. Personalization and in-depth knowledge of the executive are the hallmarks of this type of fraud. According to the FBI, these business email compromise scams have accounted for more than $5 billion in losses between October 2013 and December 2016, with more than 24,000 victims reporting incidents worldwide. Would you take the risk of paying an invoice without checking its validity?

Here are some examples of phishing emails that threaten your business:

  • You receive a fishy-looking request to click on a link that is “interesting”. These emails are normally sent to thousands of accounts. Clicking on the link may download malware to your PC that saves information you type into your PC, including usernames and passwords to websites and company applications.
  • You receive an email that appears to be an official communication from your bank. It can include your personal or business name, instructing you to click on a link to complete some urgent task. This link brings up a fake website that looks very much like the bank’s. When you enter username and password, this information is saved by cybercriminals to use later, transferring money from your account.
  • You receive an email from your boss, asking you to execute a wire transfer to a reputable firm.

Hold on, should I be suspicious of that email from my boss? Yes, always think twice before you pay that invoice or transfer funds!

Recent fake invoice scams

Just last year such a scam was attempted at a medium-sized French company called Etna Industrie. The firm, which employs 50 people, was the victim of a specialised email phishing attack dubbed CEO fraud.

According to an interview CEO Carole Gratzmuller gave to the BBC: "My accountant was called on Friday morning. Someone said: 'You're going to get an email from the president, and she's going to give you instructions to conduct a very confidential transaction and you're going to have to respond to whatever instructions she gives you'."

The accountant was then emailed from an address with Ms Gratzmuller's name in it, saying Etna Industrie was buying a company in Cyprus. The email said the accountant was going to get a phone call from a consultant working with a lawyer, who would then give her instructions as to where to transfer the money. "Everything happened between 9 and 10 o'clock," says Ms Gratzmuller. "The accountant probably got about 10 emails in that time and three or four different phone calls."

The fraudsters pressured her into acting quickly, without thinking, a standard feature of this type of phishing fraud. "They didn't give her a moment to sit back and think that this was unusual," she says.

Before noon the accountant had authorised wire transfers totalling €500,000 (£372,000; $542,000) to foreign bank accounts. Luckily for Etna Industrie, three of the wire transfers were held up by the banks, but one for €100,000 went through.

$5 billion lost due to phishing and BEC scams

In a post earlier this year we highlighted the Scoular case as an example of how highly targeted phishing emails can be. The Scoular Co. lost $17.2 million in June 2014 as a result of phishing. Details of the case illuminate some of the warning signs of a phishing attack. Scoular has international business interests, and wire transfers are frequently used. So it did not raise a red flag when Scoular's controller received an email to wire $780,000 to a Chinese bank. The email purportedly was sent by the CEO (it wasn't). The money was to be wired to a real bank, Shanghai Pudong Development Bank. The controller transferred the money.

The next day he received a second email to wire $7 million and to contact his auditing firm for details on sending the money. He then received those details (unsolicited) in an email fashioned to look like it came from the auditors.

One of the emails read, “I need you to take care of this. For the last months we have been working, in coordination and under the supervision of the SEC, on acquiring a Chinese company. ... This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations.”  

The third and final email received three days later requested an additional $9.4 million. During the investigation of the affair, the controller told the FBI that he "'was not suspicious of the three wire transfer requests' because there was an element of truth to all of it". Needless to say, the controller was fired from Scoular.

What went wrong?

Phishers are preying on human nature. They collect information about your business from many sources:

  • Public sources such as the web. Google your business name to see what is available. You may be surprised at the sensitivity of some of the data.
  • People who work or worked for your company or for your vendors or customers. 
  • Your computer network. The phishers or their accomplices may have broken into your network and gathered confidential information.

In the case of Scoular, the phisher knew the name of their auditors and was aware that the company was pursuing interests in China. Phishers tend to start small and then escalate their requests with each success. Their first request in the Scoular case was for $780,000; their last was for $9.7 million.

A phishing attack averted

As reported by Krebs Security, an employee at another company requesting anonymity received an email requesting a wire transfer of $315,000. She thought the amount was higher than normal, and the email sounded more formal than she would expect from her CFO boss. She did a little checking and found that “the message had been sent from a domain name that was one look-alike letter different from her employer’s true domain name”. The account used to send the email was also not the CFO’s. She did not wire the money. This employee still has her job.
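The two things the employee above checked by hand, a sender domain one letter away from the employer's real domain and an executive's name on a message from the wrong address, can be turned into a routine check over the From: header. This is an added example, not code from the original post; TRUE_DOMAIN, the executive names and the sample headers are constructed.

```python
"""Header checks for executive impersonation and look-alike sender domains.

Added example, not code from the TitanHQ post. TRUE_DOMAIN, the executive
names and the sample From: headers below are constructed for illustration.
"""
from email.utils import parseaddr

TRUE_DOMAIN = "example-corp.com"        # constructed: the employer's real domain
EXECUTIVES = {"pat quinn", "sam lee"}   # constructed: display names worth protecting
MAX_DISTANCE = 2                        # one swapped letter, or "rn" standing in for "m"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list:
    """Return the warning signs found in a From: header; an empty list means none.

    A forged header that uses the real domain passes this check unchanged,
    which is why the post also insists on verifying requests out of band.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain != TRUE_DOMAIN and edit_distance(domain, TRUE_DOMAIN) <= MAX_DISTANCE:
        findings.append(f"look-alike domain {domain!r} resembles {TRUE_DOMAIN!r}")
    if name.strip().lower() in EXECUTIVES and domain != TRUE_DOMAIN:
        findings.append(f"executive name {name!r} used from outside domain {domain!r}")
    return findings


if __name__ == "__main__":
    # constructed sample headers: a look-alike domain, the real domain, an unrelated vendor
    for hdr in ("Pat Quinn <pat.quinn@examp1e-corp.com>",
                "Pat Quinn <pat.quinn@example-corp.com>",
                "Accounts Payable <ap@vendor-invoices.example>"):
        print(hdr, "->", check_sender(hdr) or "no warning signs")
```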

How to protect against phishing

Trust your first impressions of the email and consider the following:

  • Are the tone, grammar, and language appropriate for the sender?
  • Does the email sound like it was translated from a foreign language?
  • Does it ask for “urgent” or “immediate” action, particularly involving financial transactions?
  • Does it sound too good to be true? Then it usually is.
  • Does it detail a "Confidential" or "Private" request?
  • Was it sent from an email address that the sender does not usually use? Be aware, however, that the "from" address in an email can be faked. Do not assume that an email is legitimate just because it comes from a known address.
  • Does the email involve foreign companies or individuals?
  • Does the email request confidential business or personal information such as Social Security numbers, bank details, or usernames and passwords?

If the message is suspicious, there are some steps you can take:

  • Do not click on any links in the email.
  • Hover your mouse over any links in the email. If you know what the real links should be, such as for a frequent customer or vendor, compare the real link to the link in the email.
  • Google any companies, individuals, addresses, and phone numbers in the message. Look at more than the official company website; flashy websites can be set up quickly.
  • Do not use “reply” to answer a suspicious email from a known entity. Instead, create a new email and use the address in your address book, not from the received message.
  • Tell other people in your company about the phishing email you received. Knowledge is power!

What is the easiest way to check if an email represents phishing? Use another communication method such as the telephone or snail mail. But do not use the address or telephone numbers in the email. Google the real company website or obtain the real phone number from online white pages or yellow pages. Otherwise, you could be contacting the phishers!

Avoiding phishing in the first place

Phishing attacks aren't just increasing, they're also evolving. Email is the #1 delivery vehicle for most malware (not just ransomware). Use advanced spam and malware protection that includes phishing protection. A solution like SpamTitan will block phishing emails before they reach your network.

In addition, the FBI recommends the following:

  • Businesses should adopt two-step or two-factor authentication for email.
  • Be cautious when posting information about employee activities on your web site or social media. Phishers can comb these sites for information to make their emails appear more real.
  • Put a process in place where multiple approvals are required for overseas wire transfers.
  • Train your employees to be aware of internet safety. 

Training employees to recognize phishing attempts is vitally important, but given the increasing sophistication of targeted phishing attacks, raising awareness alone isn't enough. Companies need to invest in strong anti-spam and anti-phishing security technology that protects their employees.

Try SpamTitan to block these spam and phishing emails from ever reaching your users' inboxes. Sign up for a FREE SpamTitan trial today.
