Spotting fake invoice scams – think twice before you pay that invoice!
CEO Fraud is a scam where cybercriminals spoof company email accounts and impersonate executives to try to get an employee in accounting or finance to authorize wire transfers, or to send out confidential tax information. These are termed 'Executive Whaling' attacks: sophisticated, hyper-targeted phishing attacks aimed at top executives. Personalization and in-depth knowledge of the executive are the hallmarks of this type of fraud. According to the FBI, these business email compromise scams have accounted for more than $5 billion in losses to December 2018, with more than 24,000 victims reporting incidents worldwide. Would you take the risk of paying an invoice without checking its validity?
Here are some examples of phishing emails that threaten your business:
- You receive a fishy-looking request to click on a link that is “interesting”. These emails are normally sent to thousands of accounts. Clicking on the link may download malware to your PC that saves the information you type into your PC, including usernames and passwords to websites and company applications.
- You receive an email that appears to be an official communication from your bank. It can include your personal or business name, instructing you to click on a link to complete some urgent task. This link brings up a fake website that looks very much like the bank's. When you enter your username and password, this information is saved by cybercriminals to use later to transfer money from your account.
- You receive an email from your boss, asking you to execute a wire transfer to a reputable firm.
Hold on, should I be suspicious of that email from my boss? Yes, always think twice before you pay that invoice or transfer funds!
Recent fake invoice scams
- 2019 is likely to see losses increase further as the rate of BEC attacks increases. Last week, Scott County Schools in Kentucky announced that it was the victim of a major BEC attack that resulted in a loss of $3.7 million. This was a typical invoice scam: the school was notified that an invoice was outstanding, and the school duly paid the fake invoice. Once it was established that this was a wire fraud incident, the FBI was contacted and attempts were made to recover the funds. Initially, it was unclear whether it would be possible to recover the money. Just today it was confirmed that the school district in Kentucky recovered the $3.7 million stolen by the hacker in this cyber wire fraud scam. Galloway Township Public Schools, a New Jersey public school district, lost $200,000 in an incident involving a wire transfer scam.
- Another major BEC scam occurred at St. Ambrose Catholic Parish in Brunswick, Ohio. The church was a victim of a BEC attack that resulted in the fraudulent transfer of $1.75 million from the Church’s renovation fund.
- Xoom Corporation is an international payment transfer organization based in the U.S. Xoom reported an incident where spoofed emails were sent to their finance department resulting in the transfer of $30.8 million to scammers.
- Ubiquiti Networks is a wireless networking technology company also based in the U.S. The company reported a BEC attack targeting both general employees and executives. This scam resulted in the transfer of $46.7 million to the scammers' bank accounts.
$5 billion lost due to phishing and BEC scams
Previously we highlighted the Scoular case to show how highly targeted phishing emails can be. The Scoular Co. lost $17.2 million in June 2014 as a result of phishing. Details of the case illuminate some of the warning signs of a phishing attack. Scoular has international business interests, and wire transfers are frequently used. So it did not raise a red flag when Scoular’s controller received an email to wire $780,000 to a Chinese bank. The email purportedly was sent by the CEO (it wasn’t). The money was to be wired to a real bank, Shanghai Pudong Development Bank. The controller transferred the money.
The next day he received a second email to wire $7 million and to contact his auditing firm for details on sending the money. He then received those details (unsolicited) in an email fashioned to look like it came from the auditors.
One of the emails read, “I need you to take care of this. For the last months, we have been working, in coordination and under the supervision of the SEC, on acquiring a Chinese company. ... This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations.”
The third and final email, received three days later, requested an additional $9.4 million. During the investigation of the affair, the controller told the FBI that he “was not suspicious of the three wire transfer requests because there was an element of truth to all of it”. Needless to say, the controller was fired from Scoular.
What went wrong?
Phishers are preying on human nature. They collect information about your business from many sources:
- Public sources such as the web. Google your business name to see what is available. You may be surprised at the sensitivity of some of the data.
- People who work or worked for your company or for your vendors or customers.
- Your computer network. The phishers or their accomplices may have broken into your network and gathered confidential information.
In the case of Scoular, the phisher knew the name of their auditors and was aware that the company was pursuing interests in China. Phishers tend to start small and then escalate their requests with each success. Their first request in the Scoular case was for $780,000; their last was for $9.7 million.
How to protect against a phishing attack
Trust your first impressions of the email and consider the following:
- Are the tone, grammar, and language appropriate for the sender?
- Does the email sound like it was translated from a foreign language?
- Does it ask for “urgent” or “immediate” action, particularly involving financial transactions?
- Does it sound too good to be true? Then it usually is.
- Does it detail a "Confidential" or "Private" request?
- Was it sent from an email address that the sender does not usually use? Be aware, however, that the "from" address in an email can be faked. Do not assume that an email is legitimate just because it comes from a known address.
- Does the email involve foreign companies or individuals?
- Does the email request confidential business or personal information such as Social Security numbers, bank details, or usernames and passwords?
If the message is suspicious, there are some steps you can take:
- Do not click on any links in the email.
- Hover your mouse over any links in the email. If you know what the real links should be, such as for a frequent customer or vendor, compare the real link to the link in the email.
- Google any companies, individuals, addresses, and phone numbers in the message. Look at more than the official company website; flashy websites can be set up quickly.
- Do not use “reply” to answer a suspicious email from a known entity. Instead, create a new email and use the address in your address book, not from the received message.
- Tell other people in your company about the phishing email you received. Knowledge is power!
What is the easiest way to check if an email represents phishing? Use another communication method such as the telephone or snail mail. But do not use the address or telephone numbers in the email. Google the real company website or obtain the real phone number from online white pages or yellow pages. Otherwise, you could be contacting the phishers!
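The checklist above can be turned into a simple triage script. The following is an added example (not SpamTitan's code or anything from the original post) that scores a raw email against the red flags just listed: an executive's name on an address outside the company domain, a Reply-To that redirects the conversation elsewhere, urgency, money and secrecy wording, and a link whose visible text differs from where it really points (the "hover over the link" check). The sample message, the company domain and the executive name list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real one): a BEC-style wire transfer request.
SAMPLE = """From: "Jane Doe, CEO" <jane.doe@example-corp-mail.com>
Reply-To: ceo.office@freemail.example
To: controller@example-corp.com
Subject: URGENT - confidential wire transfer
Content-Type: text/html

<p>Please process this wire transfer today. This is very sensitive, so
only communicate with me through this email.</p>
<p>Invoice: <a href="http://pay.example.net/inv">https://vendor.example.com/invoice</a></p>
"""

INTERNAL_DOMAIN = "example-corp.com"   # assumed: your own mail domain
EXECUTIVES = {"jane doe"}              # assumed: names a phisher might impersonate
URGENCY = re.compile(r"\b(urgent|immediate|today)\b", re.I)
MONEY = re.compile(r"\b(wire|transfer|invoice|payment)\b", re.I)
SECRECY = re.compile(r"\b(confidential|private|sensitive)\b", re.I)
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
def host_of(url):
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()

def score_message(raw):
    """Return (score, reasons) for the red flags above; higher means more suspicious."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()
    text = msg.get("Subject", "") + " " + body
    reasons = []
    # Executive display name, but the address is not on the company's own domain
    if any(e in name.lower() for e in EXECUTIVES) and domain_of(addr) != INTERNAL_DOMAIN:
        reasons.append("executive name on external address")
    # Reply-To quietly moves the conversation to a different domain
    if reply and domain_of(reply) != domain_of(addr):
        reasons.append("reply-to domain differs from from domain")
    for label, pat in (("urgency", URGENCY), ("money", MONEY), ("secrecy", SECRECY)):
        if pat.search(text):
            reasons.append(label + " language")
    # "Hover over the link": visible URL text points somewhere other than the href
    for href, shown in ANCHOR.findall(body):
        if shown.strip().lower().startswith("http") and host_of(shown) != host_of(href):
            reasons.append("link text %s hides %s" % (host_of(shown), host_of(href)))
    return len(reasons), reasons
```

A real deployment would feed this from the mail gateway and route anything with a non-zero score to a human reviewer rather than auto-blocking, since any single flag can occur in legitimate mail.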
Avoiding phishing in the first place
Phishing attacks aren't just increasing, they're evolving. Email is the #1 delivery vehicle for most malware (not just ransomware). Use advanced spam and malware protection that provides phishing protection. A solution like SpamTitan will block phishing emails before they reach your network.
In addition, the FBI recommends the following:
- Businesses should adopt two-step or two-factor authentication for email.
- Be cautious when posting information about employee activities on your web site or social media. Phishers can comb these sites for information to make their emails appear more real.
- Put a process in place where multiple approvals are required for overseas wire transfers.
- Train your employees to be aware of internet safety.
Training employees to recognize phishing attempts is vitally important, but thanks to the increasing sophistication of targeted phishing attacks, raising awareness alone isn't enough. Companies need to invest in strong anti-spam and anti-phishing security technology that protects their employees.
Due to the sophisticated nature of advanced persistent threats via email, SpamTitan’s latest release now includes a sandboxing feature and anti-spoofing layers. SpamTitan sandboxing protects against breaches and data loss from zero-day threats and sophisticated email attacks by providing a powerful environment to run in-depth, sophisticated analysis of unknown or suspicious programs and files. SpamTitan sandboxing will protect against malware, spear-phishing, advanced persistent threats (APTs) and malicious URLs, offering insight into new threats and helping mitigate risks.