July 2, 2019 By PC Portal

From the BH Consulting archives: fake invoicing scams are a constant security risk

Trawling through archives can quickly turn bittersweet when it hits home how little has changed between past and present. Looking back through the posts on BHconsulting.ie, invoice redirect scams have featured regularly since 2015. Fast forward to 2019: An Garda Siochana warned that this fraud cost Irish businesses almost €4.5 million this year. The global costs are even more sobering – but more of that later.

Back in 2015, we reported the Irish Central Bank was fleeced to the tune of €32,000. This fraud was a growing trend even then. Our blog quoted Brian Honan’s Twitter account: “Looks like a fake invoice scam we’ve seen with other clients”. The same post also referred to Ryanair, which was duped around the same time and reportedly lost around €4.5 million.

The impersonation game

Scams like this have many names, like CEO fraud, invoice redirection fraud, or business email compromise. Preventing them from being successful is about knowing how they work and spotting potential red flags. Brian blogged about this in December 2015, detailing scammers’ steps when executing CEO fraud and fake invoicing tricks.

“The premise of the attack is the criminals impersonate the CEO, or other senior manager, in an organisation (note some attacks impersonate a supplier to the targeted company). The criminals may do this by either hijacking the email account of the CEO or setting up fake email accounts to impersonate the CEO.”

Next, criminals send an email seeming to come from the CEO to a staff member with access to the company’s financial systems. The email will request that payment be made to a new supplier into a bank account under the criminals’ control. Alternatively, the email may claim the banking details for an existing supplier have changed and will request payments into a new bank account under the criminals’ control.

Video to beat the scam

In February 2017, we blogged about an educational video that Barclays Bank developed to raise awareness of fake invoicing and similar online scams.

Later that same year, we covered the issue again, twice in quick succession. The first of these posts, in August 2017, noted how legitimate email senders do themselves no favours by composing messages that “practically begged to be treated” as fakes. A genuine email from a large insurer was so poorly composed that it would have raised suspicion with anyone who’d been paying attention during security awareness training.

The process problem

Now we’re getting to the heart of the problem. Call it what you want, but this scam is a people and process failure. That was our conclusion from another post in August 2017, after news emerged of yet another victim in Ireland. “The effectiveness of an email scam like CEO fraud relies on one person in the target organisation having the means and the opportunity to make payments. It’s not a security problem that technology alone can fix.”

In the same blog, we noted how the FBI has been tracking this scam since 2013. The agency put collective losses between then and August 2017 at an eye-watering $5 billion. As we blogged then, ways to fix this issue don’t necessarily need to involve technical controls. For example, companies could make it compulsory to have a second signatory whenever they need to make payments over the value of a certain amount.

The risk of these frauds goes beyond just commercial businesses. As we noted in a blog from October 2017, local public sector authorities are also potential victims. The post referred to Meath County Council, which had €4.3 million stolen from it in a dummy invoice fraud.

Staying ahead of the fraudsters

Our August blog included FBI special agent Martin Licciardo’s very practical advice: “The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.”

This brings us neatly back to 2015, where we provided similar advice to avoid falling victim to fake invoice scams. The steps include:

  • Ensure staff use secure and unique passwords for accessing their email
  • Ensure staff regularly change their passwords for their email accounts
  • Where possible, implement two factor authentication to access email accounts, particularly when accessing web-based email accounts
  • Have agreed procedures on how requests for payments can be made and how those requests are authorised. Consider using alternative means of communication, such as a phone call to trusted numbers, to confirm any requests received via email
  • Be suspicious of any emails requesting payments urgently or requiring secrecy
  • Implement technical controls to detect and block email phishing, spam, or spoofed emails
  • Update computers, smartphones, and tablets with the latest software and install up-to-date and effective anti-virus software. Criminals will look to compromise devices with malicious software in order to steal the login credentials for accounts such as email accounts
  • Provide effective security awareness training for staff.

The post From the BH Consulting archives: fake invoicing scams are a constant security risk appeared first on BH Consulting.

Filed Under: Brian Honan, Fraud, IT Security, spam Tagged With: Security, Security Awareness, syndicated

February 26, 2019 By PC Portal

More cod than phishing: why business email compromise is a bigger risk than you think

Email scams and social engineering attacks are a huge security risk. When we describe security incidents that involve criminals scamming individuals or businesses out of money, security professionals often use terms like “CEO fraud”, “fake boss scams”, or “impersonation fraud” and “business email compromise” interchangeably for convenience. But there’s a case for treating business email compromise as a specific threat that deserves special attention.

Let’s put this into context. Phishing scams in general, and CEO fraud in particular, have the same goals: to convince you that the sender is genuine and then to trick you into doing something they want. Wombat Security’s State of the Phish 2019 report showed the scale of the risk. It surveyed almost 15,000 infosec professionals and found that almost all said the rate of phishing email incidents grew or stayed the same as last year. Last year, 83 per cent said they experienced phishing, up from 76 per cent in 2017.

The Wombat report said that attacks have one of three impacts on victims: credential compromise, malware infections and data loss. Credential compromise increased by more than 70 per cent since 2017, becoming the most commonly experienced impact in 2018. As Wombat noted, this is worrying because multiple services often sit behind a single password. Reports of data loss grew more than threefold since 2016. All three impacts have grown since 2016.

Won’t get fooled again

After analysing over a billion emails daily, Proofpoint concluded that attackers increasingly focus attention on people, rather than technical defences. “Attackers are adept at exploiting our natural curiosity, desire to be helpful, love of a good bargain, and even our time constraints to persuade us to click,” its report said.

Before scammers get to the serious business of extracting our money or making us download malware, scam emails have to pass the smell test by seeming legitimate (if it smells of ‘phish’ it probably is a ‘phish’). Most of them do this with simple spoofing techniques. They might involve misspelling the company name in a fake email domain or amending the email address slightly so it appears normal but is sent somewhere else. These tricks rely on people being so busy that they don’t spot the difference. The fake just needs to be good enough to fool the naked eye, and maybe also be smart enough to get past a basic email gateway.
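As an added illustration (not code from the original post), the following Python sketch checks an email From: header for the lookalike tricks just described: a misspelled supplier domain, a digit-for-letter substitution, or a display name that claims a trusted organisation while the address points elsewhere. The trusted domain list and the heuristics are assumptions for this example.

```python
import re
from email.utils import parseaddr

# Constructed list of domains the finance team accepts payment instructions
# from (an assumption for this example, not from the original post).
TRUSTED_DOMAINS = {"acmesupplies.com", "bhconsulting.ie"}

# Character swaps commonly used to build a lookalike domain (heuristic only).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Fold common lookalike substitutions so 'bhc0nsulting.ie' reads as 'bhconsulting.ie'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one-letter misspellings such as 'bhconsultng.ie'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_red_flags(from_header: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the reasons a From: header should be verified out of band (empty = none)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in trusted:
        return []  # exact match with a known supplier: nothing to flag here
    flags = []
    for real in trusted:
        if normalise(domain) == real:
            flags.append(f"homoglyph lookalike of {real}")
        elif edit_distance(domain, real) <= 1:
            flags.append(f"misspelling of {real}")
        # Display name names the trusted organisation but the address does not.
        org = real.split(".")[0]
        if org in re.sub(r"\W", "", name.lower()):
            flags.append(f"display name mentions {org} but domain is {domain}")
    return flags
```

A mail gateway rule of this kind is a supplement to, not a substitute for, the out-of-band phone check the post recommends for any change of bank details.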

But here’s where I believe there’s a distinction with business email compromise that many people are missing. Email spoofing is one thing, but what if an attacker actually took control of your email account? Think about the impact of that for a moment. An email account is the source of so much data about a person that it’s the proverbial keys to the kingdom.

Email has all the trappings of how we “speak” virtually to our contacts, from introductions (“Dear valued customer”), to signoffs (“Best wishes, Dave”). That’s a goldmine for any attacker who wants a foolproof way of impersonating someone and copying their style and email writing tone. From a business point of view, an email account will have contact details for clients and colleagues ready to hand.

A day in the life

Think of the potential damage to business relationships. How long would it take to send damaging emails to destroy your credibility, your career, or even your company? The attacker is no longer just impersonating you – as far as the email proves, they are you. And you, as the victim, might not even realise you’ve been compromised right away. An attacker who takes over your account could send stealthy emails to a manager or customer and then delete all traces of it from the ‘sent items’ folder. Imagine if they found an old message with company product plans or sales prospects; where might that end up?

And that’s not all; think for a moment how much information your email account has on all of your other activities, from utility bills to records of purchases. Email’s tentacles reach into so many parts of our digital lives.

For just about every online service we use, where do all the password resets go? That’s right, to your email account.

Password honey pot

There are two misconceptions to put right here. We might not fully value the security of our email account. We might also mistakenly assume that someone else is looking after it and keeping it secure – especially in these days of cloud services. But you know what they say about assumptions! For individual accounts, changing to a strong password, passphrase, or better yet multi-factor authentication (where something like a text message can be used to authenticate your access), will at least strengthen the protection.

In my experience, many companies just use cloud-based email with default settings. Instead, they should tailor the level of security to their risk. The potential impact from true business email compromise is so damaging that there is a strong argument for making companies focus attention on protecting their email above all other systems. There are plenty of security controls to help do this, from two-factor authentication to data loss prevention, and security awareness training. An attacker only has to get lucky once, as the old security saying goes. And if one finds their way in, you might as well switch off the lights on your way out.

The post More cod than phishing: why business email compromise is a bigger risk than you think appeared first on BH Consulting.

Filed Under: Fraud, IT Security, spam Tagged With: Identity Theft, phishing, Security, Security Awareness, syndicated

Copyright © 2021 · PC PORTAL