NetSafe routinely receives reports from New Zealand companies about fake or spoofed email requests for payments to be made to bank accounts or via money transfer services. Often these requests can be accompanied by fake or modified invoices from known suppliers.
The volume of these business email scam reports has increased over the last 18 months with three different common formats becoming known as ‘Business Email Compromise’ (BEC).
The scam can affect any size business that handles ordering, invoicing and payment requests via email and where staff may make assumptions about the identity and authenticity of requests received.
Messages can be of a random nature, sent out en masse as part of a large spam mailing or can form part of a well crafted social engineering campaign to extract money after attackers have ‘footprinted’ an organisation, gleaning useful information from websites, compromised email accounts or from social media sites including staff profiles on LinkedIn.
A determined attacker may also attempt to identify staff by phone, asking to speak with an individual or attempting to confirm name, email address or sometimes job title claiming that they are working for an IT support business or another well known company. When asked what the purpose is, they won’t give any information such as their own phone number, name or where they are ringing from.
How does business email compromise work?
In some cases, cybercriminals may target an organisation and look for information that identifies accounts staff and business executives, perhaps on a public website. They may send messages pretending to be a manager and demanding an urgent payment be sent whilst they are overseas or requesting a transaction be kept confidential.
They may take the time to compromise a business email account and read the contents to make their own messages look authentic. Alternatively, the attackers may choose to register a new domain name as close to the business name as possible to increase the chance of an email being taken as genuine. For example:
- a manufacturing business website exists at www.bestkiwi-widgets.co.nz;
- emails can be sent to staff in the format firstname.lastname@example.org;
- the website lists the general manager as Bob Smith and accounts director as Steve Jones;
- the scammers register the new domain name bestkiwi-widgets-nz.co.nz and send Steve emails that appear to come from Bob.
The US-based Internet Crime Complaint Centre (IC3) – which recorded more than $200m lost to this scam across the world in 2013 – has identified three main forms to watch out for:
1. Modified invoices from a genuine supplier
A business has existing relationships with trusted overseas suppliers and arranges the purchase of goods and services over email with invoices being sent as attachments. The company finds the bank account details have changed on the latest invoice and pays funds across to this new bank account only to discover days or weeks later that the account was set up by a criminal after emails were intercepted.
The email with the invoice often looks legitimate and may even have been sent from the supplier’s genuine email domain (@overseas-kiwi-supplier.com). The scammer may have copied previous emails and used similar language and names to reassure the customer that nothing is up.
Example incident: Hacker attack costs $25,000
2. CEO or executive fraud after email compromise
In this version of the scam, an executive’s email account is hacked or their account spoofed (as per the new domain name example above) and used to send requests direct to an employee in charge of payments or accounts. The email may request an urgent payment is made to an NZ or international account or for funds to be sent via money transfer.
Again, if the legitimate email account has been compromised, the scammer may take steps to make the email match with past requests and use similar nicknames or greetings.
Example incident: Kiwi businesses warned of internal email scam
3. Fake invoices are sent to business customers
In this version of the scam – the reverse of type 1 – a business’s email account is hacked and used to send fake invoices out to customers urging payments are to now be sent sent to a new bank account, usually set up overseas. Once the account has been comprised, the attackers may target contact lists or trawl through the sent box to find documents to modify and send out.
Example incident: Hackers intercept NZ taxidermy company’s invoices, trick clients
These kinds of scams can cause financial harm to companies both within New Zealand and overseas and may result in lost orders and damaged business relationships where customers and suppliers struggle to confirm where systems have been compromised and who is to blame.
How to prevent business email compromise
Attackers may monitor hacked email accounts and wait until a staff member is away on holiday or overseas on business before sending fake payment requests. This can make it harder to confirm if a payment request is genuine if an executive cannot be reached by phone or txt.
It is essential that any new bank account information is confirmed through a different communication channel, i.e. if the request comes through email, confirm the transaction and payment details via phone or text message with the staff member or supplier.
Putting good payment handling policies in place and taking the time to confirm any request makes it more likely that fraudulent transfer attempts will be spotted.
If a customer contacts your business about an invoice sent with new bank details, take the time to gather information that may identify a hacked account and alert other customers as soon as you can if you believe a scammer is sending out modified invoices.
Take steps to validate the identity and legitimacy of the sender of any new or suspicious payment request – it’s believed that fraudsters rely on human flaws such as the desire to help or a lack of awareness, training and proper internal systems and policies to succeed.
- Be cautious when you receive emails requesting urgent or confidential action must be taken;
- Examine email sender details carefully, watching for similar domain names or characters that have been swapped for other letters;
- Forward email responses instead of hitting ‘reply’ so you can type out the genuine email address for a supplier you communicate with;
- Ensure staff handling payments are trained to recognise suspicious emails;
- Put in place a ‘two man rule’ around signing off transactions and set transfer thresholds;
- Confirm new invoice details with suppliers using a phone number known to you, not the one on a suspicious invoice;
Businesses should also build good cyber security practices into their day to day operations to protect email accounts from hacking and to prevent malicious attachments and ransomware from comprising computers.
If you find a business email account has been hacked look for hidden folders and filters set up to auto-forward messages out to another email address still operated by a scammer. Messages sent whilst the account was compromised may have been deleted from sent folders and trash.
Paid a fake invoice? How to report business email compromise
These kinds of attacks can be difficult to trace as the scammers can hide their activity or be based overseas making investigation by NZ Police complex and time consuming.
If you or your company have paid money following receipt of a fake or spoofed invoice then contact your bank immediately for assistance.
Where payments have been sent to an NZ bank account, it is possible that the person receiving the funds has been recruited as a’money mule’ and is unwittingly transferring funds offshore.
If you or your customers are receiving spoofed emails or if your company has paid money following receipt of a fake invoice you can report a computer systems attack to NetSafe online.
Reporting incidents means NetSafe can spot patterns and take steps to warn government and law enforcement partners and other companies via the media.
MORE ADVICE AND INFORMATION
- Contact NetSafe if you’d like further help on 0508 NETSAFE or email@example.com
- There is more information and advice on mitigating email scam risks published by the US Financial Services Information Sharing and Analysis Center (PDF) and the Federal Bureau of Investigation.
- This UK article on business email compromise suggests companies avoid free email services and look for an email platform or provider that offers email authentication options – such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and Domain-based Message Authentication, Reporting & Conformance (DMARC) – to reduce email spoofing or alternatively use digital certificates to sign communications with key contacts.