Work In Finance? Time To Say Hello to This Latest Scam (If You Haven't Already)
15 November 2017 00:00
There's a wave of new phishing campaigns doing the rounds, this time focusing on targets in finance departments. Here's how to spot and avoid this ultra-personalised attack - the fake invoice scam.
What is the fake invoice scam?
We’ve all received our fair share of dodgy scams in the past. From unsolicited calls to fraudulent emails, many of us become sceptical when faced with requests or queries regarding our finances, and rightfully so. But for those who work in finance, these scams become much more tricky to avoid - and that’s exactly what the financial industry is learning with the recent wave of fake invoice attachment scams.
These attacks target organisations' finance departments with social engineering and employee phishing campaigns designed to trick people into downloading threats such as credential-harvesting malware.
How does it work?
When working in finance, you or your team are guaranteed to be inundated with invoices and monetary requests, to the point where focus and security standards gradually start to slip - and that's exactly what cyber criminals are banking on.
The victim will firstly receive an email that usually requests action on an invoice. But these emails don’t rely on the typical phishing approach of ‘spray and pray’. Instead, they are specially crafted to look like a legitimate request from a person the recipient knows or trusts.
The email will often contain a link or attachment relating to whatever the email is requesting. In many cases, these emails ask for the payment of an invoice, or even plant the idea that the target has lost money. The key for cyber criminals using this type of attack is to create urgency and panic in their unsuspecting victim.
Once the unlucky target has clicked a link or attachment in the email, it's all downhill from there. In some cases, people who have fallen for the scam have downloaded the 'invoice' - only to be left with a malware infection. These can range from a subtle trojan infection to a not-so-subtle ransomware attack.
What do they look like?
The example below gives you a perfect insight into just how cunning and sophisticated these attacks are. The target here is being asked to reply to a query about the payment status of an invoice.
The attacker has included the victim's name along with an invoice number - pretty authentic looking, right? That's exactly why these scams work on finance professionals, who usually have to deal with a daily influx of identical-looking emails.
How has the fake invoice scam affected businesses so far?
Many businesses have already been affected by these sorts of fake invoice scams. Impersonation is a proven tactic that criminals regularly use to lure victims into believing that they are acting on an important message, when really, this couldn't be further from the truth.
In the US, huge figures have been released on the financial losses suffered by businesses as a result of fake invoice phishing emails. Those figures? Well, they roughly equate to $5bn worth of losses in four years. Some of the main losses have come when cyber criminals have used business email compromise (otherwise known as BEC or 'Whaling' - which you can learn more about here).
Even the big boys, Facebook and Google, have lost a ton of money due to the scam. This year, the Justice Department announced the arrest of a man who allegedly swindled more than $100m from the two tech giants.
But these cyber criminals don't discriminate on who they target. After all, the NHS had to notify its staff of fake invoice scams regarding their equipment, even after the already hugely damaging WannaCry outbreak. The point is - these cyber criminals don't mind what type of business or organisation they target, as long as financial gain is the result.
How can you safeguard your business from it?
Technology isn't enough to stop all phishing emails. Plenty of threats still filter through, especially when they're as targeted and personalised as the fake invoice attachment scam. So when these emails do reach the end user, only education and awareness can provide that much-needed barrier between compromise and reporting the attack.
Education and security awareness need to be focused on a range of topics to help protect against this threat. For instance, one of the main sources of information on victims is their social media accounts. Employees often add contacts they have never met - and these people then have access to a wealth of information that can be used for pretexting and social engineering.
Secondly (and most importantly), employees should know how to spot a phishing email - even the most sophisticated ones. Fake invoice attachments might be hard to spot, but there are always steps that can be taken to minimise these risks.
Educating users with security-focused eLearning modules is a great way to give them the sort of knowledge and awareness that is needed to report these threats. Feel free to take a look at how we combat the lack of education here, or phish some of your users for free to find out their current awareness level.