A large proportion of cyber crime relates to mandate/invoice fraud. In particular, where either a business or their customer relies on cloud (eg Exchange Online) or web-based e-mail (eg Gmail, Hotmail, Yahoo), criminals are increasingly able to compromise accounts and then “watch” e-mail threads – waiting for the exact moment to insert themselves into the dialogue with their invoice, or a change of banking details.
Unfortunately, this can be all too easy for them to achieve. If your business uses one of these technologies, then your mailbox is typically protected from absolutely anybody on the internet by one single default factor – the username/password combination. Passwords can be guessed, and, of course, employees will use the same passwords in their personal life as they do at work. They may also use their work e-mail to sign up for other accounts, using that very same password. As a result, that big data breach you heard about last week on the news very probably contained a whole bucket load of credentials that could be used to log in to business e-mail accounts, often without any further hard work on the part of the criminal.
There are a couple of straightforward, inexpensive tips you can follow to make your e-mail account more resilient to compromise.
The first (and most important) is to follow National Cyber Security Centre guidance on creating strong passwords – use “three random words”, and make sure your e-mail account has a password that is not used anywhere else. If you have more than one e-mail account (eg work and home) make sure they have different passwords.
The next suggestion is to switch on two factor authentication (2FA). “What is this arcane technical mumbo jumbo that sounds expensive and very difficult to comprehend?”, I hear you cry. Well, actually it is neither of those two things, and you’ve probably used it in some form before without realising (using your bank card and PIN to withdraw money from an ATM is actually an example of 2FA!). With your e-mail account, the most common (and probably cheapest) 2FA available to you will be authentication via a code delivered to your mobile phone by SMS (text message), or an app that you “verify” and bind to your mobile phone which generates codes. It’s not difficult to set up – most providers will have step-by-step instructions on how to do so. Once you’ve got it running, when someone tries to log in to your e-mail account with username and password from a device that isn’t recognised, they will also need to provide the code. If they don’t have your phone, or access to it, that’s going to be pretty tricky. Like all cyber security technologies, it isn’t 100% foolproof, but it will raise the difficulty/effort bar for a significant percentage of criminals that are trying to attack your business – perhaps enough to make them give up and try someone else.
If your e-mail platform doesn’t support 2FA in some form, then it is time to switch platform. I have lost count of the number of business victims I have spoken to where simply using 2FA would probably have prevented them, or in most cases, somewhat embarrassingly, their customer, becoming a victim of invoice fraud. Financial losses in some cases ran to six figures. If your business is routinely handling single invoices of this size and the only thing between your email account and the internet is your password, then I fully expect you might become a victim at some point in the future. (You can find a great site which shows you how to switch on 2FA on several common apps, not just e-mail, here.)
If you’re reading this article because you or your customer has already been a victim, or you’d like some more advice on checking for ongoing invoice fraud, and other considerations relating to the impact, read on….
In this section, we are going to look at some examples of the tricks that the criminals might use once they are inside your e-mail account. For that reason, I am going to start speaking about some make-believe, legitimate e-mail accounts – email@example.com, firstname.lastname@example.org, and email@example.com.
If your business uses webmail, like GMail, Hotmail or Yahoo, then your e-mail is represented in our examples by firstname.lastname@example.org. This should typically only apply to a (very) small business or sole trader. If you’re not a small business/sole trader and you are using free webmail as your provider, you should consider getting your own domain, for reasons which should become clear.
If your business has its own domain which appears in your e-mail, then you will be represented in our examples by email@example.com.
Yourcustomer@email.com represents, you guessed it, your customer. They could have any kind of e-mail platform you like. You’re doing business with them. You’ve sent e-mails back and forth about the scope of the work/product they want from you. You have agreed a price, and a date for delivery of the work/product. You’ve reached a point in the dialogue where you’re ready to send them an invoice, and they are ready to pay it….
The scene is set. Now let’s run through the scenarios that I have seen played out so many times…
Customer business e-mail has been compromised.
Criminals gained access to firstname.lastname@example.org some time ago. They’ve set rules in the account to forward every piece of e-mail to them since they gained access, or to put them in a hidden folder within your e-mail account (this may be why you don’t receive any e-mails once you change the password on a compromised account). They’ve watched with interest as your business dialogue develops. They wait for the right time to strike – maybe you’ve sent the real invoice and they delete it before it gets seen, sending their own instead. Your customer, expecting your invoice, pays it. Once they realise it is a scam and contact the bank, it’s too late, the money is gone. The bank refuses to refund them, because they’ve acted on a direct customer instruction to transfer the money.
So you might be thinking, well, in this scenario they didn’t get into my e-mail, so it’s not really my problem. Wrong!
If you’re using webmail (email@example.com), then it’s highly probable that in order to make their attack more convincing, they’ve used the same free e-mail platform as you, and just chosen a slight variation of your address to send their fake invoice. So they might have created an account called firstname.lastname@example.org for example. There is a virtually unlimited number of (free) combinations using “yourbusiness” that they can use.
Your customer (even though they might not blame your business) will possibly talk about the incident in their network, which may include others who might be future customers. The credibility of your business is going to get dragged through the mud (particularly if more than one customer is affected) and future (or existing) customers might be put off doing business with you because they don’t know which version of “yourbusiness” @email.com is trustworthy. If you had a domain, and were sending email as email@example.com, you’d at least create a small financial hurdle for the criminal, as they’d also need to buy a domain and e-mail hosting to make their attack more convincing (or rely on their victim not checking e-mail headers at all). By creating even a small financial hurdle, you’ve just screened out a significant number of your wannabe attackers!
If you’re smugly thinking to yourself “I have a domain, so in this scenario I’m golden!”, wrong again, I’m afraid. This means that the criminal very probably wasn’t put off by the small financial hurdle, and created their own domain. It’s very probably almost exactly the same as yours, varying by a single character. This is called typo-squatting. Maybe they sent their fake invoice from firstname.lastname@example.org – the difference is so subtle your customer probably wouldn’t notice even if they checked the header. You’ve now got a rogue domain that is capable of posing as you, and can cause you just as much reputational damage as those using webmail. Because you’re probably a larger business than those guys, you’re probably going to feel it more, and it will be more difficult to reclaim your “brand”.
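The single-character and look-alike domains described above can be caught mechanically before an invoice is trusted. The following is an added example (not code from the original article) that compares the domain of an incoming sender against the domain the business actually owns; the homoglyph table and the `yourbusiness` domains are assumptions constructed for the example.

```python
# Visually similar sequences attackers substitute in look-alike domains.
# This table is an assumption for the example, not an exhaustive list.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "5": "s"}


def normalise(domain: str) -> str:
    """Collapse look-alike sequences so 'y0urbusiness' compares equal to 'yourbusiness'."""
    domain = domain.lower()
    for glyph, canonical in HOMOGLYPHS.items():
        domain = domain.replace(glyph, canonical)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_verdict(sender_domain: str, legit_domain: str) -> str:
    """Classify the sender's domain against the domain the business really uses."""
    sender, legit = sender_domain.lower(), legit_domain.lower()
    if sender == legit:
        return "legitimate"
    if normalise(sender) == normalise(legit):
        return "homoglyph"          # e.g. y0urbusiness.com
    if edit_distance(sender, legit) <= 1:
        return "typosquat"          # e.g. yourbusines.com (one character off)
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample senders checked against the domain the business owns.
    for candidate in ("yourbusiness.com", "y0urbusiness.com",
                      "yourbusines.com", "yourcustomer.com"):
        print(f"{candidate:20} -> {lookalike_verdict(candidate, 'yourbusiness.com')}")
```

Anything other than "legitimate" is a reason to pick up the phone and confirm the invoice through a number you already hold, not one printed in the e-mail.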
In both instances, if you’ve just left it to your customer to deal with, how much effort do you think that they are going to put into getting the “rogue” e-mail account or domain shut down? (Clue: this can typically be quantified in zeros without using any other numbers.) You need to get a police reference number (from Action Fraud) and start the “Report Abuse” procedure with the respective domain host or webmail provider for the fake account to get it shut down. Prepare yourself. It can be a long journey. You may need to get the legal eagles on the case.
Coming up…. what happens when it is your e-mail that has been compromised? Read on if you dare…..
My business e-mail was compromised
As we saw earlier, even if the customer e-mail was the one compromised, you’ve still got a problem, but if it was your e-mail that got compromised, you’re definitely in a worse situation.
The reputational damage alone is intense – you’ve got to confess to the customer (even if they questioned the invoice, perhaps due to an account change, and no money was lost) that you’ve been compromised. Worse still is if they paid; technically, they are going to be the ones facing the financial loss, but since you’re the source of the problem, are they going to trust you moving forwards? Remember, they also haven’t actually paid you for the real invoice yet. Can they still afford to, or are they even inclined to? You might have already shelled out for materials and so on. You might have to consider doing the job for free by way of an apology.
I also don’t think we are far away from a world where formerly friendly businesses begin regularly suing each other for financial loss that has been incurred due to lax cyber security at the other end of an e-mail chain.
If you’re lucky enough to be reading this article out of interest, think how you would handle this scenario. Make a plan now, so that you aren’t floundering if/when it happens. Make plans about how you’d cope with various different cyber security incidents. It’s a really good idea.
I mentioned earlier two ways that will significantly reduce your risk of ending up here: strong, unique passwords and 2FA. But if you’ve ended up here regardless, you’re going to need to check a few more things other than reputational damage.
One of the first things you <might> have done upon learning this had happened is to change your e-mail/account password. It’s definitely something you <should> do. But you need to start thinking about what else the criminal might have got up to. If they’ve breached your e-mail account, they’ve potentially had access to absolutely every single thing that has passed through it – and maybe they still do, even if you changed your password! Check your e-mail settings (look for “rules”, typically near “out of office”) to ensure that copies of all your e-mail aren’t being forwarded outside the organisation, or to a disguised folder within the e-mail account.
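The rules check above can be done systematically rather than by eye. This added example (not part of the original article) runs over a constructed list of mailbox rules and flags the three patterns the article describes: forwarding outside the organisation, filing mail into a folder nobody opens, and deleting finance-related mail. The rule field names, the folder list and the `yourbusiness.example` domain are assumptions for the example, not any provider’s real export format.

```python
# Constructed sample of exported mailbox rules. The schema is an assumption for
# this example; map your provider's export onto these fields before running it.
SAMPLE_RULES = [
    {"name": "Invoices", "conditions": {"subject_contains": ["invoice", "payment"]},
     "actions": {"forward_to": ["acct-review@freemail.example"], "delete": False, "move_to": None}},
    {"name": ".", "conditions": {"from_contains": ["yourcustomer"]},
     "actions": {"forward_to": [], "delete": False, "move_to": "RSS Subscriptions"}},
    {"name": "Remittances", "conditions": {"subject_contains": ["remittance"]},
     "actions": {"forward_to": [], "delete": True, "move_to": None}},
    {"name": "Newsletter filing", "conditions": {"subject_contains": ["newsletter"]},
     "actions": {"forward_to": [], "delete": False, "move_to": "Newsletters"}},
    {"name": "Internal copy", "conditions": {},
     "actions": {"forward_to": ["finance@yourbusiness.example"], "delete": False, "move_to": None}},
]

# Words that mark a rule as touching money; folders users rarely look in.
FINANCE_WORDS = {"invoice", "payment", "bank", "remittance", "transfer"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email",
                  "archive", "conversation history"}


def is_external(address: str, org_domain: str) -> bool:
    """True if the address is not on the organisation's own domain."""
    return not address.lower().endswith("@" + org_domain.lower())


def audit_rules(rules: list, org_domain: str) -> list:
    """Return (rule name, reason) pairs for every rule worth a second look."""
    findings = []
    for rule in rules:
        acts = rule["actions"]
        condition_text = " ".join(v for vals in rule["conditions"].values() for v in vals).lower()
        external = [a for a in acts["forward_to"] if is_external(a, org_domain)]
        if external:
            findings.append((rule["name"], "forwards mail outside the organisation to " + ", ".join(external)))
        if acts["move_to"] and acts["move_to"].lower() in HIDING_FOLDERS:
            findings.append((rule["name"], "moves mail to a folder users rarely open: " + acts["move_to"]))
        if acts["delete"] and any(word in condition_text for word in FINANCE_WORDS):
            findings.append((rule["name"], "deletes finance-related mail"))
        if rule["name"].strip(" .,-_") == "":
            findings.append((rule["name"], "rule name is blank or punctuation only"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES, "yourbusiness.example"):
        print(f"rule {name!r}: {reason}")
```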
If you’ve got evidence of any exfiltration, you’re going to have to start thinking about what other information has gone out. If all your e-mail was being forwarded out of the business, what else might have been in there? Details of other customers, business transactions (think potential new targets), or <gulp> personally identifiable information? If it’s the latter, those four dreaded letters are upon you: GDPR. You’ve got a statutory obligation to notify the Information Commissioner’s Office within 72 hours. There is a chance they might decide to fine you for the breach, but if you know you’ve been breached and don’t report it, it’s going to be worse. Bear in mind it’s not just your organisation that knows this has happened. Your customer does too, and they are probably quite angry, particularly if you’ve adopted a “well it’s your financial loss” attitude.
What about when invoice fraud happens and neither e-mail account appears to be compromised…….. read on…..
This article relates to just the scenarios I saw in the space of one week. There are plenty of other possibilities. But let’s cover one of the more obscure ones.
Neither the customer nor my business appears to have been compromised
In actual fact this one was a CEO fraud, with a fake communication apparently sent internally, but it could just as easily have been an invoice fraud between two parties.
A standard spear-phish was completed; reconnaissance had clearly taken place – the attacker knew the name of the person who handled the transfer, and the name of the CEO (the organisational chart and contact details were on their website).
The timing of the attack seemed impeccable – the CEO was on holiday. Was an Out of Office reply to blame for this one? Was something divulged on the CEO’s social media, or on that of his family if he didn’t use social media himself?
The technique used was straightforward enough – a spoofed e-mail address; this is when an e-mail looks like it came from someone you know, but the actual sender e-mail can be wildly different.
Let’s say you know Bob. You open your e-mail account. Your e-mail lists your mail according to sender names and doesn’t contain their e-mail address at all. You see a message from Bob. How do you know it is actually from email@example.com, Bob? I can send an e-mail from firstname.lastname@example.org and make it arrive in your inbox that appears, at face value, as if it is from Bob.
You can spot it by expanding the “e-mail header” on most packages (if you don’t know how to do this, you need to find out from your IT provider), but it’s more tricky on phones – you may have to click reply to get the return e-mail address displayed (never hit send, and only use the reply feature of your e-mail suite, not a link or button within the e-mail itself).
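Expanding the header is exactly the check below, done in code. This added example (not from the original article) parses a constructed message in which the display name reads “Bob” but the From address, the Reply-To the attacker wants answered, and the Return-Path all point elsewhere; the addresses and the `known_contacts` lookup are assumptions for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: what the mail client shows ("Bob") versus the addresses
# actually behind it. The domains are invented for this example.
RAW_MESSAGE = b"""\
From: Bob <bob.payments@yourbusiness-payments.example>
Reply-To: Bob <bob.ceo.urgent@freemail.example>
Return-Path: <bounce@freemail.example>
To: Finance <finance@yourbusiness.example>
Subject: Urgent transfer before I am back from holiday

Please process the attached payment today. Bob
"""


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def sender_check(raw: bytes, known_contacts: dict) -> list:
    """Compare the displayed sender name with the real addresses in the header.

    known_contacts maps a display name you trust (e.g. "Bob") to the address
    you expect that person to send from. Returns a list of warnings; an empty
    list means nothing in the header contradicts what the client displays."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, from_addr = parseaddr(str(msg.get("From", "")))
    warnings = []
    expected = known_contacts.get(name)
    if expected and from_addr.lower() != expected.lower():
        warnings.append(f"display name '{name}' but From address is {from_addr}, expected {expected}")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != from_addr.lower():
        warnings.append(f"replies would go to {reply_to}, not to {from_addr}")
    _, bounce = parseaddr(str(msg.get("Return-Path", "")))
    if bounce and domain_of(bounce) != domain_of(from_addr):
        warnings.append(f"Return-Path domain {domain_of(bounce)} differs from From domain {domain_of(from_addr)}")
    return warnings


if __name__ == "__main__":
    for warning in sender_check(RAW_MESSAGE, {"Bob": "bob@yourbusiness.example"}):
        print("WARNING:", warning)
```

On a phone, hitting reply (without sending) shows only the Reply-To line; the full header is needed to see the other two mismatches.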
However, there was something more sinister about this spear-phishing attack; the attacker used exactly the same terminology and process as the real sender would use. This suggested, to me, that they had sight of a genuine e-mail in advance. There was no evidence of either e-mail account being compromised.
I’m running a number of theories right now: that their e-mail server itself is/was compromised; that a previous genuine instruction thread innocently included a third party who has been compromised; or that some other piece of malware – spyware, or a Trojan – is in play. If the company was historically the victim of an e-mail data breach (even some time ago), and the same employees were still at the business, then the template, which would be sloshing around somewhere on the internet, could be useful. No technical skill required.
If it is malware, then clearly an examination of patching, anti-malware and support for all software, operating systems and devices may be required. To write this one off as a simple phishing attack would be a mistake. My advice was to thoroughly examine the network.
With all invoices and financial transactions, consider having a “threshold” beyond which you need two people to check an instruction and authorise a payment. It’s not questioning the competence of an existing employee, it’s providing them with an extra layer of protection to ensure that a simple mistake doesn’t lead to a company disaster.
Finally, fear and urgency are two factors that work in favour of an attacker. If you’re a CEO or someone who typically issues financial instructions to colleagues, or sends invoices out of the business, think about whether your typical e-mail attitude and wording might closely resemble that of a phishing template. If it might, chances are an attack will be more likely to succeed if your colleagues and customers cannot easily distinguish between the two. So don’t go all “Gordon Ramsay” on colleagues who have the temerity (and good sense) to delay a payment while they take the time to check that it’s actually you that made the request.