10 Sep 18

Procurement to the rescue

How tighter controls can help prevent invoice phishing scams

Like supermodels, procurement often doesn’t get out of bed for less than £10,000 (spend) per day, but an email scam is highlighting why organisations need purchasing to take note of lower spend thresholds and drive better purchase order coverage to fight these cyber criminals.

Let’s go phishing

Phishing email scams are nothing new – they have existed for more than a decade, but they have become increasingly sophisticated and targeted in recent years. Most of us have received bogus or phishing emails. The ones from an African heir or prince are easily recognisable, but given how successful some of them are, the criminals sending these emails are not likely to stop anytime soon. Others are much more difficult to spot as they accurately mimic the style of real bank emails – until you check the sender address or look at the links they contain.

Meanwhile, the growth of hosted corporate email services such as Microsoft Office 365 in recent years has not gone unnoticed by the scammers. They craft simple, effective social engineering attacks targeted at hosted email users, which ultimately lead to credential theft. Once a business email account is compromised, scammers have found new and clever ways to commit financial fraud.

In the past few months a new email phishing scam has emerged. It uses a version of what is known as the ‘man-in-the-middle’ attack, exploiting the trust between the victim (who usually holds a senior position) and other contacts within the same organisation.

How the scam works

Initially the scammer sends a genuine-looking, personalised email message to the potential victim, made to appear to have come from the user’s email service provider. The actual message or instructions in the phishing email may vary, for example ‘reset your password’ or ‘validate your account details’. However, if the user is not mindful and clicks on the embedded link, it will lead them to a phishing (credential-harvesting) website. These sites are made to look like the actual web portal of the email hosting provider, such as Office 365, and the user’s email credentials are harvested there.

Now that the scammers have the user’s login credentials, they can gain access as and when they like. Historically scammers have used compromised email accounts to their benefit in a number of ways, sending spam email being the most common; however, their new scam is rather more serious.

Scammers will invade the mailbox and identify other contacts from the user’s organisation. They also add mail rules to delete or move messages, block certain emails, or mark emails as read and move them to Junk, to help disguise any suspicious activity. They also set rules to forward all emails to an external email account so that they continue to receive the victim’s emails even if the password is changed. In some cases they also add ‘connected accounts’ to maintain access to the victim’s mailbox. Once the account is fully compromised, the scammer sends an email from the victim’s account to the finance/accounts team containing a fake, photoshopped, relatively low-value invoice, apparently from another genuine business, but with the account numbers changed. The invoice is also made to appear addressed to the victim. To make the request appear legitimate, the scammer adds a short, personalised message.
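The mailbox rules described above (forwarding everything to an outside address, and deleting, marking as read or junking the replies so the real owner never sees them) are the one part of this scam an administrator can look for directly. The script below is an added example, not part of the original article or of any vendor tooling: it reviews a list of inbox rules and flags the two patterns. The rule records are constructed and use a simplified schema of my own (an Exchange Online export from a cmdlet such as Get-InboxRule would need mapping onto these fields), and the internal domain list is an assumption.

```python
"""Review exported inbox rules for the persistence and concealment pattern the article
describes: forwarding to an external address, and deleting / marking-as-read / moving
to Junk so the real owner never sees the fraudulent correspondence.

Added example; the rule records below are constructed and use a simplified schema,
not the actual Exchange Online / Office 365 export format.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: the organisation's own mail domains; any other domain is treated as external.
INTERNAL_DOMAINS = {"example.com"}

# Destination folders that hide a message from normal view (the article mentions Junk).
HIDING_FOLDERS = {"junk email", "junk", "deleted items"}

# Subject words a fraudster would want to keep out of the real owner's sight.
SENSITIVE_KEYWORDS = ("invoice", "payment", "bank", "remittance", "password", "account")


@dataclass
class InboxRule:
    """Constructed, simplified representation of one mailbox rule."""
    mailbox: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    mark_as_read: bool = False
    move_to_folder: Optional[str] = None
    subject_contains: List[str] = field(default_factory=list)
    from_contains: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the address is outside the organisation's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def review_rule(rule: InboxRule) -> List[str]:
    """Return human-readable findings for one rule (empty list means nothing suspicious)."""
    findings: List[str] = []

    # 1. Any forward or redirect that leaves the organisation keeps the attacker
    #    in the loop even after the victim's password has been reset.
    external = [a for a in rule.forward_to + rule.redirect_to if is_external(a)]
    if external:
        findings.append("forwards or redirects mail to external address(es): " + ", ".join(external))

    # 2. Rules that make mail disappear from the owner's view.
    hides = (rule.delete_message or rule.mark_as_read
             or (rule.move_to_folder or "").lower() in HIDING_FOLDERS)
    unconditional = not rule.subject_contains and not rule.from_contains
    if hides and unconditional:
        findings.append("hides every incoming message (rule has no conditions)")
    elif hides:
        hit = [k for k in SENSITIVE_KEYWORDS
               if any(k in s.lower() for s in rule.subject_contains)]
        if hit:
            findings.append("hides messages whose subject mentions: " + ", ".join(hit))
    return findings


def review_rules(rules: List[InboxRule]) -> Dict[Tuple[str, str], List[str]]:
    """Map (mailbox, rule name) -> findings, for rules that produced at least one finding."""
    report: Dict[Tuple[str, str], List[str]] = {}
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            report[(rule.mailbox, rule.name)] = findings
    return report


# Constructed sample: two attacker-style rules in alice's mailbox, two benign ones elsewhere.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Forward all",
              forward_to=["alice.backup@mail-drop.example"]),
    InboxRule("alice@example.com", "Tidy invoices",
              subject_contains=["invoice"], mark_as_read=True, move_to_folder="Junk Email"),
    InboxRule("bob@example.com", "Newsletters",
              from_contains=["news@vendor.example"], move_to_folder="Newsletters"),
    InboxRule("carol@example.com", "Copy to self",
              forward_to=["carol@example.com"]),
]

if __name__ == "__main__":
    for (mailbox, name), findings in review_rules(SAMPLE_RULES).items():
        print(f"{mailbox} / {name!r}")
        for finding in findings:
            print("   -", finding)
```

Run against the constructed sample, only the two rules in alice’s mailbox are reported; a rule that files newsletters in a normal folder, or forwards to an internal address, is left alone. Note that the ‘connected accounts’ the article mentions are not inbox rules at all, so a rules review on its own does not cover that route back into the mailbox; it needs to be checked separately.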

The scammer then keeps an eye on the victim’s inbox and will even reply to emails to add legitimacy to the ‘payment request’. In most cases the member of the accounts team will trust the payment request, since it has come from the email account of their senior colleague, perhaps the CEO, and pay the invoice to the bank account on the invoice – one controlled by the scammer.

To add insult to injury, the scammer may also have downloaded a copy of the organisation’s invoice from the victim’s mailbox, and can now create more fake invoices using Photoshop to potentially defraud other businesses. Even after becoming aware of this fraud, and possibly having lost money to these fraudsters, the victim’s organisation can do nothing to stop the scammers from using a copy of its invoice or from targeting its customers, partners or suppliers, resulting in further reputational damage. The process then starts all over again: the scammer’s end goal is two-fold, stealing credentials through personalised phishing emails and then conducting financial fraud using fake invoices.

How do we catch them?

Scammers use a number of techniques to protect themselves from getting caught, and it’s very difficult to track them down. They use VPNs to hide their location when sending emails or accessing victims’ email accounts. The bank accounts used on the fake invoices also belong to other victims of bank account fraud, who are not aware that their bank accounts have been compromised and their debit cards cloned by scammers.

Once this is all done, it is very easy for these scammers to withdraw funds, transfer the money out or purchase cryptocurrencies.

Procurement to the rescue

Cyber security is a hot topic for all organisations, and they are continuously looking to improve their information security practices and to train staff to be aware of these threats. However, this alone is not enough to safeguard against such frauds causing financial damage.

Often there is an exploitable gap in an organisation’s defences which scammers have been focusing on. The scammers tend to send invoices of low value, and most procurement organisations set thresholds (often around £10,000, although some as high as £1m) below which a purchase order number is not required. Currently many of these scam invoices slip below these thresholds, and the person in accounts payable may 1) have a large volume to deal with, or 2) rely on the email from the scammed executive and just pay without too much thought.

Because the individual amounts may be small for a large or medium-sized organisation, this scam may not even be picked up in a spend report, leaving the organisation unaware that a scammer is siphoning off cash for their own gain.

This scam (and others like it) helps create the business case for wider, or even blanket, purchase order coverage and more direct purchasing involvement and responsibility. You can begin to persuade your organisation to take action now.
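To show concretely what the threshold gap looks like from the accounts payable side, here is an added example (my own code, not the article’s or State of Flux’s) that triages a small batch of invoices twice: once under a £10,000 PO threshold of the kind described above, and once under blanket PO coverage. It also checks the invoice’s bank account against the supplier master record, which is an additional control beyond the PO coverage the article argues for, and totals the amounts requested per destination account so that several small invoices to one unfamiliar account add up. Supplier master data, invoices and bank account strings are all constructed.

```python
"""Accounts-payable triage for the gap the article describes: low-value invoices that
arrive without a purchase order and slip under the PO threshold, carrying changed
bank details.

Added example; supplier master data and invoices are constructed. Comparing the
invoice's bank account with the supplier master record is an additional control
beyond the PO coverage the article argues for.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Invoice:
    invoice_id: str
    supplier: str
    amount_gbp: float
    bank_account: str            # constructed "sort code + account number" strings
    po_number: Optional[str]     # None when the invoice arrived with no PO reference


# Constructed supplier master data: supplier name -> verified bank account.
SUPPLIER_MASTER: Dict[str, str] = {
    "Acme Stationery Ltd": "20-00-00 11111111",
    "Northwind Logistics": "40-00-00 22222222",
}

# The kind of threshold the article describes: no PO needed below this amount.
PO_THRESHOLD_GBP = 10_000.0
BLANKET_PO_COVERAGE = 0.0   # a threshold of zero means every invoice needs a PO


def hold_reasons(inv: Invoice, po_threshold: float,
                 master: Dict[str, str] = SUPPLIER_MASTER) -> List[str]:
    """Reasons this invoice should be held for manual verification before payment."""
    reasons: List[str] = []
    if inv.po_number is None and inv.amount_gbp >= po_threshold:
        reasons.append("no purchase order number")
    verified = master.get(inv.supplier)
    if verified is None:
        reasons.append("supplier not in master data")
    elif verified != inv.bank_account:
        reasons.append("bank account does not match supplier master")
    return reasons


def triage(invoices: List[Invoice], po_threshold: float) -> Dict[str, List[str]]:
    """invoice_id -> hold reasons (empty list = clear to pay under this policy)."""
    return {inv.invoice_id: hold_reasons(inv, po_threshold) for inv in invoices}


def spend_by_bank_account(invoices: List[Invoice]) -> Dict[str, float]:
    """Total requested per destination account, so small amounts 'dripped' to one
    account add up even when no single invoice stands out in a spend report."""
    totals: Dict[str, float] = defaultdict(float)
    for inv in invoices:
        totals[inv.bank_account] += inv.amount_gbp
    return dict(totals)


# Constructed sample: INV-1002 and INV-1004 follow the scam pattern (known supplier,
# small amount, no PO, unfamiliar bank account); the others are ordinary invoices.
SAMPLE_INVOICES = [
    Invoice("INV-1001", "Acme Stationery Ltd", 480.00, "20-00-00 11111111", "PO-5521"),
    Invoice("INV-1002", "Acme Stationery Ltd", 950.00, "60-00-00 99999999", None),
    Invoice("INV-1003", "Northwind Logistics", 12_500.00, "40-00-00 22222222", None),
    Invoice("INV-1004", "Acme Stationery Ltd", 1_200.00, "60-00-00 99999999", None),
]

if __name__ == "__main__":
    for label, threshold in (("£10k PO threshold", PO_THRESHOLD_GBP),
                             ("blanket PO coverage", BLANKET_PO_COVERAGE)):
        print(f"== {label} ==")
        for invoice_id, reasons in triage(SAMPLE_INVOICES, threshold).items():
            print(f"  {invoice_id}: {'HOLD: ' + '; '.join(reasons) if reasons else 'pay'}")
    print("== total requested per bank account ==")
    for account, total in spend_by_bank_account(SAMPLE_INVOICES).items():
        print(f"  {account}: £{total:,.2f}")
```

Under the £10,000 threshold the two £950 and £1,200 scam invoices pass the PO check and are caught only by the bank-account comparison; under blanket coverage they are held on both counts. The per-account total shows £2,150 heading to an account that appears nowhere in the supplier master, which is the kind of figure that would not show up in a spend report sorted by supplier.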

If you believe your organisation has been the victim of a phishing or hacking attack, please make sure you report it to Action Fraud - https://www.actionfraud.police.uk/

By Abid Muhammad, IT Manager, State of Flux