Trawling through archives can quickly turn bittersweet when it hits home how little has changed between past and present. Looking back through the posts on BHconsulting.ie, invoice redirect scams have featured regularly since 2015. Fast forward to 2019: An Garda Siochana warned that this fraud cost Irish businesses almost €4.5 million this year. The global costs are even more sobering – but more of that later.
Back in 2015, we reported the Irish Central Bank was fleeced to the tune of €32,000. This fraud was a growing trend even then. Our blog quoted Brian Honan’s Twitter account: “Looks like a fake invoice scam we’ve seen with other clients”. The same post also referred to Ryanair, which was duped around the same time and reportedly lost around €4.5 million.
The impersonation game
Scams like this have many names, like CEO fraud, invoice redirection fraud, or business email compromise. Preventing them from being successful is about knowing how they work and spotting potential red flags. Brian blogged about this in December 2015, detailing scammers’ steps when executing CEO fraud and fake invoicing tricks.
“The premise of the attack is the criminals impersonate the CEO, or other senior manager, in an organisation (note some attacks impersonate a supplier to the targeted company). The criminals may do this by either hijacking the email account of the CEO or setting up fake email accounts to impersonate the CEO.”
Next, criminals send an email seeming to come from the CEO to a staff member with access to the company’s financial systems. The email will request that payment be made to a new supplier into a bank account under the criminals’ control. Alternatively, the email may claim the banking details for an existing supplier have changed and will request payments into a new bank account under the criminals’ control.
Video to beat the scam
In February 2017, we blogged about an educational video that Barclays Bank developed to raise awareness of fake invoicing and similar online scams.
Later that same year, we covered the issue again, twice in quick succession. The first of these posts, in August 2017, noted how legitimate email senders do themselves no favours by composing messages that “practically begged to be treated” as fakes. A genuine email from a large insurer was so poorly composed that it would have raised suspicion with anyone who’d been paying attention during security awareness training.
The process problem
Now we’re getting to the heart of the problem. Call it what you want, but this scam is a people and process failure. That was our conclusion from another post in August 2017, after news emerged of yet another victim in Ireland. “The effectiveness of an email scam like CEO fraud relies on one person in the target organisation having the means and the opportunity to make payments. It’s not a security problem that technology alone can fix.”
In the same blog, we noted how the FBI has been tracking this scam since 2013. The agency put collective losses between then and August 2017 at an eye-watering $5 billion. As we blogged then, ways to fix this issue don’t necessarily need to involve technical controls. For example, companies could make it compulsory to have a second signatory whenever they need to make payments over the value of a certain amount.
The risk of these frauds goes beyond just commercial businesses. As we noted in a blog from October 2017, local public sector authorities are also potential victims. The post referred to Meath County Council, which had €4.3 million stolen from it in a dummy invoicefraud.
Staying ahead of the fraudsters
Our August blog included FBI special agent Martin Licciardo’s very practical advice: “The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.”
This brings us neatly back to 2015, where we provided similar advice to avoid falling victim to fake invoice scams. The steps include:
- Ensure staff use secure and unique passwords for accessing their email
- Ensure staff regularly change their passwords for their email accounts
- Where possible, implement two factor authentication to access email accounts, particularly when accessing web-based email accounts
- Have agreed procedures on how requests for payments can be made and how those requests are authorised. Consider using alternative means of communication, such as a phone call to trusted numbers, to confirm any requests received via email
- Be suspicious of any emails requesting payments urgently or requiring secrecy
- Implement technical controls to detect and block email phishing, spam, or spoofed emails
- Update computers, smartphones, and tablets with the latest software and install up-to-date and effective anti-virus software. Criminals will look to compromise devices with malicious software in order to steal the login credentials for accounts such as email accounts
- Provide effective security awareness training for staff.