Spotting fake invoice scams – what UK SMEs need to know
To emphasise the seriousness of this type of fraud, two businesses that complained of invoice fraud were said to have lost sums around the £1 ($1.5 million) million figure each. Further afield, there are occasional spectacular examples such as the extraordinary $46.5 million Ubiquiti Networks admitted it had handed over to criminals from its Hong Kong subsidiary as part of a sophisticated business email compromise (see below).
The warning lights are now flashing red - across the developed world, this is now one of the biggest categories of digital fraud with the FBI and Australian authorities putting out regular alerts of their own. An underlying issue is that while the fraudsters often exploit weaknesses in technology to attack businesses the biggest flaws are always human and result from a lack of awareness, training, poor systems, policies and checking. People make assumptions about identity and legitimacy and take too many short cuts.
But why have these scams become so successful And what if anything can businesses do to protect themselves
It's important not to confuse fake invoice fraud with the common 'unpaid invoice' emails that turn up in everyone's inbox from time to time. Those are usually a mechanism to persuade recipients to open attachments as a way of spreading malware. The invoice topic is simply a lure.
That said, a growing number of scammers do employ a slightly more directed version of this approach intended to find low-level admin people who will take an invoice demand, however implausible, at face value. There are numerous anecdotes of this approach working for smaller sums of money. Malware has also been used to carry out reconnaissance on target organisations.
The simplest form of fake invoice scam is a well-crafted and targeted demand for money, usually a small sum for office supplies or some other routine service that was never undertaken but sounds plausible. If the invoice is sent to someone in the accounting office, the crooks know it won't often be discarded out of hand. These job roles receive numerous invoices in any day and will treat them as being equally valid unless something suggests otherwise. Fraudsters might also make phone calls to add to the authenticity, citing a genuine name or department as having consumed the imaginary services.
The first defence, then, is a company's accounting systems. The simplest system is to match an invoice number to a purchase order, preferably with a shipping or confirmation order. These systems are used by any serious company, usually to detect internal fraud. If there is no matching, the invoice can't be paid without further verification.
Unfortunately, fake invoice scams have long since become cleverer than that.
Next: Business Email Compromise
In recent years the FBI and other police forces have documented more advanced versions of the simple invoice demand, starting with the invoice modification scheme. In this attack, an organisations is phoned up or sent a spoofed from someone claiming to be from a company they do business with, informing them of an office location or bank account switch and that future invoices should be re-directed. Sometimes the office move is genuine but, of course, the representative isn't. Organisations doing business across international borders are a common target for such frauds.
A variation of this is the 'man-in-the-email' scam in which a legitimate account at an organisation is compromised, allowing the scammers to appear genuine. A demand for money to be transferred to the fraudster's account is then sent to an internal employee. Alternatively, a compromised email account is harvested for contacts and bogus invoices sent to his or her contacts.
A useful defence against external invoice systems is for more companies to use an email platform or provider that offers email authentication, at least SPF (Sender Policy Framework) DKIM (DomainKeys Identified Mail) and, ideally, Domain-based Message Authentication, Reporting & Conformance (DMARC). This makes it impossible for criminals to send spoofed email impersonating a business.
Email authentication has a blind side - while it is not possible to spoof the real address when using these technologies, it is possible in some email systems or clients to spoof the recipient that displays to the user.
Email can also be signed using digital signatures based on an organisation's digital certificate implemented as long as the recipient's email software supports S/MIME (Secure/Multipurpose Internet Mail Extensions). Webmail systems won't work with this form of security.
If the attacker is already inside the email system, or has access to sensitive internal data, none of these approaches will work which is why the choice of email platform and the level of security it provides is critical. If email offers multi-factor authentication and regular password refreshes this makes it much harder if not impossible for outsiders to break in.
It's easy to suggest educating users about scams but it is immensely important that anyone handling invoices or wire requests is sensitised to the issue Accounting systems and checking policies are the first defence for SMEs A policy should be enforced that any change of bank account by a partner or supplier should always be validated by a channel other than email, preferably through two contacts. Never respond to payment requests using the 'reply' button - always use the 'forward' option that validates a contact from the address book. Choose an email platform or provider that uses anti-spoofing systems or allows multi-factor authentication. Businesses should never use free services or cut corners. Where possible use digital signatures for email exchanges with important suppliers Transfers to some countries - China, Hong Kong, South Africa, Turkey - should be treated with extra suspicion. Local 'mule' accounts at local banks are increasingly being used.
This might seem like bolting an empty stable door but intelligence on these scams is extremely important. In the UK, Action Fraud is the first port of call while in the US it's the Internet Crime Complaint Center (IC3).