Fraudsters no longer need access to your bank accounts to steal money or to hack your cyber-protection in order to hold you to ransom.   

Instead, by hacking into your (or your suppliers’) email, scammers can hijack the invoice and accounts payable process and change the payment details to get you (or your clients) to divert payments directly to them.

If an average employee at your company got an email from the Finance Director or Chief Executive with an urgent request, would they question whether the email was coming from the actual sender?   They probably wouldn’t.  The reality is that most people would act on the request because of its time-sensitive nature.  

Furthermore, many people assume that the IT team has the right technology in place to validate email senders so they can get on with doing their work.

This is why attackers succeed.   They subvert legitimate senders, they follow normal patterns of communication or process and the target thinks the email is coming from someone they trust.  Consequently, their organisation gets breached.

This is Business Email Compromise – sometimes referred to as email spoofing, email interception fraud or invoice hijacking.

Business Email Compromise – Attacks are Widespread and Growing in Frequency

BEC scams have exploded in the past 2-3 years, with cyber-criminals successfully exploiting organisations large and small for eye-watering amounts of money.  

Specialist insurers, Beazley, have seen a massive increase in the number of  incidents reported to their Breach Response Services.  The number of cases doubled between Q1 2017 and Q3 2017.  By Q2 2018 they had doubled again.

In their analysis of 142 million emails that passed through existing email security software in the summer of 2018, Mimecast identified an 80% increase in the number of BEC or email impersonation attacks.

ActionFraud, the UK’s national fraud reporting service, have seen a 123% increase in reported cases from Financial Year 2016-17 to 2017-18.    This accounts for total losses of over £77m – and this is just what is reported.  Due to many organisations being unwilling to reveal how easily defences can be breached it is feared that as much as 85% of cyber-fraud goes unreported.   The average loss is over £22,000.

Globally, BEC has become a lucrative industry.   The FBI’s Internet Crime Complaint Center put global losses to Business Email Compromise in excess of $12.5bn.  The intelligence they gain from their limited successes in catching criminals reveal that it is perpetrated by international organised crime gangs and that their operations are increasingly sophisticated and professional.

Invoice Hijacking

Invoice Hijacking happens when a company or organisation is tricked into changing bank account payee details for a sizeable payment.   Criminals pose as regular suppliers to the company or organisation and will make a formal request for bank account details to be changed.

Criminals who specialise in BEC / Invoice Fraud are often aware of existing relationships between companies or organisations and suppliers and they know when regular payments are due. Equipped with sophisticated information, they make contact with finance teams within companies and organisations, posing convincingly as suppliers.

Payments are repeatedly made to them and the fraud is often only discovered at the point when the legitimate supplier of the product or service chases for non-payment of invoice. At that point recovery of the funds from the fraudulent account is very difficult.

A Cyber Scam that Evades Cyber Security

The invoice hijacker or fraudster is successful because they are able to pose as legitimate senders, follow normal patterns of process / procedure and by providing convincing reasons for either changing existing payment details or creating a credible reason to pay a new entity.

It involves a sophisticated set-up, usually involving using either social engineering or malware to gain access to an organisation’s email.   Once inside, the scam may target the organisation itself, its suppliers or even its clients.

The attacks evade security software because the sender, the content and the context of the scam emails contain identical properties to the real thing.    They fool human checks by subverting verification processes and using skilful deception.

This IBM report on a real-life scam reveals the level of preparation that goes into the execution of a successful hijack.   This deception would require some in-depth knowledge of the targeted company’s business ties.

“To successfully scam companies without special tools or malware, the attackers used sophisticated social engineering tactics that prey on flaws in common accounts payable processes,” 

“The attacker’s thoroughness during reconnaissance and while financial conversations took place has involved such actions as impersonating victims, finding and spoofing internal documents needed to make legitimate wire transfers, and setting up multiple domains and emails to pose as higher-level authorities”

The typical loss from a Business Email Compromise attack runs into several tens of thousands of pounds. That’s just what the fraudster gets away with.  The victim is left owing the supplier for goods and services received and expending valuable time and energy on investigation, insurance claims and possibly litigation. 

Have you got this covered?