The challenge with Business Email Compromise is that, although it is a cyber-enabled scam, it relies essentially on human deception.

As we discussed in ‘The Anatomy of a Scam’, the fraudsters invest time and effort to break in and understand the patterns of communication and procedures surrounding financial transactions. Cyber security offers some protection at this level, but as we see with the MS 365 hack, it can be completely bypassed.

The ‘Sting’ – making the actual attack – is almost invisible to technology. For primitive attacks (using spoofed accounts), email security software can weed out ‘dodgy’ domains (for example vau1tconnnect.co.uk instead of vaultconnect.co.uk). It may be possible to scan for patterns of language that suggest a scam – but these will also catch genuine communications.
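The look-alike domain check mentioned above is the one part of the sting that software can catch. The following is an added example (not code from the original post or from any product it describes) of how such a check works: the sender's domain is folded to a canonical form (digit-for-letter swaps such as `1` for `l` undone), then compared by edit distance against a constructed list of the supplier domains the organisation actually deals with. `KNOWN_DOMAINS` and `SAMPLE_FROM_HEADERS` are constructed sample values.

```python
import unicodedata

# Constructed list of the supplier domains this organisation really deals with
# (hypothetical values for the example; a real deployment loads these from the
# approved-supplier register).
KNOWN_DOMAINS = {"vaultconnect.co.uk", "example-supplier.com"}

# Digits and symbols commonly swapped for visually similar letters.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


def normalize(domain: str) -> str:
    """Fold a domain to a canonical form so visual tricks do not hide a near-match."""
    folded = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    return folded.translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_DOMAINS, max_distance: int = 2):
    """Return ('known' | 'lookalike' | 'unknown', closest known domain or None).

    'unknown' only means the domain is not a near-miss of a known supplier; it
    says nothing about whether the sender is genuine.
    """
    if "@" not in address:
        return ("unknown", None)
    raw = address.rsplit("@", 1)[1].lower().rstrip(".")
    if raw in known:
        return ("known", raw)            # exact match checked before any folding
    canon = normalize(raw)
    best = min(known, key=lambda k: levenshtein(canon, normalize(k)))
    if levenshtein(canon, normalize(best)) <= max_distance:
        return ("lookalike", best)
    return ("unknown", None)


# Constructed From: addresses standing in for a mailbox scan.
SAMPLE_FROM_HEADERS = [
    "ap@vaultconnect.co.uk",             # genuine supplier domain
    "accounts@vau1tconnnect.co.uk",      # the look-alike from the article
    "friend@gmail.com",                  # unrelated, not a near-miss
]


def flag_lookalikes(addresses):
    """Return [(address, impersonated_domain)] for every look-alike sender."""
    flagged = []
    for addr in addresses:
        verdict, target = classify_sender(addr)
        if verdict == "lookalike":
            flagged.append((addr, target))
    return flagged


if __name__ == "__main__":
    for addr, target in flag_lookalikes(SAMPLE_FROM_HEADERS):
        print(f"LOOK-ALIKE: {addr} resembles {target}")
```

The check is deliberately limited: a message from a compromised genuine mailbox (the MS 365 case above) comes back as `known`, which is exactly why the article goes on to argue for process change rather than filtering alone.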

How do you stop Email Fraud?

Stopping it requires putting measures in place to protect against the human deception: putting the means of perpetrating the crime, which is email, out of the reach of the fraudsters. Preventing it is classic process re-engineering:

  • Strategy – keep the information necessary to execute a transaction away from email
  • People – train staff on the risks, the scams and necessary measures
  • Process – implement procedures that make it possible to execute the transaction efficiently without reliance on email
  • Technology – make the software drive a more efficient process

Email is the Problem

Most processes that involve the exchange of information between suppliers and clients use the default method of electronic communication – email.

Businesses have changed their Accounts Payable processes away from paper invoices to save on postage and print costs. Consumers demand immediate responses from the organisations they deal with – and email is the most obvious medium.

However, the way that we deal with email and the fact that we have to deal with so much of it creates a fertile environment for the fraudster. In the interests of getting through the 120 emails that the typical worker receives daily, we learn to process email quickly.

We follow instructions in emails efficiently.

We become blind to the fact that the email sender may not be who they say they are at all.

Use email a different way

We’re not going to move away from our inboxes any time soon. So it’s a useful place to receive notifications and alerts.

What about a situation where an alert notified an Accounts Payable clerk that an invoice had been uploaded to a secure shared library?

What if all invoices were in supplier specific folders – in an environment where access was locked down to specific users? What if every action was time-stamped, date-stamped and user-stamped? That’s much more secure.

What if it was possible for issues to be raised and resolved in the secure area (with each party being notified that something required their attention by an email alert that landed in their inbox)?

The fraudster can no longer insert themselves into the chain. If the secure shared area (call it a Vault maybe ;-D) provided the highest possible levels of security, it would require a great deal more effort on the part of the fraudster to get in. Better still, if the users are up to it, implement multi-factor authentication.
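To make the design in the preceding paragraphs concrete, here is an added example (not the code of any product the post describes) modelling its three rules in a few dozen lines: invoices live in supplier-specific folders with an access list, every action is time-, date- and user-stamped whether it succeeds or is refused, and the only thing that reaches the inbox is a pointer with no transactional details in it. The supplier name, usernames and invoice record are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


class AccessDenied(PermissionError):
    """Raised when a user touches a folder they are not on the access list for."""


@dataclass
class InvoiceVault:
    # supplier name -> set of usernames permitted in that supplier's folder
    acl: dict
    folders: dict = field(default_factory=dict)   # supplier -> {invoice_id: record}
    audit: list = field(default_factory=list)     # every attempt, allowed or not

    def _check(self, user, supplier, action, invoice_id):
        """Stamp the attempt (time/date/user), then enforce the folder ACL."""
        allowed = user in self.acl.get(supplier, set())
        self.audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": user,
            "action": action,
            "supplier": supplier,
            "invoice": invoice_id,
            "outcome": "ok" if allowed else "denied",
        })
        if not allowed:
            raise AccessDenied(f"{user} may not {action} in folder {supplier!r}")

    def upload(self, user, supplier, invoice_id, record):
        """Supplier-side upload; returns the alert text that goes out by email."""
        self._check(user, supplier, "upload", invoice_id)
        self.folders.setdefault(supplier, {})[invoice_id] = record
        return self.alert(supplier, invoice_id)

    def read(self, user, supplier, invoice_id):
        """Client-side read by an Accounts Payable user on the supplier's ACL."""
        self._check(user, supplier, "read", invoice_id)
        return self.folders[supplier][invoice_id]

    @staticmethod
    def alert(supplier, invoice_id):
        """The email that lands in the inbox: a reference, never the data."""
        return (f"Invoice {invoice_id} from {supplier} is waiting in your vault folder. "
                "Sign in to review it; this alert contains no invoice details.")


def run_scenario():
    """Constructed walk-through: upload, legitimate read, refused read by an outsider."""
    vault = InvoiceVault(acl={"Acme Ltd": {"acme-finance", "ap-clerk"}})
    record = {"amount": "12,400.00", "sort_code": "00-00-00",
              "account": "00000000"}                      # constructed sample values
    alert_text = vault.upload("acme-finance", "Acme Ltd", "INV-1001", record)
    seen_by_clerk = vault.read("ap-clerk", "Acme Ltd", "INV-1001")
    try:
        vault.read("outsider", "Acme Ltd", "INV-1001")
        outsider_denied = False
    except AccessDenied:
        outsider_denied = True
    return {
        "alert": alert_text,
        "clerk_sees": seen_by_clerk,
        "outsider_denied": outsider_denied,
        "audit_outcomes": [(e["who"], e["action"], e["outcome"]) for e in vault.audit],
    }


if __name__ == "__main__":
    result = run_scenario()
    print(result["alert"])
    for entry in result["audit_outcomes"]:
        print(entry)
```

The point of the `alert` text is that a fraudster who reads or forges it gains nothing: bank details and amounts only ever travel inside the access-controlled folder, and the refused read by `outsider` is itself recorded, which is what gives the audit trail its value.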

Losses to Business Email Compromise total billions of pounds. Until companies address the risks to their invoice processing and property transactions by reviewing process and not technology, email fraudsters will continue to successfully scam processes that exchange transactional information via email.