Real Life Business Email Fraud: What and How

Could this impact your business?

This case of employing a classic deception tactic came to our attention a short while ago. The setup and the sting follow a well-worn pattern that has been used by scammers for centuries.

What is new is that it is a particularly effective way of perpetrating a Business Email Compromise Scam.

Unfortunately, there is a victim – with all of the feelings of loss and remorse that you would expect. They have lost the money they sent to the fraudster, their supplier is still expecting payment for goods and services provided, and the relatively high excess on their insurance means that making a claim is not an attractive remedy.

An age-old deception – in a modern context

The fraud was perpetrated by the fraudster intercepting, compromising or mimicking the email account of a trusted supplier.

A credible email was received from the supplier explaining that their bank account had been hacked and instructing the company not to make any payments on any outstanding invoices until further notice.

The next email gave the all-clear. It explained that the matter was sorted and that changing their bank account in order to receive money was part of the solution. Money was then paid and the fraud was complete.

This follows a classic pattern (Number 3 in our 5 Business Email Compromise Scams). The fraudster creates a false sense of danger, removes it, and then, as the ‘mark’ lowers their guard, gets them to take action.

The ‘breached’ supplier has not received any money – but would like to do so!

Could this be avoided?

Solution Perspective Number 1 – Looking at the Behaviour

Could the organisation’s Accounts Payable team have stopped this? There’s an argument that the solution lies in protocol – no payment change should be actioned unless a phone call is made to the supplier to confirm the change.

Solution Perspective Number 2 – Looking at the Technology

Another angle is that there should be a technological means of preventing this – that the issue occurred because the email was not sufficiently protected. There are of course extensive email security tools on the market.

Solution Perspective Number 3 – The Legal View

Legally we can’t see a solution, as there was nobody to take action against. The victim is completely exposed.

It is possible to see some value in both the behavioural and technological perspectives. But neither is watertight. The legal perspective remains constant: you are responsible for where you send the money.

The problem with the Behavioural perspective is that if the fraudster can set up a credible email suggesting that a breach has taken place, nothing prevents them from first sending an email suggesting that the contact details held on file for Accounts Receivable need to be updated. Then, when the call to verify the details is made, it goes to the fraudster’s number and of course the details are confirmed – and the fraud is still perpetrated.

Scams of this scale and elaborate nature are carried out by organised crime gangs. If the sums of money are significant (in this case several tens of thousands of pounds) then the investment of time and effort in setting up the fraud is worthwhile.

The Technological perspective has some validity – but it is not possible to secure email absolutely. If a malware breach led to a fraudster gaining access to the IT provider’s email system then there is no way that my friend’s employer would spot that the email was fake – because it came from a genuine, trusted source. If the email mimicked a sender, then even leading providers of email security technology will admit that a proportion of email threats will still get through.

Email is inherently insecure. We’ve said it many times (and I’m sure my friends got the message loud and clear). Combine this with the human element and a technology-only approach is like putting lipstick on a pig!

There is a better way

The fraudster has:

  • Means: ability to either compromise an email account or mimic it
  • Motive: significant payments taking place
  • Opportunity: people who do what they are told when they receive an email

Take the payment request and instruction away from email and you remove the means and the opportunity. The procedure around invoices and payments is then secure.

Preventing Business Email Compromise from costing your business involves following these three rules:

  1. Remove the information from view: if it’s not on email it’s not visible (patterns cannot be spotted, intercepted or mimicked)
  2. Control access: by invitation only
  3. Two-way communication in a trackable, auditable environment: easy access, rigid protocols

Adopting these rules transforms the process.

One party invites the other to share sensitive information in a secure ‘Vault’ – accessible only via password. If the Vault contains all the information about current and historical transactions it is a valuable shared area for both parties (and removes many “can you just…?” requests for information already provided).

A supplier might load invoices and be required to maintain the relevant bank details (where permission control locks edit access to them only). The relevant party is alerted to new information by a generic email (from which no information about the transaction or the nature of the information can be intercepted by a fraudster). Both parties can add queries, messages and new information including – for example – a remittance notice.

Access is highly secure. Every action is tracked and a complete audit trail exists. Impersonation opportunities are eliminated and protocols (e.g. we will only pay the account details contained in the Vault) are easy to follow.
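To make the three rules and the Vault workflow above concrete, here is an added illustration written for this article. It is not the product’s code, and every name in it (the `Vault` class, the e-mail addresses, the invoice number, the bank account strings) is constructed for the example. It models invitation-only access, supplier-only editing of bank details, a generic notification that carries no transaction content, an audit trail of every action, and the payment protocol “we will only pay the account details contained in the Vault”, then replays the case described in this post against that model.

```python
"""Constructed model of an invitation-only payment 'Vault' (example, not product code)."""
from dataclasses import dataclass
import secrets


@dataclass
class AuditEntry:
    actor: str
    action: str
    detail: str


class Vault:
    """Shared area between one buyer (the owner) and one supplier."""

    def __init__(self, owner: str):
        self.owner = owner
        self.members = {owner: "buyer"}  # user -> role ("buyer" or "supplier")
        self.invites = {}                # single-use invitation token -> role
        self.bank_details = None         # editable by the supplier only
        self.invoices = {}               # invoice_id -> amount
        self.audit: list[AuditEntry] = []

    def _log(self, actor: str, action: str, detail: str = "") -> None:
        self.audit.append(AuditEntry(actor, action, detail))

    def invite(self, actor: str, role: str) -> str:
        """Rule 2: access by invitation only; only the owner issues invitations."""
        if actor != self.owner:
            raise PermissionError(f"{actor} may not issue invitations")
        token = secrets.token_urlsafe(16)
        self.invites[token] = role
        self._log(actor, "invite", role)
        return token

    def accept_invite(self, token: str, user: str) -> None:
        role = self.invites.pop(token, None)  # pop() makes the token single-use
        if role is None:
            raise PermissionError("invitation invalid or already used")
        self.members[user] = role
        self._log(user, "join", role)

    def set_bank_details(self, actor: str, details: str) -> None:
        """Permission control: only the supplier may edit its own bank details."""
        if self.members.get(actor) != "supplier":
            self._log(actor, "edit_refused", "bank_details")  # refused attempts are auditable
            raise PermissionError(f"{actor} may not edit bank details")
        self.bank_details = details
        self._log(actor, "set_bank_details", details)

    def add_invoice(self, actor: str, invoice_id: str, amount: int) -> None:
        if self.members.get(actor) != "supplier":
            raise PermissionError(f"{actor} may not load invoices")
        self.invoices[invoice_id] = amount
        self._log(actor, "add_invoice", invoice_id)

    @staticmethod
    def notification_email() -> str:
        """Rule 1: the alert names no invoice, amount or account, so there is nothing to mimic."""
        return "There is new activity in your shared Vault. Sign in to review it."


def authorise_payment(vault: Vault, actor: str, invoice_id: str, account_to_pay: str):
    """Protocol: pay only the account details held in the Vault. Returns (ok, reason)."""
    if vault.members.get(actor) != "buyer":
        reason = "payer is not a buyer member"
    elif invoice_id not in vault.invoices:
        reason = "invoice not in Vault"
    elif account_to_pay != vault.bank_details:
        reason = "account differs from Vault record"
    else:
        vault._log(actor, "payment_authorised", invoice_id)
        return True, "ok"
    vault._log(actor, "payment_refused", f"{invoice_id}: {reason}")
    return False, reason


def run_scenario() -> dict:
    """Replays the case in this article against the model (all values constructed)."""
    vault = Vault(owner="ap@buyer.example")
    token = vault.invite("ap@buyer.example", "supplier")
    vault.accept_invite(token, "finance@supplier.example")
    vault.set_bank_details("finance@supplier.example", "GB00 BANK 1234 5678 90")
    vault.add_invoice("finance@supplier.example", "INV-1001", 42000)

    # The 'all-clear' email names a new account; the protocol never consults email.
    paid_email, why = authorise_payment(vault, "ap@buyer.example", "INV-1001", "GB99 MULE 0000 0000 00")

    # A non-member cannot plant the substitute account in the Vault either.
    try:
        vault.set_bank_details("fraudster@lookalike.example", "GB99 MULE 0000 0000 00")
        fraud_edit_blocked = False
    except PermissionError:
        fraud_edit_blocked = True

    paid_vault, _ = authorise_payment(vault, "ap@buyer.example", "INV-1001", "GB00 BANK 1234 5678 90")
    return {"email_account_paid": paid_email, "email_refusal": why,
            "fraud_edit_blocked": fraud_edit_blocked, "vault_account_paid": paid_vault,
            "audit_entries": len(vault.audit)}


if __name__ == "__main__":
    print(run_scenario())
```

The point of the model is that the account number in the fraudulent email never becomes an input to the payment decision: the only account that can be paid is the one the supplier itself recorded inside the Vault, and both the refused payment and the refused edit leave entries in the audit trail for the Accounts Payable team to review.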

In short – you can’t foil Business Email Compromise with a procedure that still involves instructions or requests via email. Don’t transmit!