Business Email Compromise (BEC) and the hijacking of supplier invoices to divert payments into bank accounts operated by fraudsters became noticeable four to five years ago.
The FBI puts global losses from this scam at more than $12.5bn, and in the UK the number of cases reported to law enforcement has more than doubled in the last 6-12 months.
Scammers go to great lengths to research the right contacts, understand organisations’ accounts payable processes and compromise the email accounts of personnel who either issue invoices or have access to payment instructions.
It’s a significant threat and a particularly effective way for fraudsters to gain access to large sums of money. The typical attack evades corporate network protection – it hides in plain sight. Furthermore, it is often the clients of a compromised organisation who become the victims. This means that each organisation’s defences are only as strong as its weakest supplier.
So how do you protect your organisation and your Accounts Payable team?
Preventing Invoice Hijacking: The Best Advice from The Experts
Financial Fraud Action UK, the organisation set up by the UK Financial Services industry to coordinate its fraud prevention activities, issued the following advice in its leaflet “Are they really one of your regular suppliers?” (selected highlights below):
1. Ensure staff processing invoices or who have the authority to change bank details are vigilant
2. Changes to supplier financial arrangements should be verified with that supplier using their established on-file details
3. When a supplier has been paid, inform that supplier of the payment details made, including the account the payment was made to
4. Check company or organisation bank statements carefully
5. If you are suspicious about a request, ask if you can call back
6. Establish a designated point of contact with suppliers to whom your company or organisation makes regular payments. Raise all invoice issues and concerns with this person
7. Be vigilant for amendments to contact numbers and email addresses on company invoices. Amendments to these may be so minor that they are difficult to spot
At first glance a lot of this makes sense, but a closer look at how a BEC / Invoice Hijack scam takes place shows how easily a fraudster can circumvent this advice (see the Anatomy of a Scam).
Firstly, the email notification may come from precisely the contact, contain exactly the content and use the language that you would expect to see from a regular supplier. Secondly, the level of sophistication in this type of attack is high, and it’s not unusual for steps to have been put in place to subvert a verification call. Measured against the advice above: in (1) the request to change details would be credible and from the right contact, and in (2) the contact details may already have been updated ahead of the scam – making (5) and (6) redundant. Point (7) would be exactly as the Accounts Payable team would expect.
Points (3) and (4) would highlight that a fraud has taken place, but possibly not for days after the payment was made, by which time the funds will have been transferred into and out of multiple international bank accounts, making recovery almost impossible.
Preventing Business Email Compromise: What about Technology?
There are some extremely powerful email security software solutions available – some of which market Business Email Compromise solutions. They already weed out malicious links and malware, protecting organisations from numerous cyber threats.
However, they rely on scanning the content of an email and authenticating the sender. Scams in which the fraudster ‘mimics’ a vendor by using a variation on their domain (e.g. vau1tconnect.co.uk instead of vaultconnect.co.uk, or changing the .co.uk to .co) can therefore be weeded out easily.
The software can also be set to look for language in emails – e.g. requests for payment, urgent or immediate deadlines.
The main problem with this approach is that the sophisticated scams hide in plain sight. The attack emails display all of the same properties as a genuine email. Or worse, genuine emails contain all of the same properties as an attack email – so either all emails are blocked or the attack email gets through.
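The lookalike-domain check described above, shown as an added example rather than code from VaultConnect or any email security product. It folds common digit-for-letter substitutions, then compares the sender's domain name and suffix against a list of known supplier domains (vaultconnect.co.uk is the domain from the article; acme-stationery.com is a constructed sample). It also makes the article's point concrete: a genuine supplier domain whose mailbox has been compromised is classified as "known", because there is nothing in the domain to catch.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample list of suppliers that Accounts Payable pays regularly.
KNOWN_SUPPLIER_DOMAINS = ("vaultconnect.co.uk", "acme-stationery.com")

# Substitutions that look alike in many fonts; multi-character ones go first.
HOMOGLYPHS = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t"))


def normalise(label: str) -> str:
    """Fold lookalike glyphs so 'vau1t' compares equal to 'vault'."""
    label = label.lower()
    for glyph, letter in HOMOGLYPHS:
        label = label.replace(glyph, letter)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """'vaultconnect.co.uk' -> ('vaultconnect', 'co.uk'); the suffix may be swapped by a scammer."""
    name, _, suffix = domain.lower().partition(".")
    return name, suffix


@dataclass
class Verdict:
    verdict: str            # "known", "lookalike" or "unknown"
    matched: Optional[str]  # the genuine supplier domain it resembles, if any
    reason: str


def classify_sender(sender_domain: str, known=KNOWN_SUPPLIER_DOMAINS,
                    max_edits: int = 2) -> Verdict:
    """Decide whether a sender domain is a supplier, an imitation of one, or unrelated."""
    sender_domain = sender_domain.lower()
    if sender_domain in known:
        # A hijacked genuine mailbox lands here: the domain itself is clean.
        return Verdict("known", sender_domain, "exact match")
    s_name, s_suffix = split_domain(sender_domain)
    for genuine in known:
        g_name, g_suffix = split_domain(genuine)
        if normalise(s_name) == normalise(g_name):
            reason = "suffix swap" if s_suffix != g_suffix else "homoglyph substitution"
            return Verdict("lookalike", genuine, reason)
        if levenshtein(normalise(s_name), normalise(g_name)) <= max_edits:
            return Verdict("lookalike", genuine, "near-miss spelling")
    return Verdict("unknown", None, "no resemblance to a known supplier")


if __name__ == "__main__":
    for domain in ("vaultconnect.co.uk", "vau1tconnect.co.uk", "vaultconnect.co",
                   "vaultconect.co.uk", "unrelated.example"):
        print(domain, "->", classify_sender(domain))
```

Run as a script, the four imitations are reported as lookalikes with the reason, while the genuine domain is reported as known. That last result is the gap the article describes: once the sender is a real supplier address, the decision has to move out of the email channel and into the payment process itself.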
The Only Effective Way to Stop Business Email Compromise: Don’t Transmit
The only truly effective way to stop fraudsters using emails in the Accounts Payable process to perpetrate an attack is to remove email from the Accounts Payable process.
Clearly you can’t take away email altogether, but it is possible to create a process with suppliers whereby invoices and payment details are shared in a secure area. Users are controlled by granular permissions and every action is completely auditable.
Notifications of activity can be received by email, alerting users that actions need to be taken – but not in a way that makes either the action or detail visible to a fraudster.
Invoices can be added by suppliers, bank details can be updated by suppliers (and the ability to edit locked down to specific users) and contact details can be updated by suppliers. The Accounts Payable team can access invoices and all parties can view historic transactions.
In the event that a fraudster successfully compromises either the supplier or client email system, they have insufficient visibility of the process or transactions to effectively perpetrate an invoice hijack scam.
Securing your Accounts Payable process involves tackling all of People, Process and Technology:
- Lock down the process – create a secure shared area for suppliers to whom you make regular payments for all invoices and transaction details to be exchanged
- Authentication – protect all email accounts with two-factor authentication. This makes it more difficult for attackers to compromise your email accounts and use them to trick others inside or outside of your organisation. This also helps protect dealings with ad-hoc suppliers
- Verification – always make a requested wire transfer follow a prescribed series of steps that includes ensuring that bank details have not been recently changed. If they have been updated, be wary of recent changes to contact information. (If using VaultConnect, a complete history of changes is available for all information stored in a Vault – enabling users to see that both bank details and contact details have recently changed, which should trigger an additional layer of verification)
- Questioning – always assume that an account that is requesting a wire transfer may have been compromised until proven otherwise. That is especially true for emails that purport to be from the CEO or another senior manager. Best practice would lock this process away within a secure Vault too.
- Training – Show your team what a BEC / Invoice Hijack attack looks like (and if possible, regularly test them to ensure that they remain aware)
- Technology – Implement email security software to reduce the risk of attack and use a cloud-based, end-to-end encrypted secure information portal to provide the shared area for your Accounts Payable team and suppliers to whom you make regular payments.
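The Verification and Questioning steps above can be expressed as a payment-release gate that consults a supplier's change history. The following is an added illustration of that logic, not VaultConnect's software or any product's code; the supplier records, phone numbers and account numbers are constructed sample data. A payment goes through as standard when bank details have not changed in the lookback window; a recent bank change requires a callback before release; and a bank change combined with a recent contact-detail change is held as a suspected compromise. In every case the callback number is the one held on file before any recent change, since a number supplied alongside the change request is exactly what a fraudster would have updated first.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Union


@dataclass
class Change:
    field_name: str   # "bank_account", "phone" or "email"
    changed_on: date
    old_value: str
    new_value: str


@dataclass
class Supplier:
    name: str
    phone: str                                   # current on-file callback number
    history: List[Change] = field(default_factory=list)


@dataclass
class Decision:
    release: bool                   # may Accounts Payable release the funds now?
    level: str                      # "standard", "enhanced" or "hold"
    callback_number: Optional[str]  # number to verify against, if a callback is required
    reasons: List[str]


def assess_payment(supplier: Supplier, request_date: Union[date, str],
                   lookback_days: int = 30) -> Decision:
    """Gate a payment request on what has changed in the supplier record recently."""
    if isinstance(request_date, str):
        request_date = date.fromisoformat(request_date)
    window = timedelta(days=lookback_days)
    recent = sorted((c for c in supplier.history
                     if timedelta(0) <= request_date - c.changed_on <= window),
                    key=lambda c: c.changed_on)
    bank = [c for c in recent if c.field_name == "bank_account"]
    contact = [c for c in recent if c.field_name in ("phone", "email")]

    if not bank:
        return Decision(True, "standard", None,
                        [f"bank details unchanged in the last {lookback_days} days"])

    reasons = [f"bank account changed on {bank[-1].changed_on} to {bank[-1].new_value}"]
    # Use the number held BEFORE the earliest recent phone change, never the new one.
    phone_changes = [c for c in contact if c.field_name == "phone"]
    callback = phone_changes[0].old_value if phone_changes else supplier.phone

    if contact:
        reasons += [f"{c.field_name} changed on {c.changed_on}" for c in contact]
        reasons.append("bank and contact details changed together: treat as suspected compromise")
        return Decision(False, "hold", callback, reasons)

    reasons.append("verify the new account by calling the established on-file number")
    return Decision(False, "enhanced", callback, reasons)


# Constructed sample records (phone numbers use a fictional range; accounts are made up).
SAMPLE = Supplier(
    name="Acme Stationery Ltd",
    phone="+44 20 7946 0999",
    history=[
        Change("phone", date(2019, 3, 2), "+44 20 7946 0000", "+44 20 7946 0999"),
        Change("bank_account", date(2019, 3, 5), "12-34-56 11111111", "65-43-21 99999999"),
    ],
)
BANK_ONLY = Supplier(
    name="Acme Stationery Ltd",
    phone="+44 20 7946 0000",
    history=[Change("bank_account", date(2019, 3, 5), "12-34-56 11111111", "65-43-21 99999999")],
)

if __name__ == "__main__":
    print(assess_payment(SAMPLE, "2019-03-08"))     # hold: callback +44 20 7946 0000
    print(assess_payment(BANK_ONLY, "2019-03-08"))  # enhanced: callback on-file number
    print(assess_payment(SAMPLE, "2019-06-01"))     # standard: changes fall outside 30 days
```

The lookback window is the one tunable here; thirty days is a constructed default, and the right value depends on how long a supplier's legitimate account changes typically take to settle in your own process.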