Business Email Compromise (BEC), Invoice Hijacking and Email Interception fraud are growing at an exponential rate.

Fraudsters are successfully exploiting the Accounts Payable processes of businesses of all sizes – from global organisations to local SMEs. What is making these attacks so successful?

BEC is a cyber-enabled fraud that evades cyber-security measures. It is perpetrated by organised criminal gangs on a global scale. The setup of an attack is sophisticated and exploits weaknesses in technology, process and practice. It subverts both standard patterns of working and verification measures – relying on age-old means of deception.

Weakness 1: The Standard Process

In most organisations, Accounts Payable processes follow a very similar pattern. Regardless of size, the mission of an organisation's Accounts Payable function is to ensure that only bills that are legitimate and accurate get paid.

The pattern will typically involve:

  • Requesting goods and services – often via Purchase Order
  • Receiving goods and services
  • Receiving an invoice
  • Verifying that the invoice details marry up with goods / services received
  • Authorising the invoice for payment
  • Making payment – in most cases these days via wire transfer / electronic payment (BACS, CHAPS, etc.)

In all but the smallest organisations there are multiple departments and people involved in the internal elements of request, receipt, authorisation and payment – and the standard means of business communication is email.

Communications with external suppliers will also rely on email.

For a criminal, this process contains all the elements of a crime: Means, Motive and Opportunity. Motive and Opportunity exist because, in the words of famous bank robber Willie Sutton, "that's where the money is".

The Means exists if a criminal can subvert the requesting, invoicing, authorising or payment elements of the process. Unfortunately, the inherent insecurity of email combined with the remaining factors make this possible.

Weakness 2: Email and Technology

Invoice Hijacking has become prevalent because processes that rely on email are relatively straightforward to subvert.

Firstly, email is an insecure medium – it was not designed with secure communication in mind. Email has been compared to sending a postcard written in pencil. It passes through multiple servers internationally, it is readily viewable by anybody who can intercept it at those servers, and the text can be updated in transit.

Secondly, we’re conditioned to deal with email quickly.  The typical employee receives 120 emails / day and learns to process them quickly so they can do their job.

Thirdly, most organisations treat cyber threats as a job for the IT department to protect them against. This is fine for many cyber threats (viruses, denial of service attacks, malware, etc.) but is problematic for Business Email Compromise. Automated scans can only block a percentage of threats, and if staff need to receive emails to do their job then all the fraudster needs to do is deliver one that contains the same properties as a legitimate email.

Weakness 3: Organised and Enterprising Fraudsters

BEC often evades detection because the transaction or communication appears legitimate from the company's perspective. Confirmation calls and other authentication mechanisms are also subverted – making it even trickier to identify.

The typical loss to a BEC attack in the UK is over £22,000 – the amounts at stake make it worth the elaborate setup involved to pull it off.

The success rates and sums of money involved have created a global industry. The FBI estimates global losses to be in excess of $12.5bn, and its attempts to foil the scams have revealed a complex global network of organised criminals.

As this anatomy of a scam reveals, these gangs have the resources to gain access to organisations' email in order to either attack them directly or to strike at their clients. They invest time in researching patterns and processes in order to maximise credibility – delivering the right message, with the right content, to the right contacts at the right time.

As organisations put measures in place to protect themselves, the fraudsters hone their approach to bypass them. If it's worth the effort to gain access and research the contacts and messages involved in invoicing and payment, then it's worth the effort to put pre-emptive measures in place to divert verification calls.

Weakness 4: The Human Factor

The saying “Your biggest threat wears shoes” is a truism in so many aspects of cyber-security.  It’s especially the case in BEC and invoice hijacking.

How many of your employees check the header information of every email they receive to verify that it was actually sent from the sender it appears to be from?  Most won’t even know how to do it.

And what if that sender appears to be the person they would normally expect to receive mail from, sending an email they are expecting, and using the pattern of communication they'd expect to see?
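The header check the paragraphs above describe can be automated at the mail gateway or in the finance team's inbox rules. The following is an added example and not code from the article: it reads the headers of one message and reports the signals a defender would look at before trusting a payment-related email, namely a Reply-To or Return-Path on a different domain from the From address, failed SPF/DKIM/DMARC verdicts recorded by the receiving server in Authentication-Results, and a sender domain that is a near-miss of a known supplier domain. The supplier domain list, the sample message and the "acme-supplies.example" names are all constructed for the example.

```python
"""Header checks for an incoming invoice email (added example, not from the article).

Flags the signals a defender inspects before trusting a payment-related message:
a Reply-To pointing somewhere other than the From domain, a Return-Path on a
different domain, failed SPF/DKIM/DMARC results recorded by the receiving mail
server, and a sender domain that is a lookalike of a known supplier domain.
The supplier list and sample message below are constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of domains this finance team actually deals with.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Matches verdict tokens such as "spf=pass", "dkim=none", "dmarc=fail".
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance; a small distance between distinct domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_SUPPLIER_DOMAINS):
    """Return the known supplier domain this one resembles (within 2 edits), or None."""
    for k in known:
        if domain != k and edit_distance(domain, k) <= 2:
            return k
    return None


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from all Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RESULT_RE.findall(value):
            verdicts[method.lower()] = result.lower()
    return verdicts


def check_headers(raw):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    return_domain = domain_of(msg["Return-Path"])

    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")
    for method, result in auth_results(msg).items():
        if result != "pass":
            findings.append(f"{method} result is '{result}' for {from_domain}")
    impersonated = lookalike_of(from_domain)
    if impersonated:
        findings.append(f"From domain {from_domain} looks like known supplier {impersonated}")
    return findings


# Constructed sample: a "new bank details" message from a lookalike domain
# whose replies are routed to an unrelated mailbox.
SAMPLE_EMAIL = """\
Return-Path: <billing@acme-supp1ies.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=acme-supp1ies.example; dkim=none; dmarc=fail header.from=acme-supp1ies.example
From: "Acme Supplies Billing" <billing@acme-supp1ies.example>
Reply-To: <accounts.acme@freemail.example>
To: ap@victim.example
Subject: Updated remittance details for invoice 4471

Please use our new bank account for all future payments.
"""

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against the constructed sample it reports four findings (the Reply-To mismatch, the dkim and dmarc verdicts, and the lookalike domain); a message from a known domain with passing verdicts and consistent headers reports none. Authentication-Results is only trustworthy when it was written by your own receiving server, so a production version should discard copies of that header that arrive with the message from outside.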

Training and awareness of specific threats can weed out some of the risk, but there is always room for human error.

Organised criminals, skilled in deception, target this human factor to create credible requests to make payments to their accounts, in many cases diverting payments away from legitimate suppliers.

Humans are both the route in and the key enablers.

The Only Effective Protection: Don’t Transmit!

Foiling Business Email Compromise involves taking critical elements of the invoicing process away from email.

Email provides the fraudster with the means and opportunity to perpetrate the fraud:

  • Means: the ability to either compromise an email account or mimic it
  • Opportunity: to research the contacts, content and timing of messages relating to financial transactions
  • Means: to deliver credible requests for payment in an expected medium to an audience conditioned to act on the request

If an Accounts Payable process takes the request for payment and the communication about where payments should be made away from email then it removes the means and opportunity.

You can’t foil Business Email Compromise with a procedure that still involves email.
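As an added illustration of the control this section argues for (example code, not from the article or any product), the following models an Accounts Payable flow in which the supplier master record is the only source of truth for where money goes. A bank-detail change arriving by email is refused outright; one arriving through an accepted channel is applied only after a confirmation call to the number captured at supplier onboarding, never to a number supplied inside the request; and an invoice naming a different account from the record is held rather than paid. The supplier names, account strings and phone numbers are constructed.

```python
"""Keeping payment destinations out of email (added example, not from the article).

The supplier master record holds the account to pay and a callback number
recorded at onboarding. Changes are never accepted from email, must be
confirmed by calling the number on file, and invoices are paid only to the
account on record. All data below is constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Supplier:
    name: str
    account: str             # sort code / account number currently on file
    callback_phone: str      # captured at onboarding, never taken from an inbound message
    history: list = field(default_factory=list)   # (old, new, channel) audit trail


@dataclass
class ChangeRequest:
    supplier: str
    new_account: str
    channel: str             # "email", "portal", "post", ...
    phone_in_request: str = ""   # a number the requester asks you to call; deliberately unused


def build_master():
    """Constructed supplier master data for the example."""
    return {
        "Acme Supplies": Supplier("Acme Supplies", "20-00-00 12345678", "+44 20 7946 0000"),
    }


def apply_change(master, req, dialled):
    """Apply a bank-detail change; returns (status, message).

    'dialled' is the number the AP clerk actually called to confirm the change.
    It must equal the stored callback_phone, so a number planted in the request
    can never satisfy the check.
    """
    supplier = master[req.supplier]
    if req.channel == "email":
        return "rejected", "bank details are never accepted from email; use the portal or postal form"
    if dialled != supplier.callback_phone:
        return "rejected", "confirmation call must go to the number on file, not one from the request"
    supplier.history.append((supplier.account, req.new_account, req.channel))
    supplier.account = req.new_account
    return "applied", f"{req.supplier} account updated via {req.channel}"


def approve_invoice(master, supplier_name, invoice_account, amount):
    """Release payment only to the account held in the master record."""
    supplier = master[supplier_name]
    if invoice_account != supplier.account:
        return "held", f"invoice names {invoice_account}; master record has {supplier.account}"
    return "approved", {"payee": supplier_name, "account": supplier.account, "amount": amount}


if __name__ == "__main__":
    master = build_master()
    # Change request arriving by email, asking for a call to a number it supplies.
    by_email = ChangeRequest("Acme Supplies", "40-00-00 87654321", "email", "+44 20 7946 0999")
    print(apply_change(master, by_email, "+44 20 7946 0999"))
    # Same change through the portal, confirmed by calling the number on file.
    by_portal = ChangeRequest("Acme Supplies", "40-00-00 87654321", "portal")
    print(apply_change(master, by_portal, "+44 20 7946 0000"))
    print(approve_invoice(master, "Acme Supplies", "40-00-00 87654321", 22000))
```

The two rejection paths are the point: the channel check removes email as a way to ask for a change at all, and comparing the dialled number with the stored one defeats a request that tries to steer the verification call.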