
Scammers intercepting business emails in fake invoice scams

06 Sep 2018

CERT NZ is warning New Zealand businesses to be aware of an upsurge in fake invoices, which are often intercepting genuine payments.

CERT NZ says it has received a spike of reports about invoice scams recently. The best method of prevention is to strengthen email security and verbally confirm any change in bank account details.

Typically scammers gain access to a company’s email account, monitor emails and then target customers who owe large payments.

The scammers then use the company’s email address to tell those customers that bank account details have changed. Sometimes the scammer will even alter an invoice to change the bank details.

CERT NZ advises that some scammers are also using auto-forwarding rules on a company’s email, so they can respond directly to customers without the business ever knowing about it.

Scammers will also use filtering rules to delete their sent mail so their messages can’t be detected.

Are you affected?

CERT NZ says there are three main ways businesses can detect unusual activity:

  • Check auto-forwarding rules on email accounts, especially accounts relating to accounts receivable. Check to see if there are any forwarding rules to accounts you are not familiar with.
  • Check auto-filtering rules on email accounts. Check to see if there are any rules that you did not set up.
  • Look at your email access logs for any unusual login behaviour – particularly odd login times and unexpected or foreign IP addresses.
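
As an added illustration (not from CERT NZ or the original article), the three checks above can be run over exported mailbox rules and sign-in records. The field names, company domain, known IP range and business hours are assumptions, and all sample data is constructed.

```python
import ipaddress
from datetime import datetime

# Everything below is constructed sample data; field names are hypothetical and
# stand in for whatever your mail provider's rule and sign-in exports contain.
COMPANY_DOMAIN = "example.co.nz"
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # office / VPN egress
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, timestamps assumed local time

RULES = [
    {"mailbox": "accounts@example.co.nz", "name": "Newsletters",
     "forward_to": [], "action": "move"},
    {"mailbox": "accounts@example.co.nz", "name": ".",
     "forward_to": ["ar-copy@mail.example.net"], "action": "none"},
    {"mailbox": "accounts@example.co.nz", "name": "..",
     "forward_to": [], "action": "delete"},
]
LOGINS = [
    {"user": "accounts@example.co.nz", "time": "2018-09-03T09:12:00", "ip": "203.0.113.20"},
    {"user": "accounts@example.co.nz", "time": "2018-09-04T02:47:00", "ip": "198.51.100.77"},
    {"user": "accounts@example.co.nz", "time": "2018-09-04T21:30:00", "ip": "203.0.113.20"},
]

def audit_rules(rules, domain=COMPANY_DOMAIN):
    """Return (mailbox, rule name, reason) for rules a person should review."""
    findings = []
    for r in rules:
        # Any forwarding target outside the company domain is worth a look.
        external = [a for a in r["forward_to"]
                    if not a.lower().endswith("@" + domain)]
        if external:
            findings.append((r["mailbox"], r["name"], "forwards to " + ", ".join(external)))
        # Rules that silently delete mail can hide a scammer's messages.
        if r["action"] == "delete":
            findings.append((r["mailbox"], r["name"], "deletes mail automatically"))
    return findings

def audit_logins(logins, networks=KNOWN_NETWORKS, hours=BUSINESS_HOURS):
    """Return (user, time, reasons) for logins that look unusual."""
    findings = []
    for e in logins:
        reasons = []
        if not any(ipaddress.ip_address(e["ip"]) in n for n in networks):
            reasons.append("unexpected IP " + e["ip"])
        if datetime.fromisoformat(e["time"]).hour not in hours:
            reasons.append("odd login time")
        if reasons:
            findings.append((e["user"], e["time"], reasons))
    return findings
```

Anything the two functions return is a prompt for a person to confirm whether the rule or login was legitimate, not proof of compromise.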

How to mitigate the problem

CERT NZ says that if companies are expecting a payment that hasn’t arrived or have made a payment that hasn’t been received, it could be a sign of this scam.

Businesses that have made payment:

You should call the intended recipient, confirm bank details and check that the payment hasn’t been received. If details don’t match, call the bank immediately. The bank may be able to recover the money if it is caught early enough.  Businesses should also file a report with CERT NZ.

Businesses that are expecting payments that haven’t arrived:

You should call the person responsible for the payment and ask them to confirm bank details. If details don’t match, the person should contact their bank to find out if the payment can be stopped.

  • “Immediately change the email passwords for the email account that sent the invoice. In the email settings, see if there’s an option to close all open sessions.
  • We strongly recommend you turn on two-factor authentication for your email accounts.
  • In the email settings, see if there are any unexpected auto-forwarding or auto-filtering rules. Remove any you find.
  • Report the incident to CERT NZ. Make sure you tick the ‘share with partners’ option so that we can share the details with NZ Police.”

CERT NZ also offers the following prevention tips:

Strengthen your email security

  • CERT NZ strongly recommends you have two-factor authentication on your email accounts.
  • Make sure all email passwords in your business are strong and not used anywhere else. Encourage staff to use a password manager to help remember all their passwords.
  • Consider disabling the auto-forwarding configuration. If your business does not use this feature, it can be disabled to prevent these rules from being set up.
  • Set up logging on your business’ email. These logs should cover login attempts (both successful and unsuccessful). They should also cover email delivery status, which tracks when emails might have been forwarded or deleted.

Improving invoice payment practices:

  • If a business tells you they have a new bank account number, double check it with the business over the phone or text.
  • Look on the business’ website for their phone number, in case the scammers have changed the phone number on the address as well.
  • As general practice, implement processes for managing payments over a certain amount. For example, the process could involve having two people in your business review the invoice and confirm the details over the phone with the business.
  • Store the details of regular vendors in your internet banking, so that you have the correct bank details saved.