Scammers intercepting business emails in fake invoice scams

06 Sep 2018

CERT NZ is warning New Zealand businesses to be aware of an upsurge in fake invoices, which are often intercepting genuine payments.

CERT NZ says it has received a spike of reports about invoice scams recently. The best method of prevention is to strengthen email security and verbally confirm any change in bank account details.

Typically scammers gain access to a company’s email account, monitor emails and then target customers who owe large payments.

The scammers then use the company’s email address to tell those customers that bank account details have changed. Sometimes the scammer will even alter an invoice to change the bank details.

CERT NZ advises that some scammers are also using auto-forwarding rules on a company’s email, so they can respond directly to customers without the business ever knowing about it.

Scammers will also use filtering rules to delete their sent mail so their messages can’t be detected.

Are you affected?

CERT NZ says there are three main ways businesses can detect unusual activity:

  • Check auto-forwarding rules on email accounts, especially accounts relating to accounts receivable. Check to see if there are any forwarding rules to accounts you are not familiar with.
  • Check auto-filtering rules on email accounts. Check to see if there are any rules that you did not set up.
  • Review your email access logs for any unusual login behaviour – particularly odd login times and unexpected or foreign IP addresses.
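The three checks above as an added example (not part of CERT NZ's advice or the original article): it audits a constructed export of mailbox rules and login events. The export format, mail domain, office network range and working hours are assumptions to replace with your own.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions for this example (not from CERT NZ): own mail domain, known
# office network and normal working hours. All sample data is constructed.
OWN_DOMAIN = "example.co.nz"
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]
WORK_HOURS = range(7, 19)  # 07:00-18:59 local time
MAILBOX = "accounts@example.co.nz"

RULES = [  # hypothetical export format: one dict per mailbox rule
    {"mailbox": MAILBOX, "name": "Newsletters", "action": "move", "target": "Newsletters"},
    {"mailbox": MAILBOX, "name": ".", "action": "forward", "target": "ar.copy@mailbox.example"},
    {"mailbox": MAILBOX, "name": "..", "action": "delete", "target": None},
]
LOGINS = [  # hypothetical access-log format
    {"user": MAILBOX, "time": "2018-09-03T09:12:00", "ip": "203.0.113.25", "ok": True},
    {"user": MAILBOX, "time": "2018-09-04T02:47:00", "ip": "198.51.100.77", "ok": True},
    {"user": MAILBOX, "time": "2018-09-04T02:45:00", "ip": "198.51.100.77", "ok": False},
]

def audit_rules(rules, own_domain=OWN_DOMAIN):
    """Flag forwards that leave the business and rules that delete mail."""
    findings = []
    for r in rules:
        if r["action"] == "forward":
            domain = r["target"].rsplit("@", 1)[-1].lower()
            if domain != own_domain:
                findings.append((r["mailbox"], r["name"], "forwards to external address"))
        elif r["action"] == "delete":
            findings.append((r["mailbox"], r["name"], "deletes mail automatically"))
    return findings

def audit_logins(logins, networks=KNOWN_NETWORKS, hours=WORK_HOURS):
    """Flag successful logins from unfamiliar networks or at odd times."""
    findings = []
    for e in logins:
        if not e["ok"]:
            continue  # only successful logins are reviewed here
        reasons = []
        if not any(ip_address(e["ip"]) in n for n in networks):
            reasons.append("unfamiliar IP")
        if datetime.fromisoformat(e["time"]).hour not in hours:
            reasons.append("odd login time")
        if reasons:
            findings.append((e["user"], e["time"], reasons))
    return findings

if __name__ == "__main__":
    print(audit_rules(RULES), audit_logins(LOGINS))
```

Every finding still needs a person to confirm it with the mailbox owner, since a legitimate rule or a login while travelling will also be flagged.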

How to mitigate the problem

CERT NZ says that if companies are expecting a payment that hasn’t arrived or have made a payment that hasn’t been received, it could be a sign of this scam.

Businesses that have made payment:

You should call the intended recipient, confirm bank details and check that the payment hasn’t been received. If details don’t match, call the bank immediately. The bank may be able to recover the money if it is caught early enough. Businesses should also file a report with CERT NZ.

Businesses that are expecting payments that haven’t arrived:

You should call the person responsible for the payment and ask them to confirm bank details. If details don’t match, the person should contact their bank to find out if the payment can be stopped.

  • “Immediately change the email passwords for the email account that sent the invoice. In the email settings, see if there’s an option to close all open sessions.
  • We strongly recommend you turn on two-factor authentication for your email accounts.
  • In the email settings, see if there are any unexpected auto-forwarding or auto-filtering rules. Remove any you find.
  • Report the incident to CERT NZ. Make sure you tick the ‘share with partners’ option so that we can share the details with NZ Police.”

CERT NZ also offers the following prevention tips:

Strengthen your email security

  • CERT NZ strongly recommends you have two-factor authentication on your email accounts.
  • Make sure all email passwords in your business are strong and not used anywhere else. Encourage staff to use a password manager to help remember all their passwords.
  • Consider disabling the auto-forwarding configuration. If your business does not use this feature, it can be disabled to prevent these rules from being set up.
  • Set up logging on your business’ email. These logs should cover login attempts (both those that are successful and unsuccessful). They should also cover email delivery status, which tracks when emails might have been forwarded or deleted.

Improving invoice payment practices:

  • If a business tells you they have a new bank account number, double check it with the business over the phone or text.
  • Look on the business’ website for their phone number, in case the scammers have changed the phone number on the address as well.
  • As general practice, implement processes for managing payments over a certain amount. For example, the process could involve needing two people in your business to review the invoice and to confirm the details over the phone with the business.
  • Store the details of regular vendors in your internet banking, so that you have the correct bank details saved.