Invoice emails are the new Trojan horse

They are an everyday part of business, but invoice emails are the latest vehicle for tricky fraudsters and are getting increasingly hard to detect

Receiving an email request from a co-worker to pay an invoice happens every minute, of every hour, of every day. So do fraudulent ones. Online criminals are increasingly targeting those who hold the corporate purse strings. Working from home during the pandemic, the finance department has been rich pickings for so-called business email compromise, or BEC, a type of fraud that costs billions.

The surge in targeted chief executive or chief financial officer fraud, as it’s also known, has seen cybercriminals exploit the lockdown with coronavirus-themed campaigns that trick unsuspecting employees. According to Abnormal Security, during May there was a 200 per cent spike in the United States, where it accounts for half of all cybercrime-related financial losses. The FBI Internet Crime Report puts the cost at $1.77 billion a year. The UK is not immune and is second in the world after America in terms of the number of attacks.

“Many criminals are exploiting the fear and confusion stirred up by COVID-19. We’ve seen them impersonating senior members of company staff who then intimidate employees into making urgent payments. We’ve also observed con artists contacting businesses claiming to be government officers administering special coronavirus-related tax grants,” says Amanda Finch, chief executive of the Chartered Institute of Information Security.

Why business email compromise works

As digital cyber-defences get more sophisticated, business email compromise continues to slip under the radar. That’s because the perpetrators don’t need to be expert programmers or whizzy malware authors; they don’t need to be elite hackers or past masters in network intrusions.

“What they do have is patience, persistence and advanced-level skills in social engineering. In old-school terminology, you’d call them confidence tricksters,” says Paul Ducklin, principal security researcher at Sophos.

What cybercriminals do have is patience, persistence and advanced-level skills in social engineering

“The idea behind this crime is simple: get hold of the email password of someone important in finance, read their email before they do, learn how they operate, find out what the company is up to and when big payments are coming up then misdirect employees, creditors and debtors. Once the operation is up and running, they aim to keep the misdirection going for as long as possible by mixing social engineering skills with insider knowledge.”

Uncertainty among staff is a key weapon for this type of scammer; leveraging trust is their preferred method, as well as using spoofed compromised accounts, stolen credentials and malware to get inside email accounts. BEC attackers don’t need to crack passwords themselves to gain entry into servers either, they can buy them from other criminals on the dark web.

Beware of deepfake CEO fraud

Insurance claims received by Aviva highlight the seriousness and increasing complexity of business email compromise attacks. “One corporation was alerted to a bank transfer following an engineered call from their CEO, which was generated using machine-learning to recreate the call using the CEO’s voice,” says Patrick Tiernan, Aviva’s managing director of UK commercial lines.

Deepfake technology is the latest frontier for this type of fraud. Images, voice and video can all now be replicated accurately. With so many people working remotely as a result of the pandemic it means employees are less able to verify legitimate requests. Combine this with scams that cite the impact and urgency of the health crisis and you have a perfect cybercrime storm.

“Many criminals who breach as a side job were forced to work from home or their shifts were curtailed throughout lockdown, leaving them with more time and motivation to make up their income elsewhere,” says Matt Aldridge, principal solutions architect at Webroot. “This is a toxic cocktail for increased attacks.”

Since most attacks follow a simple pattern, employees can be trained to spot less sophisticated ones, although some training programmes were stopped during lockdown. Simulated phishing exercises help, as does multi-factor authentication and DMARC, an email authentication protocol.

“Enforced re-logins from different network environments and regular password changes can make a difference,” says Fiona Boyd, head of cybersecurity at Fujitsu. “But all the training in the world cannot help employees to spot something suspicious if an instruction is received from a senior executive’s email address.”

Behaviour-based tech is a saviour

The biggest defence against business email compromise is therefore behaviour-centric cybersecurity solutions. Technology is now better at spotting people’s actions that aren’t quite right. “It’s only when users begin acting out of character or in ways contrary to policies that businesses will begin to spot threats in their early stages,” explains Audra Simons, director of Forcepoint Innovation Labs.

Technologies such as machine-learning can now help detect unusual behaviour, relationships or content that pops into employees’ email boxes. Data science then decides whether an email is an attack or not. It is a new line of defence against BEC fraud.

“Some solutions model the behaviour of cybercriminals with threat intelligence to detect email attacks. We model the behaviour of individuals and organisations, and then determine whether an email is an attack, if it falls outside a particular baseline of activity,” says Kenneth Liao, vice president of cybersecurity strategy at Abnormal Security.

“We have to remember that these attacks leverage social engineering tactics and do not use malicious attachments or links. This approach slips by all traditional security controls that look for threat indicators, which don’t actually exist with these attacks. So many organisations have given up on addressing this problem and point to security awareness training as the solution. This is unfortunate because there is now new technology that can address these attacks.”

Aside from people and tech, there’s a third line of defence: processes. These can go a long way to combating this type of fraud. Those companies that rigorously get everything countersigned, with strict controls in place, with second or third opinions needed before payment are at an advantage.

“It is worth revising your accounts payable and receivable to include cross-checks at every stage where payments and account changes are involved. If in doubt, don’t give it out,” says Ducklin at Sophos. Certainly, there is no single approach that will guarantee protection against business email compromise, but at least there are now a lot more tools.