Security researchers explain how businesses (and their customers) can protect themselves from a new type of business email compromise.
Many of the earlier business email compromises (also known as CEO fraud) involved emails that appeared to come from the chief executive or owner, instructing finance staff to make a payment to a particular account or via a money transfer service.
But SecureWorks' counter-threat unit has discovered a more sophisticated version being conducted by Nigerian and possibly other crime groups.
It works by compromising email accounts used for receiving orders and sending invoices.
The fraudsters quietly monitor the account until a customer asks for a quotation, and then set up a rule to redirect subsequent emails from the prospective purchaser to an account under their complete control. That account is used to intercept the resulting purchase order, which is then resent from another account that closely resembles the purchaser's real address.
Eventually, the vendor sends an invoice. The attacker changes the payment information so the funds are deposited into their own account rather than the vendor’s; the money is then laundered through multiple accounts in different countries, making recovery impossible.
Neither party may be aware of the problem until the vendor chases the customer for payment.
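The redirect rule is the attacker's foothold, so a defender can hunt for it directly. The following is an added example, not part of the SecureWorks report: it audits a constructed list of mailbox rules (in a generic dict shape; a real deployment would export rules from the mail platform's admin API) and flags any rule that redirects or forwards mail to an address outside the organisation's own domains, or that deletes mail from a particular correspondent. The domain list and sample rules are assumptions made for the example.

```python
# Added example (not from the SecureWorks report): audit mailbox rules for the
# redirect-to-attacker pattern described above. Rules are plain dicts here; in
# practice they would be exported from the mail platform and fed to the same check.
from typing import Iterable

# Assumption: these are the organisation's own mail domains. Anything else is external.
INTERNAL_DOMAINS = {"example-vendor.com"}

# Constructed sample: two rules that look like ordinary mailbox hygiene and one
# that silently diverts a customer's mail to an outside address and deletes it.
SAMPLE_RULES = [
    {"mailbox": "orders@example-vendor.com", "name": "Newsletter filter",
     "conditions": {"from_contains": "news@"}, "actions": {"move_to": "Newsletters"}},
    {"mailbox": "orders@example-vendor.com", "name": "Sync",
     "conditions": {"from_contains": "buyer@acme-customer.com"},
     "actions": {"redirect_to": "orders.desk@mail-relay.example", "delete": True}},
    {"mailbox": "invoices@example-vendor.com", "name": "Copy to shared box",
     "conditions": {}, "actions": {"forward_to": "archive@example-vendor.com"}},
]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rule(rule: dict, internal: set = INTERNAL_DOMAINS) -> list:
    """Return a list of findings for one rule (empty list means nothing suspicious)."""
    findings = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    # Any redirect or forward to a domain we do not own is worth a human look.
    for key in ("redirect_to", "forward_to"):
        target = actions.get(key)
        if target and domain_of(target) not in internal:
            findings.append(f"{key} to external address {target}")
    # A rule that deletes mail from one correspondent hides that conversation
    # from the mailbox owner, which is the effect the attack relies on.
    if actions.get("delete") and conditions.get("from_contains"):
        findings.append(f"deletes mail from '{conditions['from_contains']}'")
    return findings


def audit_rules(rules: Iterable) -> list:
    """Return (mailbox, rule name, findings) for every rule with at least one finding."""
    out = []
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            out.append((rule["mailbox"], rule["name"], findings))
    return out


if __name__ == "__main__":
    for mailbox, name, findings in audit_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule '{name}': " + "; ".join(findings))
```

Run as a script it reports only the "Sync" rule on the orders mailbox, with both findings. Running this audit on a schedule (and alerting on newly created rules rather than only on a one-off sweep) catches the redirect before a purchase order is ever intercepted.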
Seven ways to secure invoices
Both buyers and sellers have a role to play in identifying this type of BEC attack before the damage is done. SecureWorks' suggestions include:
- Implement 2-Step-Verification for corporate and personal email.
- Carefully review wire transfer information in suppliers' email requests to identify any suspicious details.
- Always confirm wire transfer instructions with designated suppliers using a previously established non-email mode of communication, such as a fax number or phone number.
- Be suspicious of pressure to take action quickly and of promises to apply large price discounts on future orders if payment is made immediately.
- Thoroughly check email addresses for accuracy and watch for small changes that mimic legitimate addresses, such as the addition, removal, substitution or duplication of single characters in the address or hostname.
- For organisations that use intrusion detection and intrusion prevention systems (IDS/IPS), create rules that flag emails from domains that closely resemble the company's own (such as abc_company versus abc-company).
- Limit the information that employees post to social media and to the company website, especially information about job duties and descriptions, management hierarchy, and out-of-office details.
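The two address checks above (spotting single-character additions, removals, substitutions and duplications, and flagging domains that differ from a known one only by a separator such as abc_company versus abc-company) can be automated against a supplier allow-list. The following is an added example, not code from the SecureWorks report: it normalises away the cheap variations (case, `-`/`_`, a few digit look-alikes, `rn` for `m`) and then uses plain edit distance to catch one- or two-character changes. The supplier list, sample senders and thresholds are assumptions made for the example.

```python
# Added example (not from the SecureWorks report): flag sender domains that are
# near-misses of known supplier domains, covering separator swaps, look-alike
# characters and single-character edits.
import re

# Constructed allow-list of suppliers the finance team actually deals with.
KNOWN_SUPPLIER_DOMAINS = {"abc-company.com", "northwind-traders.co.uk"}

# Digits commonly substituted for letters in look-alike addresses.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s"})


def normalise(domain: str) -> str:
    """Collapse case, digit look-alikes, 'rn' for 'm' and the -/_ separators."""
    d = domain.lower().translate(HOMOGLYPHS)
    d = d.replace("rn", "m")
    return re.sub(r"[-_]", "", d)


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_SUPPLIER_DOMAINS, max_distance: int = 2) -> tuple:
    """Return (verdict, matched_domain); verdict is 'known', 'lookalike' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in known:
        return ("known", domain)
    norm = normalise(domain)
    best = None
    for k in known:
        # Identical once separators and look-alike characters are removed.
        if normalise(k) == norm:
            return ("lookalike", k)
        # Otherwise a small number of single-character edits away.
        dist = levenshtein(domain, k)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, k)
    if best:
        return ("lookalike", best[1])
    return ("unknown", None)


def screen(senders) -> list:
    """Classify a batch of sender addresses; returns (address, verdict, match) rows."""
    return [(s,) + classify_sender(s) for s in senders]


# Constructed sample senders: one genuine, three look-alikes, one unrelated.
SAMPLE_SENDERS = [
    "accounts@abc-company.com",
    "accounts@abc_company.com",
    "accounts@abc-cornpany.com",
    "accounts@abc-companyy.com",
    "someone@example.org",
]

if __name__ == "__main__":
    for address, verdict, match in screen(SAMPLE_SENDERS):
        print(f"{address:32} {verdict:10} {match or ''}")
```

A "lookalike" verdict on an email carrying changed payment details is exactly the case the out-of-band confirmation step above exists for; an "unknown" sender asking for a bank change deserves the same phone call. The threshold of two edits is deliberately tight so that legitimately different suppliers are not flagged against each other.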