
Invoice Scams

In the last few days we have seen a rise in invoice scams: spear phishing attacks against accounts teams, pretending to be from the MD and requesting money transfers, and emails pretending to be from suppliers, containing "invoices" that are actually Trojans.

Spear Phishing

Spear phishing attacks are those where an attacker uses public information to target a specific individual. In this instance, the attacker found the name of the MD, faked an email address in his name, and then asked a seemingly innocent question to build confidence. The conversation is below:

Attacker:

What is our cut off time and transfer limit for a same day payment? 

Regards

[Name of MD] 

Sent from my iPhone


Accounts:

I am not sure.  I need to check with the bank.  I’ll let you know.

[Name of Accounts]


Attacker:

Ok let me know once you do. Meanwhile we need a payment of £17,210 made today? Can you handle this right now? Let me know when to forward details.


Regards

[Name of MD] 

Sent from my iPhone


Accounts:

Yes I can do it now

[Name of Accounts]


Attacker:

Ok here are the details:


Name: [Name]

Account no: [Account Number]

Bank: [Bank]

Sort code:  [Sort Code]


Send me payment confirmation once it is completed.


Regards

[Name of MD]

Sent from my iPhone


It was at this point that the accounts team thought it best to check with the MD. These forms of attack are common, but they are also carefully scripted to make it seem like you are talking to the right person. Because email provides no real verification of the sender, a message can also be made to appear to come from the MD even when the address behind it is wrong. Our recommendation is always to have a second check in place, using a different method of communication from the one the request arrived by, to make sure every payment is legitimate.
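The sender checks described above can be partly automated on the receiving side. The following Python example is added here and is not code from the original post; it uses only the standard library and assumes a constructed company domain (example.co.uk), a constructed executive name and address, and a constructed message. It flags an email whose From display name matches a known executive while the address is not that executive's, a sender domain that is a lookalike of the company's own, and a Reply-To that differs from the From address, all of which are common features of the "MD asks for a transfer" pattern.

```python
"""Flag display-name impersonation and lookalike sender domains in an email.

Added example; all names, domains and the sample message below are constructed
and not taken from the original post.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the organisation being protected (placeholders).
COMPANY_DOMAIN = "example.co.uk"
EXECUTIVES = {"jane doe": "jane.doe@example.co.uk"}  # display name -> real address


def check_sender(raw_message):
    """Return a list of findings about the sender; an empty list means nothing suspicious.

    The display-name match is deliberately simple (exact, case-insensitive);
    a production check would also handle "Doe, Jane" and similar variants.
    """
    msg = message_from_string(raw_message)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name = display.strip().lower()

    # 1. The name of a known executive used with an address that is not theirs.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append(
            f"display name '{display}' matches an executive but address is {addr}"
        )

    # 2. Sender domain is not ours; a near-miss spelling is a lookalike domain.
    if domain and domain != COMPANY_DOMAIN:
        similarity = SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio()
        kind = "lookalike domain" if similarity >= 0.8 else "external domain"
        findings.append(f"{kind} {domain} (company domain is {COMPANY_DOMAIN})")

    # 3. Replies would go somewhere other than the apparent sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    return findings


# Constructed sample: the digit 1 replaces the letter l in the domain.
SPOOFED = (
    "From: Jane Doe <jane.doe@examp1e.co.uk>\n"
    "Reply-To: Jane Doe <md.urgent@webmail.example>\n"
    "Subject: Same day payment\n"
    "\n"
    "What is our cut off time and transfer limit for a same day payment?\n"
)

GENUINE = (
    "From: Jane Doe <jane.doe@example.co.uk>\n"
    "Subject: Board papers\n"
    "\n"
    "Attached as discussed.\n"
)

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_sender(sample) or "no findings")
```

Run over a mailbox export, these findings are a triage aid rather than a verdict: a genuine executive mailing from a personal address will also trip the external-domain check, which is exactly the case where the out-of-band phone call recommended above should settle the question.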

Fake Invoices

The second scam used a very cleverly designed email made to look as if it had come directly from the QuickBooks online invoicing system. See below:

This looks perfectly legitimate; the only oddity was that the name of the supplier was unknown. Clicking the link would have downloaded a file containing a Trojan. It should be noted that the company named in such an email is normally a legitimate company with no knowledge of the email you were sent. For this reason I have removed the company's logo and name from these screenshots.

The only way to really tell that this was a fake email was to look at the link behind the View Invoice button. When you did, you would see that it pointed at a file download from someone's SharePoint account. Whilst this can be perfectly legitimate in some situations, you would not download a QuickBooks invoice from SharePoint.
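The check described here, looking at where the button actually points rather than what it says, can also be scripted. The following Python example is added here and is not code from the original post or from QuickBooks; it assumes a constructed allow-list of hosts a genuine QuickBooks link would use (intuit.com and quickbooks.com) and a constructed list of file-sharing hosts where a supplier invoice would not be expected, and it runs over a constructed HTML body. It collects every link with its visible text and flags call-to-action links whose host is either a file-sharing service or outside the claimed brand's domains.

```python
"""Extract the real targets of links in an HTML email and compare them with
the brand the email claims to come from.

Added example; the allow-lists and sample HTML are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: hosts a genuine link from each brand is expected to point at.
BRAND_HOSTS = {"quickbooks": ("intuit.com", "quickbooks.com")}
# Assumed: hosts where an invoice from an invoicing service would not live.
FILE_SHARING_HOSTS = ("sharepoint.com", "onedrive.live.com", "drive.google.com")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def host_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def check_invoice_links(html_body, claimed_brand):
    """Return findings for links that do not fit the brand the email claims."""
    collector = LinkCollector()
    collector.feed(html_body)
    allowed = BRAND_HOSTS.get(claimed_brand.lower(), ())
    findings = []
    for text, href in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host_matches(host, FILE_SHARING_HOSTS):
            findings.append(
                f"'{text}' -> {host}: file-sharing host, not an invoicing service"
            )
        elif allowed and not host_matches(host, allowed):
            findings.append(f"'{text}' -> {host}: not a {claimed_brand} host")
    return findings


# Constructed sample body modelled on the pattern described in the post.
SAMPLE_EMAIL = """
<p>You have a new invoice from [Supplier Name].</p>
<p><a href="https://example-my.sharepoint.com/personal/user/Invoice_1042.zip">View Invoice</a></p>
<p>Powered by QuickBooks</p>
"""

if __name__ == "__main__":
    for finding in check_invoice_links(SAMPLE_EMAIL, "QuickBooks") or ["no findings"]:
        print(finding)
```

The comparison is on the URL's host, not on the link text or the surrounding branding, because those are the parts the sender controls completely; the host is the one thing the button cannot lie about.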


It is hard to tell fake emails from real ones. The best advice is to only open emails and attachments you are expecting. It is not difficult to fake an email from someone you know, so always err on the side of caution and, if it is someone you know, pick up the phone and check. If you don't, you could lose £1,000s or £10,000s, or in other instances all of your data.