BEC Attacks: How Fake Invoice Schemes Work

May 10, 2018 by Dan Virgillito

According to Agari's Business Email Compromise (BEC) Attack Trends Report, 96% of companies experienced BEC attacks in the second half of 2017, mainly because the email-borne attacks didn't include the usual attachment-based virus but comprised a radically more sophisticated form of social engineering. One version of BEC that has helped cyber criminals net over $5 billion is the bogus/fake invoice scheme.

According to the FBI, the bulk of the funds generated via BEC attacks (including the ones involving fake invoice schemes) are transferred to China and Hong Kong, from where they're diverted to other financial firms — or in other cases, casinos. The agency also revealed the use of British banks is on the rise.

If recipients clear the invoice, their company loses funds (and the victim is at risk of losing his/her job). If they get in touch with the adversary, the scammer uses a variety of psychological techniques to add trustworthiness to their claim, ranging from citing additional email threads to having a telephone call, to try and convince the potential victim to clear the invoice.

Fortunately, it's possible to prevent BEC-based fraudulent invoice schemes from causing harm. Countering them requires a good understanding of how bogus invoice schemes function.

The Anatomy of Fake Invoice Schemes

The scheme usually begins with a fraudster breaching the email of an individual who has the authority to manage their company's finances, for instance, someone working in payroll. The adversary then navigates the victim's email, searching for vendor invoices until he/she comes across a legitimate invoice.

Once a legitimate invoice is found, the hacker modifies the beneficiary details, such as altering the routing number to which the amount needs to be credited.

The criminal then spoofs the vendor's address to submit the invoice. The email says the vendor has updated its payment terms and doesn't highlight the new account number. Accounts payable, identifying the name of the vendor and the provided service, proceeds with the wire transfer request.

Why Are Fake Invoice Schemes so Successful?

Fundamentally, security solutions are incapable of stopping BEC attacks in their tracks. Most premier defense solutions are about detecting malicious attachments and phony links. BEC attacks don't feature any links, attachments or payloads. They're all about using psychological techniques to manipulate the recipient's mind, making them trust that the person on the other side is indeed who they claim to be.

Also, cybercriminals leverage the resources present in the cyber underground, including tools that enable them to search for keywords on hacked email accounts and the availability of email lists of C-level executives. Hence, they're able to take some guesswork out of the equation without resorting to high-risk measures that raise their chances of getting caught.

Moreover, adversaries are getting better at these attacks. They're conducting thorough research. They're choosing specific targets. They're classifying the C-level executive chain, the CFO, COO, etc. and who is responsible for what. If it's fake invoice schemes, then adversaries identify the chief staff member in accounts payable.

Best Practices to Identify Fake Invoice Schemes

There are several best practices for identifying various forms of BEC scams and fake invoice schemes. The overarching solution is employee awareness through education, verification of accounts and continual vigilance. Below is a comprehensive list of BEC prevention best practices. It might be impractical for most organizations to implement all measures, but considering those that fall in line with your specific needs will drastically reduce the chances of being breached via the fake invoice scheme attack.

  1. Cross-check the request details with earlier wire transfers to see if the information is consistent — including the recipient's name, account number and city/country to which prior wire transfers were made.
  2. Build effective backchannels so sensitive or high-value requests can be verified. For instance, ensure employees can confirm any request from the CFO to initiate a wire transfer with a senior manager via an email or text message, regardless of where the manager might be.
  3. If access to email isn't required, ask employees to switch webmail off as it eliminates another point of attack for cybercriminals. The same should be done for employees working remotely. If it's essential to grant web access to email, you can secure accessibility by deploying a virtual private network.
  4. Create an official domain for the organization's email rather than relying on an open-source email solution like Roundcube.
  5. If the invoice is from a vendor, see if there's any change in business practice. Were previous invoices posted via snail mail and this one is emailed? Did the current point of contact ask to respond via email whereas all previous correspondence was done via telephone? Were earlier payments done by PayPal and now you're being asked to do a wire transfer?
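
Practices 1 and 5 can be partly automated in accounts payable. The sketch below is an added example, not code from the original article: it compares a new payment request with earlier payments to the same vendor and holds it when the beneficiary, routing number, account or country differs. The `Payment` record, the field names and all sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Payment:
    vendor: str
    beneficiary: str
    routing: str    # bank routing number
    account: str
    country: str
    channel: str    # how the invoice arrived: "mail", "email", "phone"
    method: str     # how payment is requested: "wire", "paypal", ...

# Constructed history of payments that were already verified and paid.
HISTORY = [
    Payment("Acme Supplies", "Acme Supplies Ltd", "RTN-0001", "ACCT-1001",
            "US", "mail", "paypal"),
    Payment("Acme Supplies", "Acme Supplies Ltd", "RTN-0001", "ACCT-1001",
            "US", "email", "paypal"),
]

CHECKED = ("beneficiary", "routing", "account", "country", "channel", "method")
# A change to where the money goes always needs out-of-band confirmation.
HOLD_ON = {"beneficiary", "routing", "account", "country"}

def norm(value):
    return value.strip().lower()

def review_request(req, history):
    """Compare a payment request with earlier payments to the same vendor."""
    prior = [p for p in history if norm(p.vendor) == norm(req.vendor)]
    if not prior:
        return {"action": "hold", "changed": ["vendor"]}  # no baseline yet
    changed = [f for f in CHECKED
               if norm(getattr(req, f)) not in {norm(getattr(p, f)) for p in prior}]
    if HOLD_ON.intersection(changed):
        action = "hold"    # confirm using the phone number already on file
    elif changed:
        action = "review"  # business practice changed; a second person checks
    else:
        action = "pay"
    return {"action": action, "changed": changed}

# Constructed request matching the scheme: same vendor name, new bank details.
SUSPECT = Payment("Acme Supplies", "Acme Supplies Ltd", "RTN-9999", "ACCT-7777",
                  "HK", "email", "wire")

if __name__ == "__main__":
    print(review_request(SUSPECT, HISTORY))
```

A "hold" result should be cleared only through a contact detail that was on file before the request arrived, never through one supplied in the email itself.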

Final Thoughts

As businesses rely more on web services such as email, a single mistake is all that's needed to steal from an organization. Hence, enterprises should take utmost care when dealing with invoice-related emails.

Those who've been compromised are encouraged to report the attack to their financial institution, ideally within 24 hours so law enforcement or other concerned institutions have a better opportunity of recovering stolen funds. Waiting more than 24 hours to report a case dramatically reduces the chance of total fund recovery.