False Billing email scams are hitting the Strata industry hard.
Phishing, the use of a disguised email to trick the recipient into believing the message is a legitimate request, is costing strata businesses hundreds of thousands of dollars.
The attacker pretends to be a real person or business that the receiver would normally transact with, which makes the request plausible. Dating back to the 1990s, phishing is one of the most widespread forms of cyberattack. These fraudulent acts are common practice in the high-tech world of business today, because the information needed to stage them is readily available on social media and on your own company website. The attacker uses this information to spoof your identity and defraud you, your employees, your customers or your partners of money.
False billing is one of the most damaging forms of phishing faced by businesses in general, with over $1.7 million lost to this method alone in the first quarter. It usually arrives by email, with invoices forged to look like legitimate business transactions. StrataMax saw at least six phishing cases within our client base in the last financial year, totalling over $200,000 in funds lost by clients. Most cases involved transfers to a compromised bank account that the fraudster uses to funnel funds before transferring or withdrawing them. Once such a payment has been made it is very difficult for banks to recall the funds, which is precisely why attackers use this method.
Social engineering to obtain this information has been made even easier for attackers by the abundance of information on company websites and social media. LinkedIn, for example, lists who is who within a business, so the attackers know the names of senior executives and of the staff whose roles carry responsibility for instructing and making payments. The scam is then aimed at the contact who has the capacity to pay invoices, is made to appear to come from the senior executive, and is usually sent with a sense of urgency.
To protect your business from these phishing scams, consider a two-step authorisation process for payments over a certain threshold: for example, verify any payment greater than a stipulated amount over the phone before authorising the transaction, and always confirm any change of bank account details directly with the supplier. Treat every email requesting a money transfer with caution and call to verify it. Never rely on email responses alone, in any circumstance.
We are currently seeing a spike in these phishing scams, with attackers treating the Coronavirus as an extra opportunity to exploit people working remotely and turn that vulnerability to their gain. When staff work from home, ensure they are using secure devices off a company server and company email addresses, not personal ones. Ensure that all staff communicate on these company addresses only, and that they know any communication from senior staff arriving by other means is not to be trusted. Use a mail filtering product like Mailguard that can capture dangerous emails and flag emails from external sources.
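As an added illustration, not part of the original article, the following Python models the payment gate described above: a request is held unless an amount over the threshold has been confirmed by phone using the number on file, the supplier's bank details match the master record, and the email did not arrive from an external domain. The supplier record, threshold and company domain are constructed examples.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed supplier master record: the bank account and phone number on file.
# Verification calls go to this number, never to one quoted in the incoming email.
SUPPLIER_RECORDS = {
    "Acme Lifts Pty Ltd": {"account": "062-000 12345678", "phone": "07 5555 0100"},
}
PHONE_VERIFY_THRESHOLD = 5000.00          # assumed threshold, set by company policy
COMPANY_DOMAIN = "example-strata.com.au"  # assumed company mail domain


@dataclass
class PaymentRequest:
    supplier: str
    amount: float
    bank_account: str
    sender_email: str
    verified_with_number: Optional[str] = None  # number actually called, if any


def review_payment(req: PaymentRequest) -> List[str]:
    """Return the reasons a payment must be held. An empty list means it may proceed."""
    holds = []
    record = SUPPLIER_RECORDS.get(req.supplier)
    if record is None:
        holds.append("unknown supplier: establish contact details before paying")
    elif record["account"] != req.bank_account:
        holds.append("bank account differs from supplier record: confirm the change directly with the supplier")
    if req.amount >= PHONE_VERIFY_THRESHOLD:
        on_file = record["phone"] if record else None
        if req.verified_with_number is None or req.verified_with_number != on_file:
            holds.append("amount over threshold: confirm by phone using the number on file")
    domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if domain != COMPANY_DOMAIN:
        holds.append(f"request came from external domain '{domain}': treat as untrusted")
    return holds


if __name__ == "__main__":
    # Routine invoice: matches the record, under threshold, sent from an internal mailbox.
    ok = PaymentRequest("Acme Lifts Pty Ltd", 1200.00, "062-000 12345678",
                        "accounts@example-strata.com.au")
    # Suspicious request: large amount, new account, sent from a look-alike external domain.
    bad = PaymentRequest("Acme Lifts Pty Ltd", 15000.00, "999-999 00000000",
                         "ceo@example-strata-payments.com")
    print(review_payment(ok))   # []
    print(review_payment(bad))  # three holds
```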
Times are changing, and businesses need to ensure that their teams are aware of the potential risks and that they have the technology and knowledge to protect themselves – financially and socially distanced.
Reference: data quoted is based on reports provided to the ACCC by web form and over the phone.