Fake invoice emails

Fake Invoice Emails

Published 2 May 2018 - 2:18pm

Recently at Nexus IT we have been notified by some business customers about fake invoice emails being sent out requesting funds to be sent to a specific bank account.

To help put into light how big and serious this is, these sums have not been small, they are in the tens of thousands of pounds!

Now you may be reading this wondering how anyone would fall for such a thing, however sadly there are criminals out there getting away with this particular type of crime. The term given to this criminal cyber activity is called spearphishing (phishing with spoofed emails).

What is email spoofing?

Email spoofing is when an email is sent with a forged sender address. A real email address is used but the message is actually sent from a malicious server or a server that has been hacked.

Because the main email protocol does not have an authentication system in place, this method is common for phishing emails to use to deceive the recipient.

How it happens

The cyber criminal usually takes the identity of a director or decision maker within an organisation and sends an email to the accounts payable department with bank details for where to send the funds to, with an attached invoice from a legitimate supplier.

In one case reported to us the fraudulent email said “please send payment to our new bank account….” followed by the sort code and account number.

Case Study

Last year Nexus assisted with a case where funds of around £50,000 were transferred to a fraudulent bank account.

The business who sent the funds to the bogus account were expecting to receive a large invoice from one of their contractors so when they received the email it came as no surprise that they were being asked for payment.

The amount requested was correct so they had no reason to believe it was not a genuine email.

Our investigation led us to believe that the company who was targeted in this particular case had been hacked. We were asked to provide evidence that the company that sent the large payment had not been hacked and that the business who was sending out these supposed emails were the ones who had infact been targeted.

Advice on how to protect yourself from spoofed email scammers

  • Always telephone the person you are intending to send payment to.
    Confirm with them the amount and bank details prior to sending any monies. Certainly do not ask them to verify any of this information by email because if you are being targeted you will be communicating with the fraudster!
  • Ensure you have paid anti-virus protection on all computers and if you have a server the same applies. Although anti-virus won’t protect you from users responding to fraudsters payment requests, it will help protect you from viruses entering your system.
  • Regularly change all your passwords and keep this information confidential. Do not share your passwords with anyone. The more complex your passwords are the better!
  • Think carefully before making an instant decision. Read every email cautiously and don’t rush to send a payment without double checking first. Remember to call up the person directly prior to sending any sum of money.
  • Always check the sender of the email. In most cases the criminal will try to mirror the legitimate email address as best they can. Spotting signs of spelling errors is a tell-tale sign.

Here are some examples:

If for instance you normally communicate with someone called james@xyz.com and the email you receive is from jamess@xyz.com it’s easy for you to skim past this without spotting an extra s has been added onto the end of James.

Another example:

accounts@thedeliverycompany.com
accounts@the-deliverycompany.com

The simple addition of a hyphen can easily go unspotted!

Summary

We hope the above information has been helpful. Always be assertive and cautious with every email you receive and we hope you stay safe online!

Leave a Reply

Your email address will not be published. Required fields are marked *