In August we all heard about Team NZ falling prey to a $2.8 million invoice payment fraud. It was the now-familiar story of a fake or hacked email, asking for payment to go to a different bank account. We should all be familiar with these tales by now. I’m sure that by now every business has in place a process for checking the validity of such a request.
In 2019, RNZ reported this type of fraud as the third most commonly reported online lawbreaking in NZ. At the same time, the FBI said that globally incidents had doubled from the previous year. Nevertheless, as the Team NZ story shows, companies are still falling victim to it.
It still cost the victim $50,000. Without the insurance the cost would have been significantly higher. This business had a process in place and the process was followed. What was the lesson to be learnt?
They followed their standard processes when they received the branded email asking for payment into a different bank account. They confirmed the contact details by checking the supplier’s website. Then they called the contact and received the verbal collaboration of the request. The catch was that the website link they checked, was the one they took from the email. That took them to a fake site which confirmed the fake phone number on the email. Unfortunately it meant they called the scammer for the confirmation.
Technically there are things that can be done. SPF, DMARC and DKIM are standards designed to identify senders and protect email from alteration in transit. To be successful they do require that both the sender and receiver have them fully implemented. If the senders email account had been breached, these techniques may not help as the source will be genuine.
People play a major role in protection from this type of fraud. You need good process, and that has to be followed and it has to be regularly reviewed. Training and awareness also play an important role. Because people are involved, the training needs to be regular and recurring. To avoid fatigue, a mixture of learning types is recommended. These could include experiential (phishing testing), E-Learning, presentations, on demand videos.
The flip side is protecting your clients from being defrauded in your name.
Recently we heard about an incident which resulted in a cyber-insurance pay-out.
It still cost the victim $50,000. Without the insurance the cost would have been significantly higher. This business had a process in place and the process was followed. What was the lesson to be learnt?
They followed their standard processes when they received the branded email asking for payment into a different bank account. They confirmed the contact details by checking the supplier’s website. Then they called the contact and received the verbal collaboration of the request. The catch was that the website link they checked, was the one they took from the email. That took them to a fake site which confirmed the fake phone number on the email. Unfortunately it meant they called the scammer for the confirmation.
Technically there are things that can be done. SPF, DMARC and DKIM are standards designed to identify senders and protect email from alteration in transit. To be successful they do require that both the sender and receiver have them fully implemented. If the senders email account had been breached, these techniques may not help as the source will be genuine.
People play a major role in protection from this type of fraud. You need good process, and that has to be followed and it has to be regularly reviewed. Training and awareness also play an important role. Because people are involved, the training needs to be regular and recurring. To avoid fatigue, a mixture of learning types is recommended. These could include experiential (phishing testing), E-Learning, presentations, on demand videos.
The flip side is protecting your clients from being defrauded in your name.
- We strongly recommend using Multi-Factor Authentication (MFA) on your email.
- We suggest having alerts on any unusual behaviour,
- If you can, restrict login access by location (e.g. so you can’t login from anywhere outside NZ/Australia – given that no one can travel right now, this is quite practical for most kiwi businesses.
- Use password vaults and complex unique passwords.
- Kinetics have our Kambium learning service that can help with the all-important processes and training.
- KARE for Security covers the technical and includes phishing testing and recurring awareness training.