Sneaky devils – how insecure email led to a $150K loss

Recently I was lucky enough to spend some time with a group of my Aussie peers. One of the things we did was share problems and solutions. During those discussions, I heard of the following hack.

This is not a made-up story. It is true and I know of similar fraud in NZ.

The IT company I was talking to had a smallish client. They had five employees and their biggest cost was shipping/transport, with around AU$150,000 a month spent with one supplier. As expected, the monthly invoice arrived and $160,000 was paid into the requested bank account. The following week they received a polite phone call asking why that month's invoice was unpaid.

How did this happen?

It started with an email account being hacked. In this case it was the supplier's email account, but I also know of examples where it was the victim's account that was hacked. The hackers read through all the emails and found the recurring pattern of monthly invoice and payment. They then faked an invoice, adding a new bank account number to it. Before executing the scam, they added rules to the mailbox which would hide all legitimate emails between the supplier and client.

Execution was simple. They sent the invoice requesting payment to the new bank account from the supplier's own mailbox, so it genuinely came from the supplier's email system. The 'sent' email was hidden by the mailbox rules, as was the client's response confirming payment. The money was paid into an Australian bank account. Upon receipt, it was transferred out of the account and out of the country within minutes.

What can you do to protect yourself?

Process.

Every company should have a policy around confirming changes to bank accounts. Kinetics recommends that the process includes a phone call to a number you already hold for the supplier, as relying solely on email leaves you exposed to this type of scam. (With access to the mailbox, the scammer controls any email conversation.) This policy must be strictly adhered to. There is a very similar scam where the CEO's email is hacked or copied, and used to instruct accounts to transfer money to a new account.

Monitoring, reviews and awareness.

This fraud starts with social engineering and then makes use of legitimate features inside mail systems, such as inbox rules. The signs of an issue can be slight and difficult to spot. To tackle it, we need to be looking in multiple places for trends and changes that add up to something new.
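One concrete check of that kind, added here as an example (it is not code from the original post or a Kinetics tool): scan an export of users' inbox rules for the hiding pattern described above, and go a little beyond it by also flagging rules that forward matching mail outside the organisation. The JSON field names and the sample rules are constructed for this example; map them to whatever your mail platform's rule export or audit log actually provides.

```python
"""Flag inbox rules that look like the 'hide the invoice conversation' pattern."""
import json

# Constructed sample export (field names are an assumption for this example).
SAMPLE_RULES_JSON = """[
 {"mailbox": "accounts@client.example", "name": "Newsletters",
  "from_contains": ["news@"], "subject_contains": [],
  "action": "move", "target_folder": "Newsletters", "forward_to": []},
 {"mailbox": "ap@supplier.example", "name": ".",
  "from_contains": ["client.example"], "subject_contains": ["invoice", "payment"],
  "action": "move", "target_folder": "RSS Feeds", "forward_to": []},
 {"mailbox": "ap@supplier.example", "name": "tmp",
  "from_contains": [], "subject_contains": ["remittance"],
  "action": "delete", "target_folder": null, "forward_to": ["x@mail.example"]}
]"""

FINANCE_TERMS = ("invoice", "payment", "remittance", "bank", "account")
# Folders people rarely open: mail moved here is out of sight without being deleted.
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history")


def assess_rule(rule):
    """Return the reasons a rule deserves review, or [] for an ordinary tidy-up rule."""
    reasons = []
    if len(rule.get("name", "").strip()) <= 2:
        reasons.append("near-empty rule name")
    terms = [t.lower() for t in rule.get("subject_contains", [])]
    if any(f in t for t in terms for f in FINANCE_TERMS):
        reasons.append("matches finance keywords")
    if rule.get("action") == "delete":
        reasons.append("deletes matching mail")
    elif (rule.get("target_folder") or "").lower() in HIDING_FOLDERS:
        reasons.append("moves mail to a rarely read folder")
    own_domain = rule["mailbox"].split("@")[-1].lower()
    if any(a.split("@")[-1].lower() != own_domain for a in rule.get("forward_to", [])):
        reasons.append("forwards to an external address")
    # A rule is only interesting if it hides or exfiltrates mail AND has a second indicator.
    hides = any(r.startswith(("deletes", "moves", "forwards")) for r in reasons)
    return reasons if hides and len(reasons) >= 2 else []


def find_suspicious_rules(rules_json):
    """Map 'mailbox:rule name' to its reasons for every rule worth a human look."""
    flagged = {}
    for rule in json.loads(rules_json):
        reasons = assess_rule(rule)
        if reasons:
            flagged[f"{rule['mailbox']}:{rule['name']}"] = reasons
    return flagged


if __name__ == "__main__":
    for key, why in find_suspicious_rules(SAMPLE_RULES_JSON).items():
        print(key, "->", "; ".join(why))
```

Run it against a real export on a schedule and diff the flagged set against the previous run: a newly appearing rule on a mailbox that handles invoices is the change worth a phone call.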

The primary reason for my trip to Australia was to share and gather ideas on security. Kinetics is developing new initiatives around security. Fraud has become more targeted and social engineering more lucrative. New systems and tools are needed to safeguard users as well as data. Some of these new tools are already in use and others will be available shortly. You can expect to hear a lot more about security over the coming weeks.


Bill Lunam is Kinetics Group's Operations Manager. Bill has over 25 years of IT experience and is passionate about IT for SME business.