I have written previously about CEO fraud, in which employees receive an email that appears to come from a company executive directing them to wire money to an overseas bank account. Now fraudsters are redirecting their efforts to a new internal target: accounts payable.
According to IBAN, the scam works this way:
- The fraudsters intercept emails or compromise email accounts within the target company.
- After monitoring the communication, they send either a fake invoice or an altered copy of an existing invoice to the accounts payable / billing department.
- On that invoice, the attackers replace the IBAN / bank account number of the legitimate payee with their own IBAN / bank account.
- The target company's accounts payable department unknowingly processes the faked invoice and sends the funds to the scammer's bank account.
In some cases the CEO's email account was compromised and the emails to the billing department were sent from that account. Nothing about them seemed out of the ordinary, which made the deception easier to pull off. Also, because bank wire payments take several business days to complete, neither the company that sent the payment nor the one that should have received it realized for days that the expected funds had not arrived.
Finally, since these scammers open bank accounts registered to individuals who are often on the margins of society (e.g. the homeless, even criminals) and withdraw the money as soon as it lands, tracking them down is difficult, if not impossible.
Inside a $6 Million Scam
According to an alert produced by the Banking & Payments Federation, the email generally contains a letter purporting to notify the receiver of new (amended) bank account details to which all future payments are to be sent.
The letter may also announce a change in the name of the individual the receiver has been working with, or a slight variation on that individual's email address, which of course means replies will land in the scammer's inbox rather than with the usual contact the accounting staff have dealt with before.
Another telltale sign: the bogus invoice may look as if it was printed on company stationery, but more than likely the letterhead was scanned and reprinted on the fraudster's own paper stock, leaving company logos less crisp or even blurred.
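The attack steps above and the "amended bank account details" letter both come down to one event: the payee account on an invoice no longer matches the account on file. An accounts payable check can catch that automatically. The following is an added example (my own illustration, not code from the original post or from any product it mentions) that validates an invoice IBAN with the ISO 13616 mod-97 checksum, compares it against a vendor master record, and places the invoice on hold when either test fails. The vendor names, the `IBAN_LENGTHS` table and the sample invoices are constructed; the IBANs are the public format examples, not real accounts.

```python
import re
from dataclasses import dataclass, field

# Constructed vendor master data: the bank details on file for each supplier
# (hypothetical vendor; the IBAN is the public GB format example, not a real account).
VENDOR_MASTER = {
    "Acme Supplies Ltd": {"iban": "GB82 WEST 1234 5698 7654 32"},
}

# Expected IBAN lengths for a few countries (assumption: extend this table
# for the countries your vendors actually bank in).
IBAN_LENGTHS = {"GB": 22, "DE": 22, "FR": 27, "NL": 18, "IE": 22}


def normalize_iban(raw: str) -> str:
    """Strip spaces/hyphens and upper-case, so 'gb82 west ...' equals 'GB82WEST...'."""
    return re.sub(r"[\s-]", "", raw).upper()


def iban_checksum_ok(raw: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map
    A-Z to 10-35, and the resulting integer must be congruent to 1 mod 97."""
    iban = normalize_iban(raw)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    expected = IBAN_LENGTHS.get(iban[:2])
    if expected is not None and len(iban) != expected:
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # 'A'->10 ... 'Z'->35
    return int(numeric) % 97 == 1


@dataclass
class Invoice:
    vendor: str
    iban: str
    amount: float


@dataclass
class Decision:
    action: str                                # "pay" or "hold"
    reasons: list = field(default_factory=list)


def screen_invoice(inv: Invoice, master=VENDOR_MASTER) -> Decision:
    """Hold any invoice whose payee account is malformed or differs from the
    account on file. A hold must be cleared by calling the vendor on the phone
    number already in the master record, never on a number printed on the
    invoice or supplied in the email that delivered it."""
    reasons = []
    record = master.get(inv.vendor)
    if record is None:
        reasons.append("vendor not in master data")
    if not iban_checksum_ok(inv.iban):
        reasons.append("IBAN fails mod-97 check (typo or fabricated account)")
    elif record and normalize_iban(inv.iban) != normalize_iban(record["iban"]):
        reasons.append("IBAN differs from vendor master: bank details changed")
    return Decision("hold" if reasons else "pay", reasons)


# Constructed sample invoices.
LEGIT_INVOICE = Invoice("Acme Supplies Ltd", "gb82 west 1234 5698 7654 32", 48_200.00)
# Same vendor, but the payee account has been swapped for a different,
# well-formed account (the public DE format example), as in the scam above.
SWAPPED_INVOICE = Invoice("Acme Supplies Ltd", "DE89 3704 0044 0532 0130 00", 48_200.00)
# One digit altered: fails the checksum outright.
TYPO_INVOICE = Invoice("Acme Supplies Ltd", "GB82WEST12345698765433", 48_200.00)

if __name__ == "__main__":
    for inv in (LEGIT_INVOICE, SWAPPED_INVOICE, TYPO_INVOICE):
        d = screen_invoice(inv)
        print(f"{inv.vendor}: {d.action} {d.reasons}")
```

The checksum alone is not a fraud control: the attacker's mule account is a perfectly valid IBAN. The control is the comparison with the master record plus the out-of-band call; the checksum only separates data-entry errors from deliberate substitutions so the two get different handling.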
The efficacy of this type of invoice scam was proven by a recent lawsuit filed by a New York-based commodities firm alleging that a financial services software firm showed "an egregious lack of diligence and care" when its employees fell for one of these email invoice scams, ultimately allowing hackers to steal $5.9 million.
Among other claims, the suit alleges not only that the financial services firm failed to follow its own policies and procedures, which enabled the theft in the first place, but that staffers actually helped the cyber thieves by fixing transfer orders that had initially failed. (Can you say aid and abet?)
And all of this happened despite numerous, obvious inconsistencies such as:
- The use of an email account that spelled the commodities firm with three "Ls" instead of two
- Emails rife with awkward syntax and grammatical errors that were "wholly inconsistent" with previous communications and, in some cases, "unclear in substance."
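The three-L domain above, and the "slight variation" in the contact's email address mentioned earlier, are the kind of near-miss that a human reads straight past but a machine catches reliably. As an added example (my own code, not from the original post or any product it names), the following classifies the sender domain of an incoming From: header against an allow-list of vendor domains: an exact match is known, anything within a couple of edits of a known domain after folding look-alike characters is a lookalike to escalate, and everything else is merely unknown. The domain list, the `CONFUSABLES` table and the sample headers are constructed; `acme-suppllies` mirrors the extra-letter spelling from the lawsuit.

```python
import re

# Constructed allow-list of domains accounts payable legitimately deals with
# (hypothetical names, not real organisations).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "globalcommodities.example"}

# Characters commonly swapped for look-alikes in spoofed domains; each folds
# to one canonical form before comparison (assumption: extend as needed).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e"})


def skeleton(domain: str) -> str:
    """Fold visually confusable characters so 'acrne' and 'acme' compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: value such as 'J Smith <j.smith@x.example>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", header_value.strip())
    if not m:
        raise ValueError(f"no address in {header_value!r}")
    return m.group(1).lower()


def classify_sender(header_value: str, known=KNOWN_VENDOR_DOMAINS, max_distance: int = 2) -> dict:
    """'known' for an exact match; 'lookalike' when the domain is within
    max_distance edits of a known vendor domain after confusable folding;
    'unknown' otherwise. Lookalikes are the case to escalate: a stranger is
    less dangerous than a near-miss of a trusted supplier."""
    domain = sender_domain(header_value)
    if domain in known:
        return {"verdict": "known", "domain": domain}
    skel = skeleton(domain)
    closest = min(known, key=lambda k: levenshtein(skel, skeleton(k)))
    distance = levenshtein(skel, skeleton(closest))
    if distance <= max_distance:
        return {"verdict": "lookalike", "domain": domain, "closest": closest, "distance": distance}
    return {"verdict": "unknown", "domain": domain}


# Constructed sample From: headers.
SAMPLE_FROM_HEADERS = [
    "j.smith@acme-supplies.example",                 # genuine vendor contact
    "J Smith <j.smith@acme-suppllies.example>",      # extra letter, as in the lawsuit
    "billing@acrne-supplies.example",                # 'rn' standing in for 'm'
    "someone@unrelated.example",                     # not a vendor at all
]

if __name__ == "__main__":
    for hdr in SAMPLE_FROM_HEADERS:
        print(f"{hdr!r}: {classify_sender(hdr)}")
```

Run this over the From: header of any message that carries an invoice or a bank-details change, and treat a lookalike verdict as a hard stop on payment until the vendor is reached on a phone number already on file. Keep `max_distance` small: on short domains a larger threshold starts flagging unrelated names.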
While the finger-pointing between the two firms soldiers on and the $10 million in damages and legal fees is being sorted out, the upshot for IT security professionals (and for the C-suite) is to always be vigilant. In fact, all of the aforementioned red flags should have been caught by employees had they been properly trained to adhere to corporate procedures, especially when millions of dollars are at stake, as they were in this case.
Stopping the Next Money Mule
These "invoice fraud" and CEO fraud scams are very popular with fraudsters at the moment. Even the best anti-fraud tools struggle to prevent this type of fraud, because the transfers are technically "approved" transactions initiated by individuals who are authorized to make them. While employee vigilance and awareness are critical to helping organizations avoid falling victim to these scams, the other half of the defense is the ability of financial institutions to shut down the mule accounts through which the money is funneled out in the first place.
At the heart of nearly every cyber fraud scheme is a money mule, perhaps the most critical link in the cash-out stage of the fraud supply chain. Whether recruited through traditional means such as fake job ads or manufactured as new accounts opened with stolen identity information, without mules a cybercriminal would see only a fraction of the success. After all, stolen funds have to be directed somewhere. Where does the banking industry begin in stopping the next money mule? Shared fraud intelligence is a start.
The RSA eFraudNetwork is a good example of a shared intelligence network that integrates directly with our fraud detection platforms. The eFraudNetwork collects a myriad of valuable fraud data, one element of which is mule account numbers. Mule account intelligence is gathered from a variety of sources, including existing customers and our own fraud intelligence investigations, and fed into the eFraudNetwork, which integrates directly with the RSA Risk Engine. If a transaction or transfer is attempted to an account the eFraudNetwork has identified as a mule account, the organization can challenge the transaction for additional verification, flag it for further investigation, or block it.
Payment and money transfer fraud is an issue of concern for every financial institution, yet it is difficult to identify internally. According to Europol, more than 90% of transactions involving money mules are linked directly to cybercrime. Insight into known mule accounts helps banks prevent losses on fraudulent transfer requests to other banks, and also lets them shut down accounts opened as mules within their own institution, cutting off the flow of fraudulent transfers through their organization. Taking down this network, or making it harder to recruit mules and establish mule accounts, is perhaps one of the most impactful actions fraud defenders can take.