Is your email protected against fake invoicing?

 
As human nature goes, many organizations don’t really address security issues until a breach occurs. As a result, we’re often called in to do post mortems and help companies devise newer, better security approaches. Suffice it to say, we’ve seen our share of both known and emerging threats to cybersecurity. There is one particular breed of malware I’m seeing all too frequently these days: fake invoicing.
 
It goes something like this: one company — let’s call it Strategi Corp — calls a customer — we’ll call them Incred Systems — to follow up on a pending balance of $20,000 for services rendered. The call comes as a surprise to Incred, because they had already paid that invoice in full. After some digging, they discover that Incred’s payment was actually wired to a bank account that did not belong to Strategi. How did this happen, when the payment instructions were written clearly, right on the invoice?
 
At this point, we have been called in to investigate. First, we dug through Strategi’s email logs and tracked the PDF invoice that was sent to Incred. There were no issues there, so we were able to deduce that the breach occurred somewhere in Incred’s domain. Further analysis revealed what had actually happened: the accounts payable employee at Incred had had their email login credentials compromised at some point—likely through a phishing incident.
 
A hacker could have accessed the account from anywhere in the world and set up a forwarding rule on all of the emails to be sent to their Hotmail address. Then, all they would have had to do was wait for the right opportunity to capitalize on this access—no doubt, a $20,000 invoice would have seemed like a solid payoff.
 
Upon receiving that invoice from Strategi, the hacker made a copy of it using their own wire information, deleted the real email from Incred’s inbox, and re-sent the email to Incred with a spoof of Strategi’s email address. Thus, to Incred, the invoice looked legitimate.
 
In this incident, each company had a unique set of concerns that needed to be addressed. Strategi recognized that the PDF was doctored, but they weren’t sure if it had happened while it was still in their own system or after arriving in Incred’s system. This was important, because Strategi needed to know if their other customers might have been affected. Incred was concerned with what else the hacker might have had access to, how long such a breach had gone undetected, and if every other invoice that was sent to them had also been doctored.
 
After completing this postmortem, both companies asked us how this could have been prevented and what they could do to make sure it never happened again. The first thing we recommended was enabling multi-factor authentication (MFA) on all their Office 365 services to prevent stolen passwords from being used so easily. This is such an effective deterrent that I’m shocked at how many companies fail to implement it! We already use this method to take cash out of ATMs — you not only need your bank card, but a PIN to process the transaction. MFA is another safety net you can put in place to ensure that even if a password is compromised, you won’t give cybercriminals the keys to your entire business.
 
Another measure that companies should consider is globally disabling email forwarding to external email addresses on Outlook. Most of the time, this isn’t necessary in the first place, and it’s simple enough to change the rules to block it from occurring at all. If you don’t want to do this, it’s relatively easy to create a regular report of all your users’ Outlook rules. Have someone at your company review these to catch any suspicious changes if and when they occur.
 
Finally, and perhaps most importantly, user education is critical for boosting awareness and understanding of social engineering and phishing attacks. While there were certainly a number of technology drivers to security that were not in place in this example, it was also apparent that the initial breach occurred at the human level. Teaching employees to identify potential threats in their inbox is a necessary layer of protection, and in many cases acts as a first line of defence. At the end of the day, the best cybersecurity strategy should address both the technology and human aspects of the equation.
 

Vadim Vladimirskiy is the CEO of Nerdio.