Company-X director David Hallett exposes the world of targeted online fraud and the risks that it poses for local businesses.
Some may assume that working in a Waikato-based business would mean the risks of international fraud are negligible. Unfortunately, this is an assumption which, due to the global nature of the internet, is a naïve position to take. During the month of May, NetSafe recorded 912 incidents and $1,808,131 in losses across New Zealand, and during June, NetSafe recorded 995 incidents and $412,081 in losses across New Zealand, primarily reported by NZ Police and Ministry of Business, Innovation and Employment’s Consumer Protection.
NetSafe is an independent non-profit organisation, formed in 1998, focusing on online safety and security, which was recently appointed as the Approved Agency under the Harmful Digital Communications Act.
NetSafe routinely receives reports from New Zealand businesses about fraudulent email requests for payments to be made to bank accounts or via money transfer services. Often these requests can be accompanied by fake or modified invoices from known suppliers.
The volume of these business email scam reports has increased over the last 18 months with three different common formats becoming known as Business Email Compromise (BEC).
The scam can affect any size business that handles ordering, invoicing and payment requests via email and where staff may make assumptions about the identity and authenticity of requests received.
Messages can be of a random nature, sent out as part of a large spam mailing, or can form part of a well-crafted social engineering campaign to extract money after attackers have ‘fingerprinted’ an organisation, gleaning useful information from websites, compromised email accounts or from social media sites including staff profiles on LinkedIn.
Te Awamutu-based Te Wananga o Aotearoa, the country’s second-largest tertiary institution, fell victim to a business email compromise (BEC) scam last year, when their chief financial officer transferred $US79,000 into a Hong Kong bank account after receiving an email appearing to be from the chief executive directing the money to be sent.
The New Zealand Fire Service was scammed out of $52,000 in November 2015, which at the time said that “the scam involved email correspondence, ostensibly in the chief executive’s name, to order the transfer of funds to a Turkish bank account.”
The Federal Bureau of Investigation (FBI) published a public service announcement in June, warning businesses of a growth in BEC scams, “[t]he BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300% increase in identified exposed losses. The scam has been reported by victims in all 50 states and in 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong.”
Complaints filed with the FBI and other international law enforcement agencies suggest that business email compromise scams have victimised over 22,000 businesses and caused approximately USD$3.1 billion in losses.
“The victims of the BEC scam range from small businesses to large corporations. The victims continue to deal in a wide variety of goods and services, indicating a specific sector does not seem to be targeted.
It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam. The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment.”
NetSafe has published a list of recommended actions that can reduce falling victim to BEC.
• Be cautious when you receive emails requesting urgent or confidential action must be take.
• Examine email sender details carefully, watching for similar domain names or characters that have been swapped for other letters, for example using a zero instead of the letter ‘o’, or the numeral 1 instead of the letter ‘l’.
• Forward email responses instead of hitting ‘reply’ so you can type out the genuine email address for a supplier you communicate with.
• Ensure staff handling payments are trained to recognise suspicious email.
• Put in place a ‘two-man rule’ around signing off transactions and set transfer thresholds.
• Confirm new invoice details with suppliers using a phone number known to you, not the one on a suspicious invoice.
If you or your company have paid money following receipt of a fake or spoofed invoice, then contact your bank immediately for assistance.
For more information about online fraud, or assistance with a situation, you can phone NetSafe on 0508 NETSAFE, or email firstname.lastname@example.org.