Gardaí have reported a sharp increase in the number of invoice redirect and CEO fraud-style attacks on Irish businesses in the last few months. “We are getting a couple of cases every week now”, according to Detective Superintendent Pat Lordan, who said that both small and large companies are being hit for amounts ranging from €10,000 into the millions.
The Garda National Economic Crime Bureau has issued a fresh warning to businesses on the back of this increase, as recently two Irish companies have been taken for a combined sum of over €600,000.
In one case, a business received a request from a known vendor to update their account payment details. Unbeknownst to the company, the request had actually come from cyber criminals who had successfully spoofed, or faked, the email address of the vendor, and then sat back and waited for the next transaction to occur. In the end, the criminals made off with more than €200,000.
Another Irish company fell foul of a similar scam, transferring $500,000 (over €450,000) into a bank account controlled by criminals who promptly moved the ill-gotten funds abroad. Luckily, after spending almost a week outside Garda jurisdiction, the funds were identified and recovered; however, this is often not the case, and many companies are forced to bear the brunt of their mistakes.
A Change in Tactics from Criminals
Cyber criminals have been opting to target users instead of trying to bypass complex security systems for years now, using social engineering techniques to manipulate the human element in their target organisations and taking advantage of a general lack of training and awareness by staff.
Often the requests come from genuine-looking email addresses, not the misspelled, typo-ridden phishing emails we are used to seeing from petty hackers, lulling financial staff into a false sense of security. However, email is a form of electronic communication much older than the secure, authenticated messaging systems found in modern apps and websites, and is inherently vulnerable to being spoofed by those with a little bit of knowledge and the correct tools.
The advice from the Economic Crime Bureau (which matches what the cyber security community has been saying for years) is to never trust email for transfer requests such as these, and always ensure you verify the legitimacy of the request via another means, such as picking up the phone to a person in that organisation you are familiar with and asking them to confirm the request. Never dial the number in the email that made the request, as this could result in you calling the criminals themselves, but instead look up the publicly available contact number or use a contact number you have previously used and know to be genuine.
Gardaí also warn that such fraudulent requests can be made via letter or phone, so it is always best to confirm via two methods to ensure the funds are going to the correct place.
In addition to these invoice redirect scams, another alarmingly popular method of stealing the hard-earned cash of Irish businesses is the CEO fraud-style attack, where criminals spoof the email address of someone highly ranked in your own organisation – typically the CEO or CFO. They then request that an ‘urgent’ transfer of funds be made, often saying they are in a meeting or otherwise occupied in an attempt to prevent you from contacting them directly to confirm the request.
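The two patterns described above (a vendor’s address spoofed to request a change of bank details, and an executive’s name placed on an outside address to demand an urgent transfer) leave traces in the message headers that a mail gateway or finance mailbox rule can check before anyone acts on the request. The following is an added example, not code from Tech Guard or from the Garda advisory; the organisation domain `example.ie`, the executive names, the look-alike vendor domain and the three sample messages are all constructed for illustration. It flags an executive’s display name on an external domain, a Reply-To that diverges from the visible sender, failed SPF/DKIM/DMARC results recorded by the receiving mail server, and payment-change wording in the body.

```python
"""Flag inbound mail carrying the hallmarks of invoice-redirect and CEO-fraud
attempts so that finance staff are pushed to verify out of band.

All domains, names and sample messages here are constructed for this example.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.ie"                      # assumption: our own mail domain
EXECUTIVES = {"jane murphy", "sean walsh"}     # assumption: names likely to be impersonated
PAYMENT_PHRASES = ("bank details", "account details", "payment details",
                   "urgent transfer", "wire transfer", "new account")


def _domain(addr):
    """Lower-cased part after '@', or '' when there is no address."""
    return addr.rpartition("@")[2].lower()


def analyse(raw_message):
    """Return a list of indicator strings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. An executive's name shown on an address outside our own domain
    if from_name.strip().lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        findings.append(f"executive display name '{from_name}' on external domain {from_domain}")

    # 2. Replies silently routed to a different domain than the visible sender
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_domain}")

    # 3. The receiving MTA recorded failed sender authentication (RFC 8601 header)
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} authentication failed")

    # 4. Payment-change language in the body raises the stakes
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = [p for p in PAYMENT_PHRASES if p in body.lower()]
    if hits:
        findings.append("payment-change wording: " + ", ".join(hits))

    return findings


def requires_out_of_band_check(raw_message):
    """True when the mail both talks about moving money and shows a spoofing sign."""
    findings = analyse(raw_message)
    return any(f.startswith("payment-change") for f in findings) and len(findings) > 1


# Constructed sample: vendor 'new bank details' with failing SPF and a
# Reply-To on a look-alike domain (digit 1 in place of the letter l).
SAMPLE_REDIRECT = """From: Accounts <accounts@vendor-supplies.com>
Reply-To: accounts@vendor-supp1ies.com
Authentication-Results: mx.example.ie; spf=fail smtp.mailfrom=vendor-supplies.com; dkim=none
To: ap@example.ie
Subject: Updated bank details
Content-Type: text/plain

Please note our new account details for all future payments.
"""

# Constructed sample: CEO's name on a free-mail address asking for an urgent transfer.
SAMPLE_CEO = """From: Jane Murphy <jane.murphy.ceo@freemail-example.com>
Authentication-Results: mx.example.ie; spf=pass smtp.mailfrom=freemail-example.com
To: finance@example.ie
Subject: Quick favour
Content-Type: text/plain

I'm in a meeting all day, need an urgent transfer sorted before 3pm. Can you handle it?
"""

# Constructed sample: ordinary internal mail that must not be flagged.
SAMPLE_BENIGN = """From: Sean Walsh <sean.walsh@example.ie>
Authentication-Results: mx.example.ie; spf=pass; dkim=pass
To: finance@example.ie
Subject: Lunch
Content-Type: text/plain

Anyone up for lunch at one?
"""

if __name__ == "__main__":
    for label, sample in (("redirect", SAMPLE_REDIRECT), ("ceo", SAMPLE_CEO), ("benign", SAMPLE_BENIGN)):
        print(label, analyse(sample), requires_out_of_band_check(sample))
```

A rule like this is a prompt, not a verdict: a message that trips `requires_out_of_band_check` should be routed to the two-method confirmation procedure (phone call to a number already on file) rather than bounced, since genuine vendors do occasionally change banks and genuine executives do occasionally write from personal addresses.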
The Best Ways to Prevent Invoice Redirect or CEO Fraud
There are two main ways that companies can combat scams such as these: procedures and training.
When it comes to procedures, it’s important that rules are in place which naturally prevent such requests from being completed without the necessary verification taking place. It should be company policy that all transfers of funds to new accounts be confirmed by at least two methods (i.e. email and phone/in-person) to prevent cyber criminals from taking advantage. That way, if financial staff do get an ‘urgent request from the CEO’, they will instantly recognise that it goes against company policy and be suspicious.
The other means of preventing your cash ending up in the wrong hands is simply to arm staff with the knowledge of what is out there to get them, so that they are able to recognise a broad range of symptoms that may suggest something is fishy.
Human error is still a key factor in the vast majority of data breaches worldwide, with cyber criminals investing heavily in social engineering – the act of manipulating users into taking an action that will hurt them or their organisation. Phishing is one of the largest attack vectors used to attack companies, and relies on staff being unable to recognise social engineering.
While losing out on money to a hacker in an invoice redirect scam is certainly scary, there are other consequences that companies leave themselves open to by not ensuring their staff are trained – data breach fines and severe reputational damage.
Almost a year and a half since the GDPR came into effect, we are starting to see simply staggering fines handed down to companies who were believed to be negligent in protecting their staff and customer data. The GDPR itself states that any staff member with access to sensitive data (these days, that is everyone) should be appropriately trained, with data protection authorities using their own discretion to decide the size of a data breach fine based on how prepared or otherwise the organisation was for such an attack. Surveys have consistently shown that when data breaches occur, consumers tend to lose faith in that company’s ability to adequately protect their data.
Training your staff is essential in today’s world, and one of the first questions that will be asked by data protection authorities should a breach occur.
Train Your Staff, Then Test Their Knowledge
At Tech Guard, we have watched these trends in the industry and place heavy emphasis not only on training for staff, but on actively testing their knowledge with simulated phishing emails. Our security awareness testing and training service takes a data-driven approach to reducing an organisation’s risk, first taking a baseline percentage of how phish-prone they are before rolling out initial training. We then continue to phish users on a regular basis, with shorter training modules rolled out across the course of the service in order to keep staff up-to-date on the latest threats they may face, and ensure security is kept top-of-mind.
This approach is not only proven to reduce risk, but provides you with a clearly-documented risk reduction that can be shown to data protection authorities should the worst happen. Talk to us today for a demo or free trial and give yourself some peace of mind.