The Devastating Effects of Invoice Redirection Fraud on a Dublin wealth management firm
Last month, the owners of a Dublin wealth management firm got a rather unpleasant surprise. On an otherwise uneventful Monday afternoon, they got a call from an irate customer enquiring about an invoice which he had received. The invoice pertained to a management fee supplement incurred because of Brexit. The amount was €2,220.58. Shortly afterwards, another customer made a similar enquiry about an invoice which they had also received pertaining to a management fee supplement. By the end of the day, over a dozen customers had contacted them about this supplemental charge. The only problem was, this wealth management firm had implemented no supplemental charge. The invoices these customers had received were fakes.
That Sinking Feeling…
It was now dawning on the firm’s management team that one of their Office 365 email accounts must have been compromised (hacked). They called their managed service provider, who examined the fraudulent emails. It seemed the invoices had emanated from the email account of just one user. When they logged in remotely to the user’s account, they discovered that some of the Outlook email rules had been changed. This meant that some inbound emails (those from contacts stored in the user’s address book) were being redirected to the hacker instead of reaching the user. This was a clear case of business email compromise, here in the form of invoice fraud.
The Power of a Cloned Invoice
The invoice (which one of their customers had forwarded them) was a carbon copy clone of the standard type of invoice they usually sent out. The logo was the same and the typeface copied to perfection. The only difference was the bank account details had been changed. On further investigation, they discovered that this invoice was sent out to over 150 of their clients.
Repercussions of the Attack
Some clients had paid this fraudulent invoice. It was, after all, sent by a person they trusted and sent from a trusted email account. They were now demanding reimbursement after discovering it was a fake. Some were also threatening legal action if the monies paid to the scammers were not reimbursed.
In the days following the attack, the firm was deluged with more emails and phone calls from concerned clients. They wanted to know if other financial information of theirs had been compromised.
Unfortunately, some of the clients demanded the return of all their financial files and decided to terminate all business transactions with the firm. Needless to say, this was an extremely distressing event for everyone involved.
Beware False Assumptions about IT Security
The management of this firm believed that anti-malware software installed on their employees’ systems would detect any threats. But while hardware and software security controls can detect a lot of threats, they cannot detect all threats. The management also believed that the anti-spam filter of Office 365 would detect any fraudulent emails. However, social engineering attacks are designed so that the user installs data-stealing software themselves or divulges their email credentials of their own volition.
The management team and their MSP suspected that the employee had either fallen for a phishing scam or had malware installed on their device that stole their Outlook 365 credentials. Either way, a hacker was able to exploit one of their trusted email accounts and hijack one of their contact lists, resulting in financial loss and severe reputational damage.
Enabled Two-Factor Authentication is Useless
Their MSP had set up two-factor authentication (2FA) on their Office 365 platform, but it was merely enabled rather than enforced. The distinction between “enabled” and “enforced” two-factor authentication is crucial. The former means it is optional for the user, whereas the latter means it is obligatory.
The hacker was able to change the email rules in Outlook so that the emails would get redirected to him. Every user in this firm had global admin rights. This was a big mistake because, in the case of a compromise, excessive admin rights give the miscreant far too much latitude.
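The inbox-rule tampering described above (and in the investigation of the compromised account earlier) is something a tenant administrator can sweep for across every mailbox rather than one at a time. The following is an added example, not code from the original post or from the firm’s MSP; it assumes the ExchangeOnlineManagement module is installed and that the account running it may read inbox rules. It flags any rule that forwards or redirects mail to a domain the tenant does not own, or that deletes messages, which are the two hallmarks of the redirection seen in this case.

```powershell
# Added example: audit all mailboxes for inbox rules that leak mail externally
# or silently delete it. Assumes the ExchangeOnlineManagement module and
# sufficient rights to run Get-Mailbox / Get-InboxRule.
Connect-ExchangeOnline -ShowBanner:$false

# Domains the tenant owns; any other recipient domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Get-RuleTargets {
    param($rule)
    # Every address the rule sends mail on to, as plain strings.
    @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
        Where-Object { $_ } | ForEach-Object { [string]$_ }
}

function Test-External {
    param([string]$address)
    # Recipients are rendered as '"Name" [SMTP:user@domain]' or as plain SMTP
    # addresses; internal directory objects show no SMTP address at all.
    if ($address -match 'SMTP:([^\]\s]+)') { $address = $Matches[1] }
    if ($address -notmatch '@') { return $false }
    $domain = $address.Split('@')[-1].ToLower()
    return -not ($internalDomains -contains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = Get-RuleTargets $rule
        $external = $targets | Where-Object { Test-External $_ }
        if ($external -or $rule.DeleteMessage) {
            [pscustomobject]@{
                Mailbox        = $mbx.UserPrincipalName
                Rule           = $rule.Name
                Enabled        = $rule.Enabled
                ExternalTarget = ($external -join '; ')
                DeletesMail    = [bool]$rule.DeleteMessage
            }
        }
    }
}

# Review every row: a rule forwarding address-book contacts to an outside
# mailbox, or deleting the copies, is exactly what was found in this incident.
$findings | Format-Table -AutoSize
```

Any hit should be treated as a potential compromise of that mailbox and followed by a credential reset and a review of the sign-in logs, not just removal of the rule.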
The user who was compromised had a very weak password, essentially a concatenation of the names of their two children. This password did not have enough entropy to make it secure, leaving it vulnerable to brute-force and password-guessing attacks.
The most effective way to prevent such an invoice redirection fraud from happening to your organisation
Perhaps one of the most effective ways of preventing social-engineering attacks, such as invoice fraud, is training your employees to detect and mitigate them. Effective IT security awareness training teaches your users to recognise and respond to attacks which can’t be detected by your security software or company firewall. They are shown real-life examples of current threats in circulation, deconstructed to make them fully aware of the tactics hackers use, tactics which can blindside even the most technically sophisticated users. Effective training conditions your workforce to think like a hacker and makes them aware of the security implications of everyday IT tasks in a totally different way. A collective change in IT security behaviours amongst your staff will result in a greatly enhanced security posture. This results in:
- Less risk of financial loss
- Less risk of customer attrition
- Less risk of reputational loss
And of course, it helps you sleep a little sounder at night.