Companies across the globe are increasingly falling prey to a form of cyber attack in which they receive an invoice realistic enough that most employees think it is genuine. This is a digital take on an old-fashioned scam in which fake bills were mailed or faxed through.
You have probably already come across amateur versions, like emails telling you that a domain you own has expired, when the email is not from the hosting service you use and your domain is not due for renewal. Newer versions of these cyber-attacks have been improved so that they look realistic and even appear to come from businesses you use. The grammar, spelling and logos are all accurate, and they may even include authentic work order or invoice numbers.
Often the sender name used on the email will match the contact details you normally associate with the company, or it may even refer to a co-worker. This is because modern hackers and criminals working on the internet can accurately spoof actual people and accounts. Although it is obviously deeply concerning they know about your company and its operations enough that they can disguise themselves effectively, cyber-attacks of this kind rely on you not being aware it is happening or that it is even possible. As a way of giving you a heads up, here are a couple of the main invoice-style attacks that cybercriminals use:
The first, rather than a grab-the-cash-style attack, relies on one of your team members clicking a ‘download invoice’ link. The email you receive could even accurately resemble the kind sent by Xero, QuickBooks and other reputable accounting software, which makes it seem legitimate.
Once they have clicked, malware is downloaded that can trigger either a data breach or ransomware. Most anti-virus suites that are regularly updated should block an attack that gets that far, but there is no guarantee, particularly with new or undiscovered malware. Malware that successfully gets into your system can embed itself deeply and stay there until it is either activated or detected.
The second comes in two main forms: a phoney invoice that includes a payment link redirecting you to a new banking or financial account, or one stating that a payment is due to be made into a specific account. There may even be a seemingly helpful note regarding the new account details.
The person in charge of the account thinks they are doing nothing wrong by paying the invoice and, as a result, pays the money into an overseas account. The main issue with this style of attack is that you often don’t find out you have been scammed until either the transaction is flagged during an audit or the real supplier sends an invoice. Unfortunately, even if you catch it quickly, because international accounts are involved it is highly unlikely you will get the money back once it has been sent.
Key to keeping your business safe is being aware that these attacks exist. You can minimise the risk by ensuring spam filters and anti-virus software are up to date, as this may stop the emails reaching your inbox. Next, it is recommended that you put in place some specific processes concerning payments.
This could involve phone calls to the original number you have on your records to verify any account change, meticulously checking work orders against invoices, appointing a single administrator so that too many people do not have access to your accounts, or even using a form of two-step authorisation for making payments.
Even simple checks, such as hovering the cursor over any links to ensure they point where they claim to, can avoid trouble.
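The payment checks described above can be made routine rather than left to memory. The following is an added example, not code from the original article: it compares an incoming invoice against the vendor master record and the approved work order, and performs the "hover over the link" check programmatically. All vendor names, account numbers, phone numbers and hostnames are constructed sample values.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

@dataclass
class Vendor:
    name: str
    bank_account: str      # account captured at onboarding, never taken from an email
    phone_on_record: str   # number to call for verification, never the one on the invoice

@dataclass
class Invoice:
    vendor: str
    bank_account: str
    po_number: str
    amount: float
    links: list = field(default_factory=list)  # (display text, actual href) pairs

def link_mismatches(links):
    """Flag links whose visible text names one host but whose href leads elsewhere."""
    findings = []
    for text, href in links:
        if " " in text or "." not in text:      # plain words like 'Download' carry no host
            continue
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            findings.append(f"LINK_MISMATCH: shows {shown} but points to {actual}")
    return findings

def check_invoice(inv, vendors, purchase_orders):
    """Return a list of findings; an empty list means the invoice passed every check."""
    vendor = vendors.get(inv.vendor)
    if vendor is None:
        return ["UNKNOWN_VENDOR: no master record; onboard through a verified channel first"]
    findings = []
    if inv.bank_account != vendor.bank_account:
        findings.append(f"BANK_ACCOUNT_CHANGED: confirm by phone on {vendor.phone_on_record} before paying")
    po = purchase_orders.get(inv.po_number)
    if po is None or po["vendor"] != inv.vendor or abs(po["amount"] - inv.amount) > 0.005:
        findings.append("PO_MISMATCH: invoice does not match an approved work order")
    findings += link_mismatches(inv.links)
    return findings

# Constructed sample records (not real companies, accounts or sites)
VENDORS = {"Acme Supplies": Vendor("Acme Supplies", "12-3456-7890123-00", "+64 9 555 0100")}
PURCHASE_ORDERS = {"PO-1042": {"vendor": "Acme Supplies", "amount": 4800.00}}
GENUINE = Invoice("Acme Supplies", "12-3456-7890123-00", "PO-1042", 4800.00,
                  [("https://invoices.example.com/1042", "https://invoices.example.com/1042")])
SUSPECT = Invoice("Acme Supplies", "98-7654-3210987-00", "PO-1042", 4800.00,
                  [("https://invoices.example.com/1042", "https://invoices.example.net/dl")])
```

Running `check_invoice(SUSPECT, VENDORS, PURCHASE_ORDERS)` raises both a bank-account change and a link mismatch, while the genuine invoice returns no findings.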
Most of the companies that work with yours will be just as careful, so if something doesn’t look right about an invoice, don’t pay it until you have checked it. Although these phoney invoice cyber-attacks are on the rise, you can prevent your business from being affected by knowing what to look for and not letting the criminals win.