BEC Scam: Fake Invoice and Wire Fraud
https://www.mineraltree.com/blog/invoice-fraud-detection/

Business Email Compromise (BEC) is a common threat to businesses and individuals that has totaled global losses of at least $51B between 2013 and 2022. Many BEC scams impersonate CEOs or other executives at an organization via social engineering, with the goal of financial gain through some type of funds transfer such as wire transfers, invoice payments, payroll, or gift cards. In this article I highlight fake invoice and wire fraud scams: what the scams are, how they are designed, and active measures organizations can take to mitigate their impact.

What Are Fake Invoice Scams?

Fake invoice scams are a medium-risk, high-reward activity for cybercriminals. The short-term rewards are greater than those of other BEC scams, and the scam becomes riskier for the criminals the longer they keep it running.

Like other BEC scams, fake invoice scams start with a simple email to a company asking it to pay an invoice, often appearing to come from a known supplier of the organization. However, the banking details are different: instead of paying the valid supplier, the funds go to the cybercriminals.

What are Wire Fraud scams?

Similar to invoice scams, the wire fraud scam starts with an email impersonating an executive (CEO, CFO, COO) requesting an immediate wire transfer to a third party. The third party may be known to the company, but often it is one that is not in the standard accounts payable system, hence the need for a wire transfer.

How the scam is designed

The cybercriminals start by scraping names and titles from LinkedIn and cross-referencing them with known breach data to gather email addresses and phone numbers for an organization. They can often buy lists of this data as well. These lists are reused for a number of BEC scams.

In some instances, the criminals take over email accounts at a supplier (via credential stuffing) and send fake invoices with new banking details to many companies in the hope that some will pay.

Criminals may also try to take over email accounts at your company, hoping to gain access to an executive's mailbox, which they can use to submit or approve wire transfer requests.

In more sophisticated cases, they create a look-alike domain using typosquatting techniques to masquerade as a known good supplier. For example, criminals impersonate dentons.com, a known global law firm, by using dentonspay.com or dentonspay.net.

The messages are often sent to several people in the accounting department in the hope that one employee will take action. Many of the bank accounts the criminals provide are tied to smaller institutions that don't require many checks to set up an account. In some cases, the criminals open accounts under fake identities.

Criminals can also be employees of your company who have access to approve payments.

In a related scam, the criminals impersonate your company and send fake invoices to your customers.

In rare cases, the criminals repeat the activity, as was perpetrated against Google and Facebook for a total of $120M. Once paid, most of these funds are moved quickly into another account; depending on how quickly the fraud is reported, some funds can be returned.

How the scam looks

In the example below, the criminal uses a look-alike domain for a law firm to request payment. The criminals then respond, impersonating an executive at the company, stating that they approve the payment.

https://www.bleepingcomputer.com/news/security/new-crimson-kingsnake-gang-impersonates-law-firms-in-bec-attacks/


In this next example, the criminals jump straight to the request from the executive for the payment. The image shows the email headers and where the spoofed email address would appear.

https://isc.sans.edu/diary/A+recent+example+of+wire+transfer+fraud/20581


In the next example, the criminals are impersonating a known supplier and asking to change their banking details for this one-time payment and for future payments.

https://www.meshsecurity.io/payment-fraud


Ways to detect and prevent these scams

People often hold the recipient of the message responsible, since they should carefully check the message for telltale signs of a scam, but I do not agree. Putting the responsibility solely on the recipient is inappropriate and will often fail. Here are some additional controls to help prevent and detect these scams.

  • Enforce segregation of duties within your accounts payable team. Some companies do not have the staff to do this, but where possible, split the initiation and approval of a payment between two individuals. While not convenient, this reduces the risk of fraudulent activity.
  • Do not allow email as an authentication method for invoices or wire transfers. If you use an automated tool for invoice approvals, require the approval through the tool from the executive who made the request via email. If there is no such tool or process, seek a second authentication outside of email, such as a phone call or instant message.
  • Where possible, limit the dollar amount for daily transactions and for single transactions.
  • Alert and educate your company about this scam at least annually.
  • Have a defined procedure for reporting suspicious emails or text messages. Encourage your employees to use this procedure often.
  • Purchase and park look-alike domain names to prevent criminals from using them against you.

  • Send email logs to a SIEM or log aggregator. Trigger alerts for email spoofing (mail that appears to be from the company but is sent from outside mail systems).
  • Add DNS security tools that block domain categories or known malicious domains.
  • Add a secure email gateway that looks for and blocks multiple types of BEC, alerts when messages are received from recently created domains, and alerts on spoofing.
  • Enable the “external email warning” banner on emails.
  • Ensure email accounts and accounting systems are protected by multi-factor authentication to reduce the risk of account takeover.
  • Limit your email and accounting system session lifetime to less than 24 hours.
  • Restrict the use of legacy email protocols, such as POP or IMAP, or ensure they have additional protections against MFA bypass techniques.
  • Restrict or monitor accounts using automatic email forwarding.
  • Monitor and alert on changes to your mail server configuration.
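As an added example (not code from the article), here is a small Python triage routine for the SIEM alerts described above: it flags mail that claims the company's own domain but arrives through an outside relay, sender domains that imitate a known supplier (the dentonspay.net pattern from the typosquatting section), and sender domains registered recently. The company domain, supplier list, relays, registration dates and log lines are all constructed, and the WHOIS lookup is a stand-in dictionary.

```python
import re
from datetime import date

# Constructed reference data (not from the article): domain, suppliers, relays, WHOIS stand-in.
COMPANY_DOMAIN = "example-corp.com"
KNOWN_SUPPLIERS = {"dentons.com", "acme-supply.com"}
INTERNAL_RELAYS = {"mail.example-corp.com"}
DOMAIN_CREATED = {"example-corp.com": date(2001, 3, 1), "dentons.com": date(1999, 1, 1),
                  "acme-supply.com": date(2005, 6, 1), "dentonspay.net": date(2024, 5, 1)}

def levenshtein(a, b):  # edit distance, catches one- or two-character typosquats
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Trusted domain that `domain` imitates (embedded brand or near-miss spelling), else None."""
    trusted = KNOWN_SUPPLIERS | {COMPANY_DOMAIN}
    if domain in trusted:
        return None
    label = domain.rsplit(".", 1)[0]  # 'dentonspay.net' -> 'dentonspay'
    for t in sorted(trusted):
        tlabel = t.rsplit(".", 1)[0]
        if tlabel in label or levenshtein(label, tlabel) <= 2:
            return t
    return None

def triage(log_line, today):
    """Alert names raised by one gateway log line of the form 'from=... relay=...'."""
    m = re.search(r"from=\S+@(\S+)\s+relay=(\S+)", log_line)
    sender, relay = m.group(1).lower(), m.group(2).lower()
    alerts = []
    if sender == COMPANY_DOMAIN and relay not in INTERNAL_RELAYS:
        alerts.append("spoofed-internal-sender")  # our domain, but sent from outside
    mimic = lookalike_of(sender)
    if mimic:
        alerts.append("lookalike-of:" + mimic)
    created = DOMAIN_CREATED.get(sender)
    if created is None or (today - created).days < 90:  # registered in the last 90 days
        alerts.append("new-or-unknown-sender-domain")
    return alerts
# Constructed sample log lines; dent0ns.com is a made-up typosquat of dentons.com.
SAMPLE_LOGS = ["from=cfo@example-corp.com relay=mail.example-corp.com",
               "from=cfo@example-corp.com relay=smtp.freemail.example",
               "from=billing@dentonspay.net relay=mx.dentonspay.net",
               "from=accounts@dent0ns.com relay=mx.dent0ns.com"]
```

The edit-distance threshold of 2 is loose for very short brand names, so tune it per supplier list; the relay check assumes your gateway records the connecting host for each message.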

Recovering from fake invoice or wire fraud scams

Once identified, the security team, CFO, Controller and legal team should be notified. The security team should create and document the incident following your incident response process. Depending on how quickly it was discovered, some financial loss may be recovered (for example, your bank may not have fully completed the transfer, or may work with the receiving depository institution on recovery). Regardless of materiality, you should report the incident to your cyber insurance carrier quickly.

If any vulnerabilities or gaps were identified during the investigation (such as newly created email accounts), they should be prioritized and remediated. Reset passwords, secrets and tokens for any impacted accounts. Block all indicators of compromise in the email systems (URLs, domains, etc.). Continue to monitor for any additional malicious activity involving the indicators of compromise documented in the investigation.
