An IT provider noticed that one of its clients was receiving emails pretending to be a recognised supplier.
The emails contained fake invoices and were attempting to trick the client into paying the invoiced amount into the attacker’s account.
The affected business investigated and discovered that the emails and fake invoices had been sent to people within the business and to some of its external customers.
The emails seemed legitimate. For example, they included knowledge of recent goods requests and costs. However, there were small differences in the email addresses which staff picked up on before any payments were made.
The business discovered that an employee's email account was protected by a simple password, making it easy for the attackers to gain access. Once in, they set up forwarding so that any email containing words like 'account', 'invoice' and 'pay' was sent on to an external address belonging to the attacker. These emails allowed the attackers to learn the business's billing cycles and behaviours, helping them to create invoices that looked legitimate.
The compromise went unnoticed for at least six months as the attacker was deleting the forwarded emails from the employee’s account.
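The forward-and-delete pattern described above is easy to spot once you look for it, but only if someone is actually reviewing mailbox rules. The following is an added example, not code from the page or from CERT NZ: it audits a simplified JSON export of inbox rules (the export format, the domain `example.co.nz`, the mailbox names and the rules themselves are all constructed for illustration) and flags rules that forward to an external address, match financial keywords, delete the message after forwarding, or carry a near-empty name, ranking them by severity.

```python
"""Audit exported mailbox rules for the forward-and-delete pattern.

The JSON layout below is an assumed, simplified export; adapt the field
names to whatever your mail platform actually produces.
"""
import json
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.co.nz"  # assumption: the business's own mail domain
FINANCE_TERMS = {"account", "invoice", "pay", "payment", "remittance", "bank"}

# Constructed sample export (not real data): four rules across two mailboxes.
SAMPLE_RULES_JSON = """
[
  {"mailbox": "j.smith@example.co.nz", "name": "Newsletter filing",
   "contains": ["newsletter"], "forward_to": [], "delete": false, "enabled": true},
  {"mailbox": "j.smith@example.co.nz", "name": ".",
   "contains": ["account", "invoice", "pay"],
   "forward_to": ["billing.archive@mail-backup.example"], "delete": true, "enabled": true},
  {"mailbox": "a.lee@example.co.nz", "name": "Copy to assistant",
   "contains": [], "forward_to": ["p.assistant@example.co.nz"], "delete": false, "enabled": true},
  {"mailbox": "a.lee@example.co.nz", "name": "Old rule",
   "contains": ["invoice"], "forward_to": ["x@other.example"], "delete": false, "enabled": false}
]
"""


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    severity: str      # "high", "medium", "low" or "info"
    reasons: list[str]


def external_recipients(addresses, internal_domain):
    """Return the addresses whose domain is not the business's own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() != internal_domain.lower()]


def assess_rule(rule, internal_domain=INTERNAL_DOMAIN):
    """Return a Finding for a suspicious rule, or None if nothing stands out."""
    reasons = []
    ext = external_recipients(rule.get("forward_to", []), internal_domain)
    if ext:
        reasons.append("forwards to external address(es): " + ", ".join(ext))
    terms = {t.lower() for t in rule.get("contains", [])} & FINANCE_TERMS
    if terms:
        reasons.append("matches finance keywords: " + ", ".join(sorted(terms)))
    if rule.get("delete") and rule.get("forward_to"):
        reasons.append("forwards and then deletes (hides the copy from the mailbox owner)")
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("near-empty rule name (easy to overlook in the rule list)")
    if not reasons:
        return None
    if not rule.get("enabled", True):
        severity = "info"            # disabled rules are worth a look, not an alarm
    elif ext and (terms or rule.get("delete")):
        severity = "high"            # external forward plus data selection or cover-up
    elif ext:
        severity = "medium"          # any external forward deserves a question
    else:
        severity = "low"
    return Finding(rule["mailbox"], rule.get("name", ""), severity, reasons)


def audit_rules(rules_json, internal_domain=INTERNAL_DOMAIN):
    """Assess every rule in the export and return findings, most severe first."""
    findings = [f for f in (assess_rule(r, internal_domain) for r in json.loads(rules_json)) if f]
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES_JSON):
        print(f"[{f.severity.upper()}] {f.mailbox} rule {f.rule_name!r}: " + "; ".join(f.reasons))
```

Run against the sample, the second rule (keyword-matched, forwarded externally, then deleted, under a one-character name) is reported as high; the disabled old rule is reported as info. The same check is worth scheduling against a fresh export rather than running once, since a rule created six months ago will only be caught by whoever reviews the list.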
CERT NZ analysed the details from this report and others, and published an advisory about:
- the extent and nature of invoice scams
- how to protect against them, and
- what to do if you've received a fake invoice.
Advisory: Invoice scams affecting New Zealand businesses
CERT NZ recommends these simple steps to protect your business:
- Strengthen your email account security – by keeping your software and systems up-to-date and using strong, unique passwords for each account.
- Secure your network – especially when using systems that can be accessed remotely, including remote desktop protocol (RDP). Use strong, unique passwords and enable two-factor authentication (2FA) where you can.
- Review your business processes – ensure that your processes don’t rely solely on email. Verify payments to new or different accounts by phone before making the transaction. This can help prevent losses.
- Protect against email spoofing – this is when attackers forge the sender address so an email appears to come from a legitimate business. Publishing DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records for your domain lets receiving mail servers detect and reject messages that falsely claim to come from you. Note that DMARC only covers your own domain: it does not stop mail from look-alike addresses such as those used in this case, so staff still need to check sender addresses carefully.
CERT NZ’s top 11 cyber security tips for business
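A DMARC record that exists but is set to monitor only, or that covers only part of the mail stream, gives little real protection. The following is an added example, not code from the page or from CERT NZ: it parses a DMARC TXT record into its tags and reports the settings that leave a domain spoofable. The two records and the domain `example.co.nz` are constructed for illustration; the tag meanings (`p`, `sp`, `pct`, `rua`, `adkim`, `aspf`) follow the published DMARC specification.

```python
"""Check a DMARC TXT record for settings that leave a domain spoofable."""

# Constructed sample records (not from the page or any real domain).
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                   "rua=mailto:dmarc-reports@example.co.nz")


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict of lower-cased tag names to values."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_issues(record):
    """Return a list of human-readable weaknesses; an empty list means the record is strict."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    issues = []
    # The version tag must be present, correct and first, or receivers ignore the record.
    if tags.get("v") != "DMARC1" or not record.strip().lower().startswith("v=dmarc1"):
        issues.append("missing or misplaced v=DMARC1 tag: receivers will ignore the record")
    policy = tags.get("p")
    if policy is None:
        issues.append("no p= tag: the record is invalid and enforces nothing")
    elif policy == "none":
        issues.append("p=none only monitors; forged mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine sends forged mail to spam rather than rejecting it")
    if tags.get("sp") == "none":
        issues.append("sp=none leaves subdomains spoofable")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        issues.append("pct= is not a number between 0 and 100")
    elif pct < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        issues.append("no rua= address: you will not receive aggregate reports")
    if tags.get("adkim", "r") != "s" or tags.get("aspf", "r") != "s":
        issues.append("relaxed alignment (adkim/aspf default r) lets any subdomain satisfy DMARC; "
                      "use s once you know all legitimate senders")
    return issues


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(f"{label}: {rec}")
        for issue in dmarc_issues(rec) or ["no issues found"]:
            print("  -", issue)
```

In practice, publish the record with `p=none` and an `rua=` address first, read the aggregate reports to find every legitimate sending service, set up DKIM signing for each, and only then move to `p=quarantine` and `p=reject`. Jumping straight to `reject` without that inventory blocks your own mail; staying on `none` indefinitely, as the weak record above does, blocks nothing.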