Identifying email scams that target businesses

It appears that the fraudsters are now taking the time to learn your business (presumably leveraging website, social media, etc.) and determining who the senior decision-makers are to greatly increase the chance of the email scams succeeding.  Often this will involve impersonating a client or supplier (“We have changed our bank account, please make payment to…”) or impersonating someone from your organisation (“Please pay the attached invoice …”).

We are aware of at least three main variations:

• Email purportedly from the CEO (or similar) requesting payment – similar email account.  These are emails that appear to be from the CEO that are sent to accounts payable/finance requesting that an urgent payment be made for services rendered (or similar).  The email visually appears similar to a genuine email sent from the CEO, but the email address will be slightly different from the CEO’s genuine email address.  For example:

“From:john.smith@bigcoy.co.nz

To: accountspayable@bigco.co.nz 

Subject: invoice for consulting services

Hi Mark,

Could you please ensure that the attached invoice is paid asap.  Code the cost to consulting.

Thanks,

John.”

In this case, the genuine email address is "john.smith@bigco.co.nz", so provided accounts payable do not spot the subtle difference in the email account, there is a reasonably high risk the fraudulent payment will be made.     

• Email appears identical to the genuine sender’s email address, but has been ‘spoofed’ to appear that way. These are email addresses that have been ‘spoofed’ to appear the exact same as the sender’s genuine email address, but were actually sent from a different email account.
• Email purportedly from the CEO (or similar) requesting payment – genuine email account.  In this version, the fraudsters send the email using the CEO’s (or similar) genuine email account.  The fraudsters are able to do so after hacking the email account.

Despite the considerable increase in sophistication in these newer email scams, there are some red flags:

• The payment request will be for a “new” supplier or to a new bank account for an existing supplier/client.
• Payment will often be to a non-New Zealand bank account, PayPal, or Western Union.
• Often the payment requests will be in large round dollars (e.g. $50,000, $100,000, etc.)
• The request for payment will be urgent.
• The email may contain bad grammar or unusual word choices.
• The sender may claim to be difficult to contact and request email contact only.

Contact your bank, forensic provider and Police immediately. There are two important immediate considerations:

• Recovering the funds.  If you identify the scam the same day the payment is made your chances of the funds being “frozen” in the banking system are greatly enhanced.  The prospect of recovering the funds will diminish greatly as each day goes by;
• Determining who the perpetrator is.  While in most cases the perpetrator will be based overseas, it is important to consider the possibility that the perpetrator could be an insider or local person

Our top five recommendations for safeguarding your organisation from these email scams are:

1. Review how your organisation handles email instructions for payment.  Increasingly we are seeing organisations choosing not to rely on email instructions given the fraud risk involved.
2. Consider whether your controls around payments would successfully defend against these fraudulent payment requests being actioned in the event your organisation does rely on email instructions.
3. Consider how “fraud aware” your team is.  Your people are your best defence against fraud, so it is important that they are alert to this and other fraud risks.
4. Revisit your IT security to understand the level of vulnerability.
5. Consider whether your insurance policy would cover these fraud losses.    

If you have been the victim of an email scam or you would like to discuss how you can protect yourself better, please do not hesitate to contact Jason Weir.