1. Evolving Business Email Compromise (BEC) Attacks
BEC attacks, also known as CEO fraud, have been around for quite some time now. They have proven successful, which of course means scammers are going to keep using and refining them, and we recently featured a blog post with a video about how to combat them. What’s important to look out for now are the different angles these attacks have begun to take.
Recent BEC attacks rely more heavily on social engineering. The messages are more indirect than a straightforward request for a wire transfer, which would make anyone suspicious. The 3 latest variants to look out for are ‘the handoff,’ payroll diversions, and aging report scams.
- The handoff starts with an email to someone in Finance that appears to come from the CEO, asking the recipient to reach out to an attorney about an acquisition or project. The ‘CEO’ and the ‘attorney’ both work for the cybercriminal gang, so they can play off each other with questions and ‘information.’ At some point a sum of money will be required, and the ‘CEO’ will approve sending it.
- Payroll diversions typically go to HR and appear to be from an employee. This ‘employee’ asks to update the bank information used for their direct deposit. Even if you don’t reveal any existing information and simply send a blank form, the form that comes back will contain the criminal’s bank account details, so the real employee will no longer be paid. It’s a perfectly normal request, so if your process has no other checks or verification built in, this can easily slip by.
- The aging report scam can be directed at a variety of departments. Here an email appears to be from a vendor requesting an aging report, a request that seems harmless. Once the criminal has the report, however, he or she can contact your other vendors or customers, using the invoice and payment details in it to seem convincing enough to get banking information changed to their illicit account.
As KnowBe4 puts it, “modern BEC attacks leverage some really good social engineering that security defenses aren’t able to detect or prevent because there is nothing technical about it.” Criminals are willing to take a little longer to let their targets put their guard down before going after the wire transfer.
How can you avoid this scam?
- Train your people. Make sure everyone knows how much more sophisticated these scams have become. Then build verification steps into your process that require methods other than email. It may be as simple as a text to a personal cell phone, a work chat, or a call to your vendor, but it can prevent a lot of trouble.
- Ask your IT partner to check any emails you aren’t sure of. A message can arrive looking perfectly normal, but sender names and addresses can be spoofed. And with no attached files or malicious links to trigger a scan or filter alarm, the typical email protections can miss these messages. Your IT partner can look more closely.
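The point above, that a payload-free BEC message gives scanners nothing to flag, is what makes header and wording checks worthwhile. The following is an added example written for this post, not code from the original or from KnowBe4, showing the kind of "closer look" a mail filter or IT partner can take: it checks for executive display names on foreign addresses, a Reply-To that diverts replies elsewhere, internal-looking senders that did not pass SPF/DKIM, and the lure vocabulary of the three angles described above. The organisation domain, the executive list and the three sample messages are all constructed placeholders.

```python
"""Heuristics for spotting BEC-style messages that carry no attachment or link.

Added example, not from the original post. OUR_DOMAIN, EXECUTIVES and the
sample messages below are constructed placeholders; adapt them to your org.
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                              # assumed: your own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}       # assumed: display name -> real address
# Vocabulary typical of the handoff, payroll-diversion and aging-report angles.
LURE_PHRASES = ("wire transfer", "direct deposit", "aging report", "attorney", "acquisition")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing odd."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)

    # 1. An executive's display name on an address that is not that executive's.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display-name impersonation: '{from_name}' <{from_addr}>")

    # 2. Replies silently routed to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"reply-to mismatch: {from_addr} -> {reply_addr}")

    # 3. Claims to be internal, but the gateway did not record SPF and DKIM passes.
    auth = msg.get("Authentication-Results", "").lower()
    if from_dom == OUR_DOMAIN and ("spf=pass" not in auth or "dkim=pass" not in auth):
        findings.append("claims internal sender but SPF/DKIM did not pass")

    # 4. Lure vocabulary in the subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        findings.append("lure phrases: " + ", ".join(hits))
    return findings


# Constructed samples (not real messages).
SAMPLE_HANDOFF = """\
From: "Jane Doe" <jane.doe@ceo-office.example>
Reply-To: jdoe.private@mailbox.example
To: finance@example.com
Subject: Confidential acquisition - contact our attorney
Content-Type: text/plain; charset="utf-8"

Please reach out to the attorney handling the acquisition today. Keep this confidential.
"""

SAMPLE_PAYROLL = """\
From: "Sam Lee" <sam.lee@example.com>
To: hr@example.com
Subject: Update my direct deposit details
Content-Type: text/plain; charset="utf-8"

Hi, I switched banks. Please send me the direct deposit form so I can update my account.
"""

SAMPLE_BENIGN = """\
From: "Bob Smith" <bob.smith@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
To: finance@example.com
Subject: Lunch menu for Friday
Content-Type: text/plain; charset="utf-8"

Vote for the Friday lunch menu by Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("handoff", SAMPLE_HANDOFF), ("payroll", SAMPLE_PAYROLL), ("benign", SAMPLE_BENIGN)):
        print(label, "->", bec_indicators(sample) or "no indicators")
```

None of these findings proves fraud on its own; the value is in routing a message with two or more of them to a human for the out-of-band verification the previous bullet recommends, rather than letting it land quietly in the Finance or HR inbox.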
2. Fake QuickBooks Invoices
QuickBooks, known as the #1 accounting software for small businesses, is being used as the hook in a new global scam.
Bitdefender reports that the campaign began in April. Scams with a QuickBooks angle often increase around tax time in the US anyway, but this one isn’t about taxes. This campaign targets the 3 million businesses worldwide that use the software, sending fake invoices and payment notifications.
The messages are simple, claiming that your invoice is attached for review or that your order will ship once payment is remitted, and they are not sent only to people in Finance or Accounting. They come from a spoofed address that looks legitimate (‘quickbooks@xxxx.intuit.com’) and contain convincing QuickBooks graphics. There is also an Excel attachment that supposedly shows the invoice details.
The real threat is in the attachment. A hidden macro will install credential-stealing malware in most cases. In some cases, the malware has been updated to deliver ransomware as well.
So how can you stay safe from this?
- Always be suspicious of attachments. Curiosity is hard to control, and when we see an invoice amount, even one we weren’t expecting, we want to know what it’s about. Stop immediately any time you see a popup asking you to enable macros. As I’ve mentioned before, macros can be useful, but never enable them unless you are 100% certain they are safe.
- Make sure everyone in the company knows about something as widespread as this. You may have employees who don’t know whether or not you use QuickBooks, or who don’t understand the risks of opening that attachment. You may also have employees outside the Finance Department who order promotional items or office supplies; they need to be warned as well.
- Once again, ask your IT partner to check anything you are unsure of. Unexpected emails with attachments sound suspicious when we talk about them like this, but they can easily slip into the normal workday without raising any red flags.
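Since the real threat in this campaign is the macro hidden in the Excel attachment, the check an IT partner or mail gateway can automate is simply "does this file carry a VBA project at all?" The following is an added example written for this post (not Bitdefender’s or Intuit’s code): it looks for the vbaProject.bin part that modern .xlsm/.docm files store inside their ZIP container, and for the _VBA_PROJECT stream name in legacy OLE-format files, and flags the especially suspicious case where macros sit inside a file with a macro-free extension such as .xlsx. The sample attachments are constructed in memory; the legacy-format check is a lightweight heuristic, not a full OLE parser.

```python
"""Gateway-style check: does an Office attachment carry VBA macros?

Added example, not from the original post. The sample attachments are
constructed in memory. The OLE check is a byte-level heuristic; use a real
parser (e.g. oletools' olevba) for production-grade analysis.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # legacy .xls/.doc compound-file header
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_macros(data: bytes) -> bool:
    """Return True if the attachment bytes appear to contain a VBA project."""
    # Modern OOXML files are ZIP archives; macros live in a vbaProject.bin part.
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in ct
        return False
    # Legacy binary files: OLE compound document; stream names are stored as UTF-16LE.
    if data.startswith(OLE_MAGIC):
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def verdict(filename: str, data: bytes) -> str:
    """Decide what a mail gateway should do with an attachment."""
    if not has_macros(data):
        return "pass"
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext in ("xlsx", "docx", "pptx"):
        # Macro-free extension but macros inside: the name was chosen to mislead.
        return "quarantine: macros hidden inside a ." + ext + " file"
    return "quarantine: macro-enabled attachment"


def _ooxml(parts: dict[str, bytes]) -> bytes:
    """Build a minimal OOXML-style ZIP in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a clean workbook, a macro-enabled one, and a fake legacy .xls.
CLEAN_XLSX = _ooxml({
    "[Content_Types].xml": b'<Types><Default Extension="xml" ContentType="application/xml"/></Types>',
    "xl/workbook.xml": b"<workbook/>",
})
MACRO_XLSM = _ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/xl/vbaProject.bin" '
                           b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "xl/workbook.xml": b"<workbook/>",
    "xl/vbaProject.bin": b"\x00placeholder VBA project blob\x00",
})
LEGACY_XLS = OLE_MAGIC + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("report.xlsx", CLEAN_XLSX), ("invoice.xlsm", MACRO_XLSM),
                       ("invoice.xlsx", MACRO_XLSM), ("statement.xls", LEGACY_XLS)):
        print(f"{name}: {verdict(name, blob)}")
```

A gateway that quarantines on this verdict stops the "enable macros" prompt from ever reaching the user, which is a far more reliable control than hoping everyone remembers the warning above.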
3. Search Ad Scams
This last scam is not an attack on your business or an email to look out for. But it is serious enough for the FBI to issue a private industry notification about it to financial institutions.
The scam uses ads in search engine results, such as Google or Bing. Cybercrime gangs create fake banking website links that appear as ads or sometimes in organic search results to try to harvest your credentials.
If you run a search, often the first result is an ad pointing to exactly what you want. If you were looking for your bank and it is one of these scam links, once you click on it you are taken to what looks like that bank’s login portal. You enter your login, password, phone number, and security question answers, but you don’t get access to your account as you should. This is because it’s a spoofed site. Instead, the criminals call you, posing as the institution. They involve you in a lengthy conversation supposedly aimed at restoring your access, all while they use your credentials to log into the legitimate site and start making transfers.
What can you do against this?
- Be careful where you click, especially when you are trying to log into your bank account. You may find using the bank’s app less risky, and you should almost never use an advertising link. This is not because ads are inherently less secure, but because an ad appears there simply because someone paid for it. As Google explains in its Ads & Commerce Blog, it removed 5,000 bad ads per minute in 2019. That’s just how vast the Internet is. Its tools may catch reported malicious links and known violators easily, but the more sophisticated ones are found only when resources are prioritized to hunt for them based on trends and other available data. It’s a game of catch-up trying to prevent anything malicious from being shown to people.
- Always double- and triple-check the domain of any site you are about to log into. Spoofing banks and major brand websites such as Microsoft and Amazon is what these criminals get paid to do, so it takes careful attention to detail to spot the fakes.
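"Check the domain" is easy to say and hard to do under pressure, so the check is worth automating where you can, for example in a bookmark-based launcher or a browser extension your IT partner maintains. The following is an added example written for this post, not code from the FBI notification or from Google: it accepts a login URL only when the hostname is the bank’s real domain or a subdomain of it, and otherwise explains why it is suspicious (plain http, punycode labels, the real name buried inside an unrelated host, or a digit-for-letter lookalike spelling). LEGIT_BANK_DOMAINS is an assumed allowlist with a placeholder domain, and the test URLs are constructed.

```python
"""Check a banking login URL against an allowlist of the bank's real domains.

Added example, not from the original post. LEGIT_BANK_DOMAINS is an assumed
allowlist with a placeholder domain; the URLs below are constructed.
"""
from urllib.parse import urlsplit

LEGIT_BANK_DOMAINS = ("bank.example",)   # placeholder: your bank's real domain(s)

# Common character substitutions used to build lookalike names.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def skeleton(name: str) -> str:
    """Collapse a hostname so visually similar spellings compare equal."""
    s = name.lower()
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s.replace("-", "")


def classify_login_url(url: str) -> str:
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "reject: no hostname"
    # 1. Exact or subdomain match against the allowlist is the only way to get 'ok'.
    for legit in LEGIT_BANK_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return "ok" if parts.scheme == "https" else "reject: bank login over plain http"
    labels = host.split(".")
    # 2. Punycode labels can hide homoglyph domains; send those for manual review.
    if any(label.startswith("xn--") for label in labels):
        return "suspicious: internationalised (punycode) hostname"
    for legit in LEGIT_BANK_DOMAINS:
        # 3. The real name buried inside an unrelated host, e.g. bank.example.secure-login.example
        if legit in host:
            return f"suspicious: '{legit}' embedded in unrelated host '{host}'"
        # 4. Digit-for-letter or similar lookalike spelling of the real name.
        if skeleton(host) == skeleton(legit):
            return f"suspicious: lookalike of '{legit}'"
    return "unknown: not an approved bank domain"


if __name__ == "__main__":
    for url in ("https://online.bank.example/login",
                "http://bank.example/login",
                "https://bank.example.secure-login.example/",
                "https://bank.examp1e/",
                "https://xn--bnk-abc.example/",
                "https://www.shopping.example/"):
        print(f"{url} -> {classify_login_url(url)}")
```

The allowlist is deliberately the only path to "ok": the lookalike rules exist to explain a refusal to the user, not to decide that an unlisted domain is acceptable.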