Chances are you’ve already seen some of the less effective attempts, like an email advising your domain is expiring, except it’s not from your host and your domain is nowhere near expiration. Or that your subscription to a certain service has been renewed but you have to click on the link to confirm it.
These new attacks are more advanced, in that they look completely legitimate and often appear to come from contractors or suppliers you actually use. Logos are correct, spelling and grammar are spot on, and they might even refer to actual work or invoice numbers. The sender name may also be the normal contact you’d associate with that business, or even a co-worker, as cybercriminals are able to effectively ‘spoof’ real accounts and real people. While it’s worrying that they know enough about you to wear that disguise so well, a successful attack relies on you not knowing what to look for, or even that fakes are a possibility. With that in mind, here are two types of invoice attacks you might receive:
The Payment Redirect
This style of fake invoice either explicitly states payment should be made to a certain account, perhaps with a friendly note about the new details, or includes a payment link direct to the new account. You believe you’re doing the right thing by resolving the invoice and unwittingly send the money offshore. The problem usually isn’t discovered until the real invoice from the real supplier comes in or the transaction is flagged in an audit. Due to the nature of international cybercrime, it’s unlikely you’ll be able to recover the funds even if you catch it quickly.
The Malware Click
Rather than go for the immediate cash grab, this style of attack asks you to click a link to download the invoice. The email may even look like the ones normally generated by popular accounting tools like QuickBooks or Xero, making the click seem safe. Once you click the link, malware is downloaded that can trigger ransomware or data breaches. While an up-to-date anti-virus should block the attack at that stage, it’s not always guaranteed, especially with new and undiscovered malware. If it does get through, the malware quickly embeds itself deep into your systems, often silently lurking until detected or activated.
How to Stay Safe
Awareness is key to ensuring these types of attacks have no impact on your business. As always, keep your anti-virus and spam filters up to date to minimize the risk of the emails getting through in the first place. Then, consider implementing a simple set of procedures regarding payments. These could include verifying account changes with a phone call (to the number you have on record, not the one in the email), and double checking invoices against what was actually done or provided.
Simple pre-emptive checks like hovering the mouse over any links before clicking and quickly making sure the destination looks right can also help. If anything looks off - even in the slightest - hold back on payment/clicking until it’s been reviewed. Fake invoice attacks may be increasing, but that doesn’t mean you or your business will become a statistic, especially now that you know what’s going on and how you can stop them.