Gavin Cunningham – Forensics Partner
The fastest growing fraud risk for business today is remote attack. Usually carried out through your email and internet accessible accounting systems, fraudsters have discovered how to infiltrate systems, intercept key data and manipulate it to get you to transfer sums direct to their bank accounts.
Known more commonly as ‘phishing’ frauds, the bait is usually contained in a circular, false email or malicious link that if opened, responded to or clicked upon can extract information from your systems. Note that even your email address and signature details are useful to them.
Prior to the explosion in internet banking and email communication, traditional methods of targeting fraud against businesses relied heavily upon personal contact and direct communication. However, the move to remote banking and reliance on the electronic world has opened up massive opportunities for organised and dedicated fraud gangs. There are many methods used but I consider the most dangerous to be Spear-Phishing.
What is Spear-Phishing?
Responsible for the largest losses through online fraud against business, spear-phishing occurs when a fraudster obtains details about their target business and uses them, through email contact, to specifically request a transfer of funds using apparently genuine credentials. Many cases of spear-phishing begin when a supplier’s emails are compromised and the fraudster changes just a couple of details on an email address before requesting payments into a bank account controlled by the fraudster.
This type of fraud has always existed; traditionally it involved a third party using an employee as an insider to set up false purchase orders or supplier accounts that were then paid. Now, however, the present and growing danger is the availability of confidential information about a business online. This enables fraudsters to obtain supplier information and alter it to suit their purpose without needing to know anyone in, or deal directly with, the company.
Who is at risk of spear-phishing?
All businesses should be mindful of the dangers of spear-phishing but those businesses that handle or process large sums of money are likely to be more at risk of being targeted. In our experience those affected include law firms settling property transactions, businesses with month end payment runs, and even banks themselves!
In many cases email addresses are changed by one character and invoices – that look identical to real ones from a customer or supplier – are sent out but with changes made to the bank account details. The instantaneous nature of electronic bank transfers means that once funds are sent they are bounced immediately on to the ultimate recipient fraudster and there is no chance of recall. In practice, it might take days before the mistake is even spotted.
What can you do to prevent spear-phishing?
Vigilance is key to preventing spear-phishing. A few sensible general measures include:
- Putting in systems to spot and confirm any bank account changes is one key measure – but remember that if you email for confirmation it is likely to be the fraudster who sends it back.
- Also, looking at email addresses of your intended payees – if they have changed think before you pay.
- And review unexpected and suspicious-looking emails, which are the start of the problem – if the address doesn’t match up with the purported sender, or the contents, then check it out before opening it – and don’t forward it on – you may be spreading the problem even wider.
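As an added example (not from the article), the last two points can be automated against a register of payees verified outside email: it flags a sender address within a couple of character edits of a known payee's address, and invoice bank details that differ from those on record. The register entries, addresses and bank details below are constructed.

```python
"""Screen incoming payment requests against a verified payee register.

Added example, not the article's own code. Flags the two warning signs
the article describes: a sender address that differs from a known
payee's by a character or two, and bank details that differ from the
ones on record. All payees and invoices here are constructed.
"""

# Constructed payee register: addresses and bank details previously
# confirmed by a channel other than email (e.g. a phone call to a known number).
PAYEE_REGISTER = {
    "accounts@acme-supplies.example": {"sort_code": "12-34-56", "account": "12345678"},
    "billing@northlaw.example": {"sort_code": "65-43-21", "account": "87654321"},
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            # deletion, insertion, substitution (cost 0 if characters match)
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_invoice(sender: str, sort_code: str, account: str, register=PAYEE_REGISTER) -> list:
    """Return warnings for one invoice email; an empty list means nothing was flagged."""
    sender = sender.strip().lower()
    warnings = []
    if sender in register:
        on_file = register[sender]
        if (sort_code, account) != (on_file["sort_code"], on_file["account"]):
            warnings.append("bank details differ from register: confirm by phone, not by replying")
        return warnings
    # Unknown sender: look for a registered payee it closely resembles (lookalike address).
    for known in register:
        d = edit_distance(sender, known)
        if d <= 2:
            warnings.append(f"sender resembles known payee {known} ({d} character edit(s)): do not pay")
    if not warnings:
        warnings.append("sender not in payee register: verify before paying")
    return warnings
```

The edit-distance threshold of 2 is a constructed choice; it catches the one-character swaps the article describes while still treating unrelated addresses as simply unknown.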
Remember, a fraudster’s tactics will evolve over time and you may be subject to numerous and varying spear-phishing attacks. In these instances, a review of individual business circumstances can really help in order to arm your business against these wide-reaching attacks.