Fraudsters are trying out a new approach to convince companies to pay bogus invoices: instead of hijacking existing email threads, they are creating convincing ones themselves.
A clever payment request fraud
The fraud attempt begins with an email containing a payment request for a fake invoice.
The recipient – an employee in the company’s finance department – reads the email and checks who sent it.
The sender’s email address looks like it belongs to one of the company’s trusted vendors, and the VP of Finance has been CC-ed! Soon after, the VP of Finance replies to the email thread, and asks the employee (by name!) to “please pay this at the earliest convenience.”
The attackers impersonate a trusted executive (Source: Armorblox)
In short, the whole thing looks convincing enough to fool many inattentive or unaware targets. But a critical look at the email addresses reveals the truth: both the vendor’s and the VP’s addresses are fake, differing only slightly from the legitimate ones.
A layered defense is key
This VIP Invoice Authentication Fraud attack – as Armorblox researchers call it – could end up being very damaging to businesses.
“By impersonating the victim’s boss within the email thread, the attacker adds a sense of urgency to the situation, making the victim less likely to question the legitimacy of the request,” they noted.
While email security solutions should catch and block fraudulent emails such as these, sometimes they fail. Also, not all companies have such a solution set up.
Companies should also have processes in place to confirm beyond doubt that a received payment request is legitimate before fulfilling it, but sometimes they don’t.
Careful employees who have learned to check for and spot spoofed email addresses, and who know enough not to be swayed by urgent calls to action, are sometimes the last line of defense against email-borne attacks.
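One way to automate the address check the article recommends, as an added example (not code from the article or from Armorblox): it undoes common look-alike character substitutions, measures edit distance from a constructed allowlist of trusted vendor and internal domains, and flags From/Cc/Reply-To addresses that imitate one of them. The domains and headers below are constructed for illustration.

```python
import re
# Constructed allowlist: the vendor and internal domains this finance team expects mail from.
TRUSTED_DOMAINS = {"acme-supplies.example", "corp.example"}
# Character swaps that make a forged domain look right at a glance; undone before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalise(domain: str) -> str:
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so one- or two-character typosquats are also caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """'trusted' on exact match, 'lookalike' if it imitates a trusted domain, else 'unknown'."""
    if domain.lower() in trusted:
        return "trusted"
    norm = normalise(domain)
    if any(edit_distance(norm, normalise(t)) <= max_dist for t in trusted):
        return "lookalike"
    return "unknown"

def check_headers(headers: dict) -> list:
    """Return (header, address, verdict) for every From/Cc/Reply-To address that is not trusted."""
    findings = []
    for name in ("From", "Cc", "Reply-To"):
        for addr in re.findall(r"[\w.+-]+@[\w.-]+", headers.get(name, "")):
            verdict = classify_domain(addr.rsplit("@", 1)[1])
            if verdict != "trusted":
                findings.append((name, addr, verdict))
    return findings

# Constructed headers mirroring the thread in the article: fake vendor sender, fake CC'd VP.
SAMPLE_HEADERS = {
    "From": "Accounts Receivable <billing@acrne-supplies.example>",
    "Cc": "VP Finance <vp.finance@c0rp.example>",
}

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS):
        print(finding)
```

A verdict of "unknown" is not proof of fraud; it simply means the domain is neither on the allowlist nor an imitation of it, and still needs the out-of-band confirmation the article calls for.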