Created: Wednesday, 05 May 2021
Written by Tim Nicholls
A true story: An employee of a customer of ours recently received a very legitimate-looking invoice from one of their suppliers, and at first glance even the email address looked correct. However, the bank details were different, the bank was located in Mexico, and on checking the email address closely, the domain (the bit after the @ sign) was different.
The customer was concerned that they had been hacked. We investigated the email chain by checking server logs, security reports and the email headers, which are normally hidden from view, and were able to confirm to the customer that it was the supplier who had been compromised. That compromise had enabled the scammer to set up a domain very similar to the real one and to use the names of the employees in the emails with the fake bank details.
We analysed the supplier’s email system and discovered it lacked even the most basic security mechanisms to prevent spoofing.
Clearly the attackers had access to the supplier’s customer database, as well as a genuine invoice. Although they were using a fake domain that was only one character different from the real one, the invoice and the fake email footer had the correct details.
Fortunately the employee had been astute enough to spot the different bank details, so they didn’t proceed with payment, and then asked telanova to investigate. This is why we recommend to all our customers that they make sure their staff are trained up on cybersecurity, and are constantly vigilant.
Scammers will often try to target times of the day or the week when people may be under pressure to get things done, hoping that they will be less vigilant, so Friday afternoon, month end or year end are sometimes chosen to launch these attacks. The emails may get marked as "Urgent!" or "Final Demand!" to try to increase the pressure on the recipient to act without proper scrutiny.
What else can you do to protect your organization?
Microsoft’s Advanced Threat Protection service (ATP) has a feature where you can enter your suppliers’ email addresses, and it will monitor for attackers trying to impersonate them.
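To show the idea behind this kind of impersonation check, here is an added example (not telanova's or Microsoft's code, and not a description of how ATP works internally) that flags a sender domain sitting one character away from a known supplier domain. The supplier domains, the sample email and the function names are all constructed for illustration.

```python
from __future__ import annotations
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of genuine supplier domains (assumption for this example).
TRUSTED_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Constructed sample message: correct display name, domain off by one character.
SAMPLE_EMAIL = """\
From: "Acme Supplies Accounts" <accounts@acme-suppiies.example>
To: payables@customer.example
Subject: Final Demand! Invoice 1042

Please note our new bank details.
"""


def edit_distance(a: str, b: str) -> int:
    """Count single-character inserts, deletes, substitutions and adjacent swaps."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent characters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header: str, max_distance: int = 1) -> tuple[str, str | None]:
    """Return ('trusted' | 'lookalike' | 'unknown', matched supplier domain)."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    for trusted in sorted(TRUSTED_DOMAINS):
        if 0 < edit_distance(domain, trusted) <= max_distance:
            return "lookalike", trusted  # near miss: hold for manual verification
    return "unknown", None


def check_message(raw: str) -> tuple[str, str | None]:
    """Classify a raw email by the domain in its From header."""
    msg = message_from_string(raw)
    return classify_sender(msg.get("From", ""))
```

A "lookalike" result is a reason to verify the bank details with the supplier through a known-good contact before paying, not proof of fraud on its own.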
Contact us to put these protections in place for you.