Are you sure your boss is emailing you?
Business Email Compromise and other life's tragedies
Imagine this: You’re a finance manager in a construction company. You recently hired a contractor to get some work done.
After completing the work, the contractor mails you the invoice: $900,000.
A few hours later, they send another email with an updated invoice and a new bank account. They tell you that the old bank account is inactive, that the payment will bounce, and that it will cause unnecessary delays.
You pay the invoice. So far, so good.
A few days later, the contractor sends another email, asking what the delay is and why the invoice hasn't been paid yet.
After a little back and forth, both of you get to the bottom of things: the contractor’s email account was compromised. A hacker was monitoring your email correspondence.
The first email was legitimate.
After that, the attackers cloned the invoice, changed the bank account, and mailed you again.
You ended up sending the money to a bunch of scammers.
If you think this scenario is too wild to ever happen - think again.
It already happened.
And not so long ago, at that. News.com.au reported on the incident in late August, 20204. You can read all about it here.
The good news here is that the scam was spotted relatively quickly, and the police, together with the banks, managed to recover roughly 95% of the lost funds.
Business Email Compromise
This type of attack is called Business Email Compromise, or BEC.
It’s a frequent occurrence. Maybe the contractor installed information-stealing malware by accident. Maybe they fell for a phishing email and, at some point, unknowingly handed their login credentials to the scammers.
Whatever the attack vector, someone was able to log into the email account and monitor all incoming and outgoing messages.
They didn’t make their presence known at once. Instead, they lurked in the inbox, waiting for the right opportunity, and struck.
It works because the other side has no reason to be suspicious. The email is coming from a known party. The message is part of a longer email chain.
It all checks out.
The example above had a relatively happy ending. I’ve seen worse, where people weren’t able to recover any funds. That usually happens when the money is quickly split across multiple accounts in different countries.
The only way to stay safe is to never be on auto-pilot when working. It doesn’t matter if the message is coming from someone you know or not. If it’s even slightly out of the ordinary - double-check it. Make a phone call. Send a text message. Ask for additional confirmation - something scammers couldn’t possibly know.
I’ll repeat my usual mantra: Don’t trust - verify.
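Here is the “don’t trust, verify” rule turned into a simple payment-screening check, the kind an accounts team could put in front of every outgoing transfer. This is an added example, not code from the SmallBiz CyberWiz post; the vendor record, account numbers and phone number are constructed placeholders, and the only security-relevant idea is that the callback number comes from your own records, never from the email that asks for the change.

```python
from dataclasses import dataclass, field

# Constructed vendor master data: what the business captured when the vendor
# was onboarded. Values are placeholders. Nothing here comes from an email.
VENDORS = {
    "acme-builders": {
        "bank_account": "BSB 000-000 / ACC 11111111",   # placeholder
        "callback_phone": "+61 2 0000 0000",            # placeholder
    },
}

# Wording that typically accompanies a fraudulent "new bank account" request.
URGENCY_PHRASES = ("inactive", "bounce", "delay", "urgent", "updated invoice")


@dataclass
class Invoice:
    vendor_id: str
    amount: float
    bank_account: str          # account the email asks you to pay into
    known_thread: bool         # reply in an existing, legitimate email chain
    body: str


@dataclass
class Decision:
    action: str                # "pay", "hold_for_callback" or "reject"
    reasons: list = field(default_factory=list)


def screen_invoice(inv: Invoice, vendors: dict = VENDORS) -> Decision:
    """Decide whether an emailed invoice may be paid without a phone call."""
    vendor = vendors.get(inv.vendor_id)
    if vendor is None:
        return Decision("reject", ["unknown vendor, onboard first"])
    reasons = []
    if inv.bank_account != vendor["bank_account"]:
        reasons.append("bank account differs from the vendor master record")
    if any(p in inv.body.lower() for p in URGENCY_PHRASES):
        reasons.append("pressure or urgency language in the request")
    if not reasons:
        return Decision("pay", [])
    # A known sender in a known thread is deliberately NOT a reason to relax:
    # a compromised mailbox produces exactly that picture (see the story above).
    reasons.append(f"verify by phoning {vendor['callback_phone']} "
                   "(number on file, not the one in the email)")
    return Decision("hold_for_callback", reasons)


def finalise(decision: Decision, callback_confirmed: bool) -> str:
    """Release a held payment only after the vendor confirmed by phone."""
    if decision.action != "hold_for_callback":
        return decision.action
    return "pay" if callback_confirmed else "reject"
```

Running the story through it: the first invoice, paid into the account on file, is released; the “updated” invoice with a new account and a bounce warning is held until someone rings the contractor on the number from onboarding.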
Until next time,
Sead from SmallBiz CyberWiz