We have recently noticed an increase in Spear-phishing attacks.  These are targeted attacks against individuals or businesses in which attackers pretend to be someone within the organisation or a supplier/vendor and either ask for large sums of money to be transferred or create fake invoices to be paid to the attacker’s accounts.

What do attackers do?

There are a few common exploits, the first is: attackers gain access to your email account and find existing invoices then modify them by updating the dates, values and bank account numbers. They then send these modified invoices out to clients the company deals with from within the compromised account. Mailbox rules are usually put in place as well so if the third party responds, the communication is deleted or forwarded to the attacker so they can converse without the actual mailbox owner being aware.

The second is where scammers pose as a company executive and request that an employee transfer or make a payment urgently to an account belonging to the scammers. These are typically sent from a compromised mailbox or they spoof the address but use the correct email signature to make it look authentic.

Preventative measures: 

The most effective thing you can do to stop attackers from getting access to your user’s email accounts is to have Multi-Factor Authentication (MFA) in place.  Upon login, MFA sends a “challenge code” to the user’s phone.  In the event that their password has been Phished, attackers are unable to login with it.

In the case of receiving spear-phished invoices from a compromised third party, the best defense is human intervention. Unfortunately, these emails/invoices will not be picked up as spoofing/spam by your email system as it comes from a valid email account.  The best way to mitigate this threat is to ensure you have strong policies in place as to how your finance team manages requests for bank account changes by suppliers (or attackers). Calling your supplier to confirm that the request is real is the simplest and most effective practice.

To help prevent spoofing of your domain’s emails a combination of Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) can be implemented. This gives mail servers a trusted list of where to expect your domains’ email to come from, and to treat messages originating from other sources as “suspect”.

We’re here to help, so please don’t hesitate to talk with us if you require any further information on any or all of these measures.