These sneaky email scammers are making it even harder for workers to spot fake invoices

By compromising emails between vendors and their clients, scammers can produce exact replicas of expected invoices - and funnel the funds into their own wallets.
Written by Danny Palmer, Senior Writer

Email scammers are getting more sophisticated, with one gang showing particularly advanced tactics for stealing from organisations across the world by using stealth, persistence and social engineering to trick firms into paying invoices for legitimate services.

The attacks are different to standard Business Email Compromise (BEC) attacks because rather than using a fake request for a money transfer apparently ordered by a CEO or CFO, this campaign is based around supply chains, espionage and research, with the attackers only cashing in once they're convinced they can successfully dupe the victim by injecting themselves into a legitimate email thread about finance.


This kind of approach makes the attacks very difficult to detect – and often victims will only know they've been scammed when a vendor asks why a payment wasn't received.

Researchers at Agari have named this type of attack 'vendor email compromise' and have linked campaigns using it to a cyber-criminal gang operating out of Nigeria.

Dubbed Silent Starling, the group is believed to have been active since at least 2015, starting out with romance scams and check fraud, before turning to business email compromise with a focus on wire transfer requests and gift card scams.

But from at least late 2018, Silent Starling has started employing these new attacks: over 500 companies in 14 countries – with 97% of vendor victims in the US, Canada and the UK – have been affected by the attacks, with over 700 employee email accounts compromised and over 20,000 emails stolen to help successfully cash-out campaigns.

Like standard BEC campaigns, the attacks begin with hackers attempting to steal email login credentials from vendors with the use of phishing attacks – often by redirecting users to a spoofed version of tools like Office365 and other enterprise software.

Once the attacker has the credentials they desire, they log in and set up a forwarding rule to automatically redirect copies of all the emails to a separate account they control. From there, they play a waiting game, secretly monitoring the content of the emails to gain a picture of their victims.

"Once they've compromised the credentials of business users, they get redirects of everything that comes into the inbox. Then they sit on it for weeks or months to try to identify intelligence on the communications certain individuals are having," Crane Hassold, senior director of threat research at Agari told ZDNet.

The attacker will commonly set up alerts for keywords relating to finance, such as 'invoice' or 'payment' to gather the information they require to conduct business email compromise attacks, as well as the language used by the real sender and the times of day they tend to be most active.

They also gain access to all of the attachments and links used in the email correspondence, allowing them to create a fake invoice that looks entirely legitimate – because it will be almost an exact copy of the template the compromised vendor uses to issue payment requests for legitimate services.


So legitimate is the request, and the timing of the attack so precise, that the customer will be expecting an invoice from the vendor – and the only difference in the invoice is the bank details, which mean that instead of the payment being made to the vendor, the money will be redirected to the bank account of the cyber criminals.

"As the vendor, they drop the message to an actual customer to say here's the invoice for an actual service – a payment expected by the customer. The only thing the customer sees that's different in the invoice is the bank account information has changed," said Hassold.

"Everything is the same: the invoice, the communication patterns in the email, the signatures, the timing – it's much more sophisticated than a lot of the other BEC attacks we've seen," he added.

Researchers haven't been able to put an exact financial cost on the campaign, but they detail how in one instance attackers filed an invoice for a $168,000 payment. The nature of the attack means that an organisation which falls for a fake invoice may not find out they've done so until the real vendor asks why they haven't been paid.

These attacks take more time and resources than a standard BEC campaign, but the potential pay-off is much greater, even though standard BEC campaigns are thought to have cost US companies alone a total of $1.3 billion during 2018.

"All of the red flags we teach people to look out for aren't there with these attacks," said Hassold. "We've seen these start to increase in frequency and they're certainly going to explode over the next year."

In the meantime, one thing organisations can do to help protect themselves from these attacks is to have a secondary check on any outgoing payments of significant value. Organisations should also check the rules that have been set on emails for indications of suspicious activity, such as all the messages being forwarded to an unknown address.
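
As an illustration of that mailbox-rule check (an added example, not code from Agari or ZDNet), the script below reviews an export of mailbox rules and reports every enabled rule that forwards or redirects mail to a domain the organisation does not recognise, listing rules that copy all mail first. The record layout, field names, domains and sample rules are assumptions constructed for the example.

```python
# Added example: audit exported mailbox rules for forwarding to unknown addresses.
# The record layout and all sample data below are constructed for illustration.

FORWARD_FIELDS = ("forward_to", "redirect_to", "forward_as_attachment_to")


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def audit_rules(rules, trusted_domains):
    """Return a finding for every enabled rule that sends mail to an unknown domain."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        targets = [a for f in FORWARD_FIELDS for a in rule.get(f, [])]
        unknown = sorted(a for a in targets if domain_of(a) not in trusted)
        if not unknown:
            continue
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule["name"],
            "unknown_targets": unknown,
            # A rule with no conditions copies every message in the mailbox.
            "all_mail": not rule.get("conditions"),
        })
    # Rules that forward everything are listed first for review.
    return sorted(findings, key=lambda f: not f["all_mail"])


# Constructed sample export: three rules from two mailboxes.
SAMPLE_RULES = [
    {"mailbox": "ap@vendor.example", "name": "Team copy", "enabled": True,
     "conditions": {"subject_contains": ["timesheet"]},
     "forward_to": ["payroll@vendor.example"]},
    {"mailbox": "ap@vendor.example", "name": "Finance keywords", "enabled": True,
     "conditions": {"subject_or_body_contains": ["invoice", "payment"]},
     "forward_to": ["archive@mailbox.example"]},
    {"mailbox": "sales@vendor.example", "name": ".", "enabled": True,
     "conditions": {}, "redirect_to": ["Collector@Mailbox.Example"]},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, ["vendor.example"]):
        print(finding)
```

Domain matching here is exact, so any legitimate subdomains or partner domains must be listed in `trusted_domains` explicitly.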

