Invoice Diversion Scenario

28th March 2019

That age-old saying, "it will never happen to me", or "we're too small to be targeted" – sound familiar?

You would be forgiven for having said these things yourself, and ten years ago you might well have been right.

The modern-day cyber criminal (hacker, black hat, whatever you prefer to call them) doesn't care how small your company is. If there is a way in, they will find it, and the very fact that you run a business tells them there is something of value there to exploit: money, data, or your trusted relationships with customers and suppliers.

Over time the word 'hacker' has become far more widely heard. It used to conjure up a teenager in their bedroom trying to break into a bank to prove their skills, and media reports could have you believe this is still the case, because it tends to be only the bigger, well-known names that make the news.

It's not always about financial gain, although that is by far the most common motive. Some attackers simply want a 'trophy cabinet' of news stories, for self-satisfaction and bragging rights in the hacking community, about how they brought a business to its knees overnight, or at the very least had the power to do so. The sad reality is that it is the smaller businesses who often cannot absorb such an attack and may eventually go bankrupt.

Since GDPR came into force, a personal data breach that is likely to put individuals at risk must be reported to the ICO within 72 hours, and the affected individuals must be told where the risk to them is high. That in itself can have catastrophic consequences: reputational damage, and possibly a voided cyber insurance policy if the proper precautions were not in place.


So How Does the Hacker Find You?

The truth is that a hacker in another town, county or country is very unlikely to pick you at random, let alone know you exist. So how do you become 'the chosen one'?

This is the key thing to understand about modern cyber criminals: they don't pick you, their automated tooling does.

Automated scanners crawl the entire internet, day and night, looking for weaknesses. These range from passwords in leaked credential dumps being tried against your login pages, to remote-access services left exposed on badly managed systems, poorly secured hardware, or simply software that hasn't been patched.

Once a scanner finds a weakness that looks like an entry point, it flags it for a human to take a closer look. That person could be thousands of miles away, and suddenly you are the target.


What happened in Eastbourne?

A small company, in business for years but well known only within its own sector, was the victim of an email spoofing scam. The attacker had gained access to the Financial Director's (FD's) email account and set up a forwarding rule so that a copy of every incoming email went to the attacker's own inbox. Over time they learned the FD's writing style, tone and habits, and picked out a conversation thread in which a customer was being asked for a payment that was due. They most likely followed that thread for weeks, right up to the point where a payment date was agreed, and then stepped in.

They then spoofed the payee company's email address and sent a message back to the payer, explaining that the company had recently changed bank, had spotted that the old details were accidentally still on the invoice, and attaching a replacement invoice with the 'new' account details on it (the attacker's).

The payer picked up the email in the morning. It appeared to come from the FD, it quoted the whole previous conversation below it, and it carried the FD's signature, tone and style of writing, so they had no reason to question it. Even if they had, a reply to that email would have gone to the attacker's mailbox, not to the person they thought they were talking to. Two days later the payer was 25k out of pocket, and the payee, who was expecting the invoice to be settled, didn't see a penny of it.
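The diversion described above relies on two things an ordinary mail client does not draw attention to: a Reply-To (or a lookalike sending domain) that quietly routes answers to the attacker, and a body that asks for bank details to be changed. The following is an added example for this article, not code from the company or the incident: a small Python check that parses a constructed message, compares the From and Reply-To domains against a list of trusted supplier domains (supplier-example.com and the other addresses are invented for illustration), flags common homoglyph and typo lookalikes, and looks for bank-change wording in the body.

```python
"""Header and body checks for an invoice-diversion (spoofed reply) email.

Added example for this article, not code from Southern IT. The addresses,
domains and messages below are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample. The From address looks like the genuine supplier, but
# Reply-To quietly routes any answer to a lookalike domain ("rn" for "m"),
# and the body asks for bank details to be changed.
SUSPICIOUS_MESSAGE = b"""\
From: "Jane Smith, Finance Director" <jane.smith@supplier-example.com>
Reply-To: "Jane Smith" <jane.smith@supplier-exarnple.com>
To: accounts@customer-example.com
Subject: RE: Invoice 1042 - updated bank details

Hi,

We recently changed bank and noticed the old details were still on the
invoice. Please find attached the replacement with our new account number
and sort code.

Kind regards,
Jane
"""

# Constructed sample of an ordinary message on the same thread.
GENUINE_MESSAGE = b"""\
From: "Jane Smith" <jane.smith@supplier-example.com>
To: accounts@customer-example.com
Subject: RE: Invoice 1042

Hi, just confirming the due date of 30 April. Thanks, Jane
"""

# Phrases typical of a payment-diversion request.
BANK_CHANGE_PATTERNS = [
    r"\bchanged? bank\b",
    r"\bnew (bank )?(account|details)\b",
    r"\b(account number|sort code|iban)\b",
]

# Character substitutions commonly used when registering lookalike domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def normalise(domain):
    """Collapse common homoglyph substitutions so lookalikes compare equal."""
    for bad, good in HOMOGLYPHS:
        domain = domain.replace(bad, good)
    return domain


def levenshtein(a, b):
    """Edit distance; a small value between two different domains is a red flag."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate, trusted):
    """True if candidate imitates trusted via homoglyphs or a couple of edits."""
    if candidate == trusted:
        return False
    return normalise(candidate) == normalise(trusted) or levenshtein(candidate, trusted) <= 2


def analyse(raw_message, trusted_domains):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []

    # A Reply-To pointing somewhere other than the sender is how the attacker
    # keeps the victim's answers away from the real mailbox owner.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    for trusted in trusted_domains:
        for dom in {from_dom, reply_dom} - {"", trusted}:
            if is_lookalike(dom, trusted):
                findings.append(f"{dom} is a lookalike of trusted domain {trusted}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if any(re.search(p, text, re.IGNORECASE) for p in BANK_CHANGE_PATTERNS):
        findings.append("body requests a change of bank details")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(name, analyse(raw, ["supplier-example.com"]) or "no findings")
```

Run against the suspicious sample it reports three findings (mismatched Reply-To, a lookalike domain, and bank-change wording); the genuine sample produces none. A check like this belongs on the mail gateway or in an accounts inbox rule as a prompt to pick up the phone, not as a replacement for that call: if the attacker sends from the genuinely compromised mailbox with no Reply-To, only the body check fires, and the edit-distance test will also flag unrelated short domains, so tune the threshold to your own supplier list.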

Bottom line: the payee still needs paying, and this suddenly becomes a scenario that could cripple either business.


Could it have been avoided?

This particular scenario could have been avoided by having some basic security measures and practices in place: multi-factor authentication on email accounts, so a stolen password alone is not enough to get in; a periodic check for unexpected mailbox forwarding rules; and a simple rule that any change to a supplier's bank details is confirmed by phone, on a number already on file rather than one taken from the email, before a payment is made. That last check costs nothing and would have stopped the payment even with the mailbox compromised.

Cyber Essentials is a government-backed scheme that sets out the baseline controls a business should have in place to defend against the most common internet-based attacks. Not only that, it also shows new and existing clients that you take security seriously and gives them confidence that their sensitive data is safe.

Your 'human firewall' is just as important as the software you have in place. Cyber Essentials certification, together with regular cyber security awareness training for your staff, is crucial to avoiding these everyday scams.


What can you do to protect yourself and your business?

In short: become Cyber Essentials certified, and talk to us about our free cyber security workshops.

Southern IT are one of the very few companies that are not only Cyber Essentials certified to the highest level, but also accredited to certify other businesses without involving a third party. In fact, at the time of writing, to our knowledge we are one of the only companies in Sussex that can certify both Cyber Essentials and Cyber Essentials Plus.

If you would like to learn more and arrange for a free technical security audit of your systems and processes, with advice on how far away from certification you are, feel free to give us a call and one of our friendly team will happily discuss your needs or concerns.