The Government’s cybersecurity agency CERT NZ says it’s receiving increasing numbers of reports of business email compromise from law firms with amounts of up to half a million involved.
CERT NZ says the scam involves an attacker gaining access to an email account in an organisation, then using that account to intercept invoices going to or from accounts payable or accounts receivable. They often set up auto-forwarding rules so that anything sent to finance is automatically redirected to their own email address. Attackers get access to accounts through weak passwords or the lack of 2-factor authentication (2FA).
Attackers then change the payment details on the invoice and send it on to finance. Accounts payable will often not notice the change of bank details, or will simply make the update, assuming it has been requested by the legitimate supplier. The result is a large invoice being paid to the attacker, which may not be picked up until the supplier follows up on the missing payment.
In the case involving about $500,000, the law firm realised it was a fraud and stopped the transaction in time. The firm changed its passwords, carried out other security measures and reported the incident to CERT.
“In some cases the owner of the breached account will notice their account has been accessed and change their password. We’ve seen instances of the attacker then setting up a copycat domain so they can imitate the law firm, e.g. Joe Blogg’s law becomes Joe Blogg’s lavv with the use of two vs,” says CERT’s Senior Engagement and Partnerships Advisor, Madeline Shepherd.
Ms Shepherd says the following actions can prevent the majority of such attacks:
- Strong password policies
- Use of 2-factor authentication on email accounts
- Checking auto-forwarding rules
- Having a manual checking process to verify invoice changes, not using email.
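The copycat domain Ms Shepherd describes (a "w" written as two vs) is one of a small family of look-alike substitutions, and a finance team's mail filter can flag them against a list of known supplier domains. The following is an added example, not CERT NZ's code: it folds common look-alike substitutions and also catches domains one character away from a known supplier, which goes beyond the single "vv" case in the article. The supplier domains and the substitution list are constructed for illustration.

```python
"""Flag sender domains that imitate a known supplier (added example)."""
from typing import Iterable

# Look-alike substitutions folded before comparison. Multi-character
# sequences come first so "vv" becomes "w" before single characters.
# This list is constructed for the example and is not exhaustive.
_FOLDS = [("vv", "w"), ("rn", "m"), ("cl", "d"),
          ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed list of suppliers whose invoices finance expects to receive.
KNOWN_SUPPLIERS = ["joebloggslaw.co.nz", "example-stationery.co.nz"]


def normalise_domain(domain: str) -> str:
    """Lower-case the domain, fold look-alike sequences, drop hyphens."""
    folded = domain.strip().lower()
    for fake, real in _FOLDS:
        folded = folded.replace(fake, real)
    return folded.replace("-", "")


def _one_edit_apart(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    for i in range(len(a)):
        if a[i] != b[i]:
            if len(a) == len(b):
                return a[i + 1:] == b[i + 1:]
            return a[i:] == b[i + 1:]
    return len(a) != len(b)  # identical strings are not one edit apart


def classify_sender(sender_domain: str, known: Iterable[str] = KNOWN_SUPPLIERS) -> str:
    """Return 'trusted', 'lookalike:<supplier>' or 'unknown' for a sender domain."""
    sender = sender_domain.strip().lower()
    known_list = [d.strip().lower() for d in known]
    if sender in known_list:
        return "trusted"
    folded = normalise_domain(sender)
    for real in known_list:
        real_folded = normalise_domain(real)
        if folded == real_folded or _one_edit_apart(folded, real_folded):
            return f"lookalike:{real}"
    return "unknown"


if __name__ == "__main__":
    for d in ["joebloggslaw.co.nz", "joebloggslavv.co.nz", "joebloggs-law.co.nz", "other.example"]:
        print(d, "->", classify_sender(d))
```

A "lookalike" result is a reason to hold the invoice and confirm the bank details by phone with the supplier, which is the manual check the list above calls for.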
CERT has produced an online article on business email compromise and how to protect against it.
A recent LawTalk article also provides useful advice about email fraud.