The fake mandate/invoice scam (also known as BEC, Business E-mail Compromise) is a phenomenally simple yet successful scam. It has brought in large amounts of revenue for the criminal side of business in the past two years. The United Kingdom alone has suffered badly in the last year. City of London Police figures (based on reported cases) show that these attacks have risen by 71% on the previous year (the figures were collated by BBC Radio 4). Police Commander Chris Greaney told the reporters: “Sadly email is just not safe and you cannot trust it all the time.” There are probably many other unreported cases: customers who are as yet unaware they have been scammed, and businesses who are aware but would rather absorb the cost and stay quiet.
How the mandate/invoice scam works
First the hackers have to compromise a business network. For a customer-facing invoice attack, less extensive monitoring is necessary; a mandate scam may need deeper network penetration to succeed. Harvesting data such as staff contact details and transaction points (third-party contractors, suppliers, customers, etc.) gives the hacker everything required. With this information, the hackers have two choices of scam:
By invoice: e-mailing the customer to inform them that an outstanding payment is due and giving them different bank details to use to pay it. In essence, this can be as simple as re-routing an expected monthly payment from the customer into the hacker's bank account. This method is sometimes reinforced with the warning that the sum is overdue and that late payment could affect the customer's credit rating.
By mandate: the hacker identifies a member of staff who has financial administration powers, then a company member in a senior position. The hackers impersonate this senior figure and send the finance department a mandate for a cost to be paid into the hacker's account. The business can also be hit by the invoice scam, with the hacker posing as a supplier or contractor.
In reality, the criminals don't have to choose: they can run both options if it seems realistic, which largely depends on the structure of the company and the nature of the business hacked. Many targets are given mandates small enough not to be questioned in busy work environments, and payments are initiated without question. These hackers are not stupid.
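The indicators behind both variants above (a senior figure's name on an address that is not theirs, a lookalike of the company's own domain, replies diverted to another mailbox, and bank-detail or urgency language) can be checked mechanically before a message reaches the finance inbox. The following triage filter is an added example, not code from the article or from any named source; the company domain example-plc.co.uk, the executive directory, the function names and the three sample messages are all constructed for illustration.

```python
"""
Added example: a small triage filter for mandate/invoice-fraud e-mails.
Everything here (domain, executive directory, sample messages) is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's own domain and the people whose names
# fraudsters are most likely to impersonate (hypothetical name and address).
OUR_DOMAIN = "example-plc.co.uk"
EXECUTIVES = {"jane carter": "jane.carter@example-plc.co.uk"}

# Phrases that typically accompany a mandate or a changed-bank-details invoice.
PAYMENT_PHRASES = [
    r"\bnew bank (details|account)\b",
    r"\bupdated? (our )?bank details\b",
    r"\bsort code\b",
    r"\biban\b",
    r"\boverdue\b",
    r"\bcredit rating\b",
    r"\burgent(ly)? (payment|transfer)\b",
]


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: str) -> dict:
    """Return the fraud indicators found in one RFC 5322 message (as text)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    # 1. Display name of a known executive, but the address is not theirs.
    known = EXECUTIVES.get(display.strip().lower())
    if known and addr.lower() != known:
        findings.append("executive-name-mismatch")

    # 2. Sender domain is one or two characters away from our own domain.
    if domain and domain != OUR_DOMAIN and edit_distance(domain, OUR_DOMAIN) <= 2:
        findings.append("lookalike-domain")

    # 3. Replies are diverted to a mailbox other than the sender's.
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to-diverted")

    # 4. Payment-redirection or pressure language in the body.
    if any(re.search(p, body, re.I) for p in PAYMENT_PHRASES):
        findings.append("payment-change-language")

    return {"from": addr, "findings": findings, "score": len(findings)}


# Constructed sample messages (not real traffic).
MANDATE_SCAM = """\
From: Jane Carter <jane.carter@example-p1c.co.uk>
Reply-To: jane.carter.ceo@mail-example.com
To: accounts@example-plc.co.uk
Subject: Urgent payment

Please arrange an urgent transfer of 4,850 GBP to the account below today.
Sort code 12-34-56, account 12345678. I am in meetings, e-mail only.
"""

INVOICE_SCAM = """\
From: Accounts <accounts@acme-supplies-ltd.com>
To: accounts@example-plc.co.uk
Subject: Invoice 2291 overdue

Please note our updated bank details for this and future payments.
IBAN GB00EXMP00000000000000. Late payment may affect your credit rating.
"""

LEGIT = """\
From: Jane Carter <jane.carter@example-plc.co.uk>
To: accounts@example-plc.co.uk
Subject: Board pack

Attached is the board pack for Thursday.
"""

if __name__ == "__main__":
    for name, raw in [("mandate", MANDATE_SCAM), ("invoice", INVOICE_SCAM), ("legit", LEGIT)]:
        print(name, triage(raw))
```

The score is only a prioritisation aid: the forged mandate trips all four checks, the supplier invoice trips only the language check (a genuine supplier changing bank details reads the same way), and the real board-pack message trips none. The edit-distance check catches typo-squats such as p1c for plc but not Unicode homoglyphs, and none of this replaces confirming a changed mandate out of band with the person it claims to come from.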
The reported increase represents 5,480 cases recorded by the police. Of these, 36% of victims said that exposure to the scam had affected them significantly, either financially or in health terms. With this type of fraud on the increase in many countries, security must be thought of in new terms. Admin staff should always verify irregular or changed mandates in person, or by telephone on a number already on file (not via e-mail, and not on a number supplied in the e-mail!). Customers should always question any request to change payment details.