28 Jan Cyber Security – Accounts Department Phishing
Is your finance department as safe as you think?
Cyber crime is heading towards “accounts payable”.
Warn your finance department.
Phishing is when a criminal sends an email in order to direct an unsuspecting victim towards a fake website.
The email is normally in the form of an instruction to urgently update your account details to prevent something bad happening.
The fake website is built to look exactly like its genuine counterpart and is intended to trick the user into entering their login details into what looks like the real login page. Once the victim does this, the fraudster captures the details, heads to the real website and logs in, potentially causing untold amounts of trouble.
Accounts Department Phishing
In a typical accounts department fraud, the scammer takes this a step further: rather than stealing a login, they try to get their own bank details added as a payee on the company's online banking and persuade the business to make a payment to it.
This process is pretty complex but works something like this.
The scammer has to work for this one but if they get it right it can be very lucrative.
They gather a company director's details from Companies House and then track down the accounts department contacts via LinkedIn.
For the purposes of this example the company being scammed is Fred Bloggs Design Associates. The CEO is Fred Bloggs. The company domain is fredbloggsdesign.com
The scammer will register a very similar domain such as fredblogsdesigns.com (note the missing "g" and the extra "s"; at a glance it passes for fredbloggsdesign.com).
The scammer then sends an email to the company “accounts payable” contact at Fred Bloggs Design requesting an urgent payment be made to a particular supplier for an amount such as £5000 including their account number and sort code.
The email looks as though it comes from Fred's address at fredbloggsdesign.com, but the reply address (the Reply-To header) is actually at fredblogsdesigns.com (note the missing "g").
That way, when the accounts department replies with an "Are you sure about this, Fred?" email, the reply lands with the scammer, who simply answers "Yes".
If the accounts department falls for this scam, the sky is the limit as to how much you can lose.
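The lookalike-domain and Reply-To trick described above can be checked mechanically before anyone acts on a payment request. The following is an added example, not code from the original article: it parses a raw email with Python's standard library, compares the From and Reply-To domains, and flags any sender domain that is within two character edits of the genuine fredbloggsdesign.com. The sample messages, and the local part fred@, are constructed for illustration and are not from the article.

```python
"""Flag payment-request emails whose From/Reply-To domains mimic the company domain.

Added example (not from the original article). Uses only the standard library.
"""
import email
from email.utils import parseaddr

# The company's genuine domain, taken from the article's example.
COMPANY_DOMAIN = "fredbloggsdesign.com"


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_lookalike(domain, genuine=COMPANY_DOMAIN, max_edits=2):
    """True if domain is not the genuine domain but is within a few edits of it.

    fredblogsdesigns.com is two edits (drop a 'g', add an 's') from
    fredbloggsdesign.com, so the article's example domain is caught.
    """
    if not domain or domain == genuine:
        return False
    return edit_distance(domain, genuine) <= max_edits


def check_message(raw):
    """Return a list of warnings for a raw RFC 5322 message; empty means nothing found."""
    msg = email.message_from_bytes(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    warnings = []
    # Replies silently going somewhere other than the apparent sender is the core trick.
    if reply_dom and reply_dom != from_dom:
        warnings.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if is_lookalike(dom):
            warnings.append("%s domain %s looks like %s" % (label, dom, COMPANY_DOMAIN))
    return warnings


# Constructed sample: From shows the real domain, Reply-To is the lookalike.
SAMPLE_REPLY_TO_TRICK = b"""From: Fred Bloggs <fred@fredbloggsdesign.com>
Reply-To: Fred Bloggs <fred@fredblogsdesigns.com>
To: accounts@fredbloggsdesign.com
Subject: Urgent supplier payment

Please pay the attached invoice today. Account details below.
"""

# Constructed sample: sent directly from the lookalike domain, no Reply-To.
SAMPLE_FROM_LOOKALIKE = b"""From: Fred Bloggs <fred@fredblogsdesigns.com>
To: accounts@fredbloggsdesign.com
Subject: Urgent supplier payment

Please pay the attached invoice today.
"""

# Constructed sample: genuine internal mail, nothing to flag.
SAMPLE_GENUINE = b"""From: Fred Bloggs <fred@fredbloggsdesign.com>
To: accounts@fredbloggsdesign.com
Subject: Lunch

Sandwiches are in the kitchen.
"""

if __name__ == "__main__":
    for name, raw in (("reply-to trick", SAMPLE_REPLY_TO_TRICK),
                      ("lookalike from", SAMPLE_FROM_LOOKALIKE),
                      ("genuine", SAMPLE_GENUINE)):
        print(name, "->", check_message(raw) or ["no warnings"])
```

Two character edits is deliberately loose: it also catches swapped letters and an extra or missing hyphen, which are the other common registrations. A warning from this check is a reason to pick up the phone, not a verdict; a scammer who has actually compromised Fred's mailbox (the second scam below) will pass it, because the mail genuinely comes from the real domain.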
Another popular scam aimed at the finance department follows on from a business email username and password being phished (as described earlier).
The scammer searches the compromised user's sent items for recently issued invoices.
They then email the customer the invoice was issued to (from the phished account) asking that it be paid to a new bank account, claiming the bank details have recently changed.
The aim is to have the invoice paid into the scammer's account rather than the account of the email's real owner. It is brazen but potentially successful.
- All new payees should be validated by voice call with the director (or staff member) who requested the payment, using a phone number already held on file rather than one taken from the email.
- Any payee requesting a change of bank account details should be contacted by voice by someone within your business who can definitely confirm that payee's identity, again using previously known contact details and never those supplied in the request.
Please like this page if you found the content interesting and share if you feel others may benefit from this information.