The Grim Reality of Cyber-Crime
Hacking isn’t a modern invention – it has been a problem since the dawn of electronic communications:
1834 – A French telegraph system was hijacked by a pair of thieves; financial information was intercepted and the funds stolen.
1903 – At the first public demonstration of Marconi’s “secure” wireless telegraph, the demonstrator was interrupted by insulting Morse code messages discrediting the invention.
1940 – Considered to be the first ethical hacker, Rene Carmille, a member of the resistance in Nazi-occupied France, found that the Nazis were using IBM punch cards to process and track down Jews, and sabotaged their efforts in his area.
1960s – John Draper, a phone hacker (phreaker) going by the moniker of “Captain Crunch”, discovered that the plastic whistle given as a prize in boxes of Captain Crunch cereal emits a perfect 2600Hz tone, allowing him to get access to AT&T telephone lines and make free long distance calls. Together with Steve Wozniak (Apple Computers co-founder) he created “blue boxes”, electronic devices allowing the same access – Steve “Woz” Wozniak states that this was fundamental to the founding of Apple: no blue boxes, no Apple computers.
1980s – Due to the Cold War and advances in transistor technology, the connectivity of machines exploded, prompting fears of global thermonuclear war caused by “hackers” – a fear reinforced by the 1981 film Wargames.
“It will never happen to me!”
You might think that the fears of hacking are exaggerated and it would never happen to you. But the sad reality is that it is a case of not if, but when you and your business become a target.
What follows is a real story that happened to a local business in 2019.
Some details have been changed to protect people’s privacy.
How a local charity was defrauded for over £10,000
Jane, the financial controller for a charity, was processing invoices and reconciling bank transactions for her employer.
That afternoon, she received an email from the chief executive. Nothing out of the ordinary: it related to an overdue invoice. The chief executive had added a note requesting that it be paid immediately if it wasn’t already settled.
FROM: john.doe@companyname.co
TO: Jane.smith@companyname.com
SUBJECT: Urgent Invoice payment needed
Hi Jane,
I’m just off the phone with these people and I’m not happy. You need to pay the attached invoice immediately – it’s already over 60 days overdue. They are threatening to suspend services if it’s not sorted by the end of the day.
I’m unavailable the rest of today but can you get this taken care of and send them evidence of the transfer.
Thank you
John
Chief Executive
Charity
This wasn’t anything unusual, due to the nature of the business. Invoices were sometimes sent directly to individuals without copying in the finance department, so they occasionally got overlooked. In his email, John had mentioned an attached invoice but there was no attachment – Jane clicked reply and asked John for the invoice:
FROM: john.doe@companyname.co
TO: Jane.smith@companyname.com
SUBJECT: RE: Urgent Invoice payment needed
Hi Jane,
Sorry, I was on my mobile, I’ve attached it here for you – let me know if you don’t get it this time.
Thanks
John
Chief Executive
Charity
This time the invoice was attached – Jane got straight to work. She set up the new payee on their banking platform and paid the overdue amount of £11,765 in full. She sent a screenshot of the transfer success message and also replied to John letting him know it was resolved.
What Happened Next
A few weeks later, Jane got a call from Robert, their CFO. He asked her to meet him and John at his office to go over invoices and bank transactions. Arriving at the meeting, Jane was met with accusations of fraud and embezzlement.
Why was £11,765 transferred to a company that had never provided service to the organisation?
Jane was obviously upset by these claims, and explained that she was asked to do it by John. John denied asking for any such thing.
Jane opened her laptop and showed both of them the email she had received. They were perplexed: it looked like it came from John, and it read like an email John would send. To further complicate matters, John was actually out of the office that day.
They immediately called the police and spoke to their fraud team, who opened a case and started their investigation. They found that the funds had been transferred out of the UK bank account almost as soon as they arrived. As the funds were sent to a European account, Interpol had to get involved.
Months passed, and then they received a call from a telephone number in the United States. It was an agent in the financial crimes division of the FBI: Interpol had found that the money was moved to the US.
Let’s take a look at how this happened and what could have been done to prevent it.
How it happened
There are several things that went wrong in our story above.
Let’s look closely at the top of the email that Jane received – the eagle eyed among you may have spotted what looks like a typo in John’s email address. Unfortunately this wasn’t the case. The fraudsters had actually registered a domain that was identical to the organisation’s except for the TLD (Top Level Domain) – in our case the organisation was using .com and the fraudsters registered the .co version of it.
Domain Registration
They registered the domain for a few reasons, primarily so that they could engage in active two-way communication with Jane – had she replied to a domain that did not exist, the jig would have been up when she received a non-delivery report. It was no accident that the attachment was missing from the original message: Jane’s reply asking for the invoice told them that they had the right person and that she was ready to make the transfer.
Registering the domain also meant that their email was more likely to be delivered: some mail services reject messages from domains that do not exist or that do not have the appropriate DNS (Domain Name System) records associated with email.
Finally, using a practically identical domain means that unless someone is very keen eyed, the messages look like they came from the organisation’s own email and can therefore be trusted, at least somewhat.
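The .co/.com trick above is one of a family of lookalike registrations, and it is cheap to check for on the receiving side. The following is an added example (not code from the original article) of a sender-domain check a mail filter could run: it compares the sender’s domain against the organisation’s own domains and reports why it looks suspicious. ORG_DOMAINS and the sample addresses are constructed stand-ins for the charity’s real domain. It goes a little beyond the article’s single case by also catching one-character edits, digit-for-letter swaps, “rn” for “m”, and the organisation name reused as a label under an unrelated domain.

```python
"""Flag sender domains that impersonate an organisation's own domain.

Added example (not code from the original article). ORG_DOMAINS and the
sample addresses are constructed for illustration.
"""
from __future__ import annotations

from email.utils import parseaddr

ORG_DOMAINS = {"companyname.com"}  # constructed stand-in for the charity's real domain

# Digit-for-letter swaps that survive a quick glance: 0/o, 1/l, 3/e, 5/s.
_DIGIT_SWAPS = str.maketrans("0135", "oles")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (label before the TLD, TLD). Deliberately simple: no public-suffix
    list, so 'example.co.uk' is treated as name 'co', TLD 'uk'."""
    parts = domain.split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (domain, "")


def lookalike_reason(sender_domain: str) -> str | None:
    """Explain why sender_domain resembles an org domain, or None if it does not."""
    sender = sender_domain.lower().rstrip(".")
    if sender in ORG_DOMAINS:
        return None
    for org in ORG_DOMAINS:
        if sender.endswith("." + org):
            return None  # genuine subdomain such as mail.companyname.com
        org_name, org_tld = split_domain(org)
        sender_name, sender_tld = split_domain(sender)
        if sender_name == org_name and sender_tld != org_tld:
            return f"same name as {org} with TLD .{sender_tld} instead of .{org_tld}"
        if org_name in sender.split("."):
            return f"uses '{org_name}' as a label under an unrelated domain"
        if levenshtein(sender, org) == 1:
            return f"one character away from {org}"
        if sender.translate(_DIGIT_SWAPS) == org:
            return f"digit-for-letter substitution resembling {org}"
        if sender.replace("rn", "m") == org:
            return f"rn-for-m substitution resembling {org}"
    return None


def check_sender(from_header: str) -> str | None:
    """Parse a From: header value and return a lookalike reason, or None."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable sender address"
    return lookalike_reason(addr.rsplit("@", 1)[1])


if __name__ == "__main__":
    for hdr in [
        "John Doe <john.doe@companyname.co>",          # the article's .co/.com trick
        "jane.smith@companyname.com",                 # genuine
        "helpdesk@mail.companyname.com",              # genuine subdomain
        "John Doe <john@c0mpanyname.com>",            # zero for o
        "John Doe <john@cornpanyname.com>",           # rn for m
        "John Doe <john@companyname.com.example.net>",
    ]:
        print(f"{hdr:50} -> {check_sender(hdr)}")
```

A filter would typically quarantine or banner any message whose reason is not None; the reason string is what an analyst wants in the log. A production version would use a public-suffix list rather than the naive split_domain above.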
But how did they know all of the information about the financial controller, the chief executive and the organisation to send these emails?
Information Gathering
The fraudsters had spent some time gathering information before carefully executing their attack. They used a variety of sources to get information about the organisation, its structure and its employees.
Jane was proud of her position as financial controller and had an active LinkedIn profile that listed this as her title. There are a few methods that can be used to get someone’s email address: it may be publicly listed, or the format can be guessed, as addresses usually follow some predictable form (jsmith@domain and Jane.smith@domain are two examples). In this case, they simply called up the organisation and asked for it.
The chief executive was a Facebook user – he would post regularly, including both text and photos. From this they were able to form an accurate impression of how John wrote as well as what he was doing – John had posted at the start of the week that he was going to be at a conference on the afternoon that Jane received the email.
Finally, as a charity they had a website that told people what they did, using this they were able to convincingly fabricate a supplier identity – one that the charity would be likely to purchase products and services from – as well as having a significant negative impact if they were to withdraw service.
Social Engineering
Using the information gathered, they took advantage of people’s nature to commit this fraud.
People will go out of their way to avoid getting themselves or others in trouble.
Jane wanted to avoid getting in trouble herself by missing an invoice payment. She also wanted to make sure that the charity was not impacted negatively.
People don’t want to inconvenience other people
Jane didn’t want to bother John at his conference. He’d expressed that he was unavailable and had also made it clear what he wanted to happen, i.e. the invoice being paid ASAP.
People want to help others
The person who answered the call asking for Jane’s email address wanted to help someone. The call likely went something like this: “Hi, this is Bob. I was speaking with Jane earlier this week. She’d asked me to email her some information. I had written down her email but I can’t find it anymore. Can you help me?” Who would refuse such a reasonable request?
How it could have been avoided
There are several things that could have been done to prevent this type of attack from happening – some technical, but mostly training and process control.
1. Mark emails from outside the organisation as such
If you are using Microsoft 365 or Google Apps Suite, it is very easy to add an indicator to all messages from outside your organisation. Usually this means amending the subject of the email with a tag like “[EXTERNAL]: Original Subject Line”. Then, inside the body of the email before the content, a line can be added such as: “This email originated from outside your organisation, please take care with the content and any attachments”.
2. Filter all emails (internal and external) for CEO fraud or other indicators of compromise
Whilst this example came from an external account, what happens if an actual employee’s email is compromised? All emails, internal and external, should be inspected to ensure that the originating accounts are not compromised. This can be achieved through a variety of third-party services.
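Recommendations 1 and 2 above are both things a mail filter does before the message reaches the inbox. The following added example (not code from the original article or from any mail vendor) shows the two together in one small filter: it prepends the external subject tag and body banner described in recommendation 1, and it flags the CEO-fraud indicators of recommendation 2 on every message, internal senders included. The organisation domain, the executive list and the two sample messages are constructed; the first sample is modelled on the article’s fraudulent email.

```python
"""Tag external mail and flag CEO-fraud indicators in messages.

Added example, not code from the original article or any mail vendor. The
organisation domain, executive list and sample messages are constructed.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

ORG_DOMAINS = {"companyname.com"}                        # constructed
# constructed: executive display name -> the executive's genuine mailbox
EXECUTIVES = {"john doe": "john.doe@companyname.com"}
BANNER = ("This email originated from outside your organisation, "
          "please take care with the content and any attachments.")
PAYMENT = re.compile(r"\b(invoice|payment|transfer|bank details)\b", re.I)
URGENCY = re.compile(r"\b(immediately|urgent|urgently|today|asap|overdue|end of the day)\b", re.I)


def sender(msg: Message) -> tuple[str, str, str]:
    """Return (display name, local part, domain) of the From: header, lowercased."""
    name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().partition("@")
    return name.strip().lower(), local, domain


def is_external(msg: Message) -> bool:
    return sender(msg)[2] not in ORG_DOMAINS


def tag_external(msg: Message) -> None:
    """Recommendation 1: prepend a subject tag and a body banner to external mail."""
    if not is_external(msg):
        return
    subject = msg.get("Subject", "")
    if not subject.startswith("[EXTERNAL]"):
        del msg["Subject"]
        msg["Subject"] = f"[EXTERNAL]: {subject}"
    if not msg.is_multipart():          # single-part body only; multipart left alone here
        msg.set_payload(BANNER + "\n\n" + msg.get_payload())


def impersonated_executive(msg: Message) -> str | None:
    """Sender uses an executive's display name or address local part from another domain."""
    name, local, domain = sender(msg)
    for exec_name, real in EXECUTIVES.items():
        real_local, _, real_domain = real.partition("@")
        if domain != real_domain and (name == exec_name or local == real_local):
            return f"'{name or local}' resembles executive {real} but came from {domain}"
    return None


def fraud_indicators(msg: Message) -> list[str]:
    """Recommendation 2: run on every message, internal senders included."""
    found: list[str] = []
    hit = impersonated_executive(msg)
    if hit:
        found.append(hit)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    if PAYMENT.search(text) and URGENCY.search(text):
        # Flagged even for internal senders: a compromised staff mailbox looks internal.
        found.append("urgent payment language: confirm by telephone before paying")
    return found


def analyse(raw: str) -> dict:
    """Score first (on the untagged message), then tag; return what a filter would log."""
    msg = message_from_string(raw)
    indicators = fraud_indicators(msg)
    tag_external(msg)
    return {"external": is_external(msg), "subject": msg["Subject"], "indicators": indicators}


# Constructed sample modelled on the article's first fraudulent email.
FRAUD_SAMPLE = """\
From: john.doe@companyname.co
To: Jane.smith@companyname.com
Subject: Urgent Invoice payment needed

Hi Jane,

You need to pay the attached invoice immediately - it's already over 60 days overdue.
"""

# Constructed sample from a genuine internal mailbox; still worth a callback.
INTERNAL_SAMPLE = """\
From: Robert <robert@companyname.com>
To: Jane.smith@companyname.com
Subject: Supplier payment

Please transfer the balance today.
"""

if __name__ == "__main__":
    for raw in (FRAUD_SAMPLE, INTERNAL_SAMPLE):
        print(analyse(raw))
```

The indicators are deliberately scored before the banner is added so that the filter’s own text never trips its keyword rules. The internal sample shows the point of recommendation 2: nothing about the sender looks wrong, yet an urgent payment request still deserves the telephone confirmation described under process management.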
3. Increase Awareness
Employees are both your biggest vulnerability and your last line of defence against these types of attacks. They should receive regular training on how to spot these types of emails and how to react to them. They should also be assessed on their ability to follow the training; this can help identify individuals who may need some additional help.
4. Process Management
When an email request for an invoice payment or similar is received, a good process is to follow up with a telephone call to the requestor to confirm the request. It may lead to a delay in payment, but it helps to identify any potential account compromise early. It’s crucial that people are not penalised for asking for this confirmation.
What’s next?
This story may have a somewhat happy ending, with the organisation getting almost all of the money back, but it usually doesn’t end this way. Even in this case there was significant damage done to the reputation of the organisation, and an almost complete destruction of the relationship between Jane and the directors due to the accusations levied – Jane later cited this as the fundamental reason why she left weeks later.