READ detailS

UK small businesses at risk as invoice fraud spikes

Britain’s small businesses are losing more than £9bn a year to fraudsters who send viruses posing as false invoices and other payment information, or as suppliers on the phone, a new study shows.

Under this type of scam, fraudsters send a fake invoice, an odd-looking tax return requesting payment for non-existent goods or services. In fact, the attached files spread all sort of malware, from crypto-ransomware and banking Trojans to keyloggers that capture secret passwords and other sensitive data.

Half of the SMBs surveyed admitted to have been a victim of invoice fraud in the last twelve months. The study shows self-employed, freelance and contract workers are particularly vulnerable because they receive invoices regularly, from a number of sources – a known supplier, a work colleague or other trusted collaborators. Recently, hackers targeted a legal firm and it almost cost them €47,000 until a bank stepped in to stop a money transfer performed by one of its employees.

“Incidents of invoice fraud are underreported”, warned Pauline Smith, head of the UK’s national center for reporting fraud and internet crime, Action Fraud.“It’s difficult to know the true scale of this fraud type but we do know that it prevails across all types of business and no one industry is immune.”

Cybercriminals usually prefer to send targeted emails to new employees, pretending to come from superiors. “Junior people in very large organisations need to feel comfortable to ask the question of someone senior whether or not this is a real transaction,” Commander Chris Greaney of the City of London Police said.

More than 5,000 people were conned into sending planned payments to fraudsters last year, police said.

How the scam works

The email looks legitimate.

The attached document looks like a standard Word document or spreadsheet, however, in order to view the file, users must enable “macros”. The trick lies in those lines of code. Used in Microsoft Office, macros are generally used to create formulas or a repetitive task. But they can also interact with the whole Windows environment, outside Microsoft Office, and can impact your system.

The code in those seemingly “clean documents” is actually a command for the victim’s computer to download a piece of malware from a remote server that will execute itself automatically. The macro code is obfuscated to bypass traditional antiviruses.

The malware on the remote server can be either a ransomware, banking Trojan or an industrial espionage tool. The ransomware can encrypt important corporate files and ask for a ransom, while the espionage tool can be even more vicious, depending on what kind of files it can access.

The study also reveals that a company loses £1,658 per year because of invoice fraud, and one in six companies estimates that fraud has cost them more than £5,000 in the past year.

How do you recognize a genuine invoice and stay safe?

  • Make sure all employees know how to recognize this type of fraud.
  • Revisit your email filtering rules to make sure spam is out of people’s Inboxes.
  • Always review invoices to check for inconsistencies/errors, such as a misspelt company name.
  • Have a clearly defined process for verifying and paying accounts and invoices.
  • Ensure your computer systems are secure and that antivirus software is up to date.

Cybersecure provides a proven and cost-effective security solution for cloud-managed security.