Email: temora@auswildbroad.com.au | Phone: (02) 6978 0077 |
It is a busy time of year and everyone is receiving more invoices and other financial communications than usual, but are you sure that every invoice is legitimate?
Invoice hijacking is on the rise, and receiving a hijacked invoice is indicative of greater security vulnerabilities. Read on to find out about this threat and how to protect yourself.
A hijacked invoice is a legitimate invoice that has been intercepted by an attacker, and the account details have been changed. The name on the invoice is correct, the invoice number is correct and everything else looks normal, but if you make payment using the supplied bank details, you will have unintentionally sent the money to a hacker!
If you have received a hijacked invoice, it is usually because either the sender or recipient have had their email account compromised by an attacker.
This can occur through various methods, including phishing, social engineering, password guessing (or password reuse), incorrectly configured mail servers or exploiting security vulnerabilities.
Once inside the compromised email account, the attacker can monitor the email communication between the sender and you. They search for incoming invoices or any communication related to payments.
The attacker specifically targets invoices or payment-related emails to modify. They may search for keywords or known senders associated with financial transactions. The attacker may choose not to act until an invoice worth a large amount is received.
After identifying an invoice, the attacker alters the bank account details within the email or attachment. They replace the legitimate account information with their own, directing the payment to their account instead.
To avoid detection, the attacker may take steps to cover their tracks. They can delete or archive the original email to make it more difficult for the sender or recipient to identify the changes.
The attacker allows the modified invoice to reach your email inbox, making it appear as if it's from the legitimate sender. They rely on your trust in the sender's email address and the appearance of the email to manipulate you into following the modified payment instructions.
If you proceed with the payment based on the altered invoice, the funds are sent to the attacker's account instead of the intended recipient.
When you receive an invoice, contact the sender via phone and confirm the payment details. Many businesses make it a policy to contact new suppliers via phone to confirm account details and won’t change those details without additional verification.
If a phone call reveals incorrect payment details you need take the following steps:
Contact the sender and let them know you have received a hijacked invoice from them.
If the sender's account has been compromised then an attacker is likely sending fraudulent emails to every contact in the mail account.
If you have made payment on a hijacked invoice call your bank's fraud line and inform them. They may be able to stop the funds from being transferred.
Once you have contacted your bank, use the BSB lookup tool here (https://www.bsbnumbers.com) to identify which bank has the attacker's account. Contact the fraud line for this bank and let them know about the hijacked email.
If you have already paid the invoice there may be a chance to recover your funds, and even if you haven’t made a payment, alerting the bank may help catch the hacker and will prevent others from having their funds stolen.
Receiving a hijacked email however does not mean the sender is compromised, quite often it is your own mailbox that is being accessed by an attacker.
Most email providers provide a way to view where an email is being accessed from. It will also often show failed login attempts and other information. Any login from outside of Australia suggests the account has been compromised and is being accessed by an attacker.
For a Microsoft email (Office 365, Outlook.com, Hotmail.com, Live.com etc.) you can use this link to see your account activity: https://account.live.com/Activity
For Gmail and Google Workspace email accounts you can click the details button from the very bottom right hand corner.
For Bigpond email you will need to contact Telstra support.
If your email has been compromised you will need to lock the attacker out. The first step is to change your password to a unique and complex password that you have not used anywhere else.
If your email has been compromised, it may have been used to gain access to other services you use such as banking or social media, so you should also change your passwords for these services.
Go through your sent emails and make sure there are no unknown emails sent from your account. Go through your recently paid invoices and confirm they too have not been hijacked. Report any suspicious emails in or out and alert senders and recipients.
Setup and use 2fa (second-factor authentication) wherever possible. 2fa is the service in which a code is displayed in an authenticator app on your phone that you input on login.
There are also various security settings that can be enabled depending on your email provider. An IT professional will be able to help you correctly secure your account.
Many free email services such as those provided by ISPs are using older technology and are no longer fully supported by the vendor, and really should be considered insecure. If you have an @bigpond.com or @iinet.com.au account then you should consider moving to a new email provider.
For more information on hijacked invoices and other cyber threats contact the Australian Cyber Security Centre or read more here: https://www.cyber.gov.au/report-and-recover/recover-from/email-compromise/what-do-if-youve-been-attacked
Agree to subscribe terms!