Deceived By An Invoice

The pit in Steve’s stomach grew with each passing second. Just last week, he had approved an invoice from a seemingly familiar vendor. Now, on the phone with that vendor, he was facing the awful truth: he had paid a fake invoice.

Sadly, this is not an isolated incident. International organized crime, not lone hackers, appears to be orchestrating the majority of these sophisticated scams. They exploit gaps in email security, gather intelligence, forge identities, create authentic-looking invoices, and siphon away hard-earned money.

To protect your business you need to know… 

  • how this happens,

  • what goes on ‘behind the scenes’,

  • what you can do to prevent it,

  • and how to respond if it happens to you.

Invoice fraud explained

Let’s call our hacker Jamie. Jamie usually purchases stolen credentials or session cookies on the dark web (often from the data breaches that are now so commonplace that only the big ones make the news), or he may trick a target into providing their username, password and even 2 factor authentication codes by getting them to visit a fake login site. He usually targets organizations where large sums of money are regularly transferred (e.g. banking, real estate, manufacturing, construction).

Using the stolen access credentials, Jamie was able to search through Steve’s customer and vendor records, financial information, and importantly – his email account. Jamie quietly monitored messages. Once he saw a big deal coming together, he registered a domain that was similar to the vendor’s domain and set up matching email accounts.  As the vendor was about to send their invoice, Jamie set up mail filtering rules on Steve’s account that rerouted legitimate email from the vendor to Steve’s Junk Mail folder and automatically marked it read.  Jamie then copied the contents of the legitimate message, added new payment instructions to the invoice and then sent it on to Steve, posing as the original sender.

Steve was expecting the invoice, and the details looked good, so he authorized payment.  Steve didn’t notice anything was wrong until he received a phone call from the vendor a week later, asking when they would be paid.  

Organized crime and romance

After Steve approved the invoice, the funds were routed from his company’s bank account to a legitimate account with verifiable contact information.  But this information was not Jamie’s, and it’s not another hacker’s – surprisingly in many instances these bank accounts are well established checking accounts held by regular US citizens.  But why send the money there?  How does the money get to Jamie?

Several months prior to Steve’s incident, a woman, we’ll call her “Elenor”, was browsing an online dating site, looking for companionship. Her husband had passed away a few years back. She was slowly starting to warm up to the idea of speaking with strangers, when a connection request came through from a very interesting and handsome man, we’ll call him “Paul”. Paul’s profile showed that he was empathetic and caring, he was a widower, also looking for a friend.

As time progressed, Paul and Elenor exchanged many email messages and phone calls, but Paul traveled regularly and never seemed to be able to align his schedule to meet up with Elenor in person. They were attached at the hip though, even sending photos of their families and texting sweet messages throughout the day.

Then the small requests started… Paul, with some embarrassment, let Elenor know he’d run into a bit of trouble recently due to a misunderstanding. He was waiting for a check to come in and was short a few hundred dollars to pay an overdue bill. He asked if she could help him out and promised to pay it back within a week. He did pay it back; however, the personal requests started to become more frequent. He always had a good explanation, but she appreciated their relationship and was happy to help him out.

One day, Paul mentioned that there was an issue with his bank account and that he was expecting a very important payment. He asked if the money could be sent to her account. He needed her to withdraw it in large bills and overnight the money to him the same day. Paul told her to keep $1000 for herself, for the trouble.  He had proven trustworthy in the past, so she agreed. But this is where our stories intersect. Elenor received the money from Steve’s company. She withdrew the bulk of it and sent it via FedEx to the address given by Paul, relaying the tracking number back to him. 

By the time Steve realized the switch and contacted his bank, the money was gone.  

Paul didn’t provide his own address; he had set up a new Airbnb account and booked an apartment that he never intended to visit. Instead he relayed the details to a money mule. She stops by, grabs the package from the doorstep and forwards it on to another node in the network. The cash is in the hands of organized crime. It gets converted to cryptocurrency and eventually Jamie gets his cut.

This story is generalized based on our own investigations and public sources. There are variations on the theme, but these romance scams and invoice fraud are a globally distributed operation, involving multiple organized crime groups, conducted at scale. The impact on businesses is both devastating and widespread. In 2023 the FBI’s Internet Crime Complaint Center (www.ic3.gov) received nearly 18,000 complaints of confidence / romance scams and over 21,000 complaints of Business Email Compromise, resulting in $2.9B in losses. However, this appears to be only a fraction of the real volume. Experts agree that these scams are vastly underreported.

Spotting the signs

These cybercriminals are no amateurs. They are clever, exploiting vulnerabilities in communication channels and preying on unsuspecting organizations. Steve’s company was no exception. There are warning signs that people can watch for: 

  • Read the email address carefully - Before you take action, take some time to inspect the email closely.  Look at the full email address (not just the given name). Check the domain name. Look for small misspellings, typos, other inconsistencies compared to prior email conversations.  If something feels off, listen to your intuition and seek a second opinion

  • Search for that exact email address in past messages - If you’ve been conversing with a vendor for a while but those conversations don’t appear in search results, this may be a fake sender

  • Report unexpected push notifications - If you see two factor authentication notices come in either via text message, push notification, or you receive a note of a recent login and you’re not logging in at that moment, report these to your IT/security team immediately, it is likely that someone has your password

  • Confirm all requests to change banking details or payment methods out of band - If the request comes in via email, call them using the phone number from their website; not from your contacts or from their email message.  This goes for employees wishing to change their direct deposit details as well

  • Do not trust Caller ID - Do not provide information to anyone who calls you. Caller ID can be spoofed, they can play fake hold music, transfer you to other members of “their team” etc.  Instead, politely decline. Ask for their name, company, office, department, etc. and then hang up. Google the business, locate the official main number from their website, call that number and ask to be transferred to the person. It’s a lot harder for an adversary to hack a website and change the number or to intercept your outbound call. 

  • Read the message carefully - Phishing messages often contain inconsistent language, grammatical or spelling errors, old logos, different style or branding. They may be surprisingly short, ask you to scan a QR code, or request to move the conversation to text message or another platform outside of corporate security filters 

  • Be wary of an urgent tone, demanding immediate action - By raising the perceived risk of negative consequences, i.e. “Final warning: service will be disrupted if you don’t renew your domain registration today!” or “Your mailbox has reached capacity and new mail will not be delivered” people are more likely to act without thinking through the possible consequences

  • Don’t trust the links - Mouse over the link and check the target (often visible in the lower left corner of your browser window). If you must click, right click and copy the link to the clipboard. Go to your browser, paste the link in the address bar and, before pressing go, review it carefully for spelling mistakes or other subtle differences. Read all the way from the https:// to the next /. That portion is the hostname, and it is evaluated from right to left: the last two labels are the registered domain, and everything to the left of them is a subdomain chosen by whoever owns that registered domain

    • https://mybank.com.someothersite.com/ may be fraudulent

    • https://mybank.com/ is valid 

    • (this is particularly important on mobile devices where the address bar is short or may not be shown at all)
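The two checks above (read the full sender address, and read the hostname of a link right to left) can be automated for a payables team. The following Python is an added example and is not code from the original post; the KNOWN_GOOD list, the sample addresses and the URLs are constructed, and the registrable-domain logic is deliberately simplified (it does not know about multi-label suffixes such as co.uk).

```python
"""Checks for the 'read the address' and 'read the link' signs above:
does a sender address or link target sit on a domain already validated?

Added example, not part of the original post. KNOWN_GOOD and the
inputs in demo() are constructed for illustration."""
from typing import Tuple
from urllib.parse import urlsplit

# Domains previously confirmed out of band (constructed list).
KNOWN_GOOD = {"acme-supply.com", "mybank.com"}


def host_of(target: str) -> str:
    """Hostname of a URL, or the domain part of an email address
    (accepts 'Name <user@domain>' as well as a bare address)."""
    if "://" not in target and "@" in target:
        return target.rsplit("@", 1)[1].strip(" <>").lower()
    return (urlsplit(target).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """The part of a hostname that was actually registered. A hostname is
    read right to left: top-level domain, then the registered name, then
    any subdomains the owner chose. Simplified: multi-label public
    suffixes such as co.uk are not handled."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(target: str) -> Tuple[str, str]:
    """Classify an email address or URL as 'ok', 'embedded', 'lookalike'
    or 'unknown', with a short explanation."""
    host = host_of(target)
    if not host:
        return ("unknown", "no hostname found")
    reg = registrable_domain(host)
    if reg in KNOWN_GOOD:
        return ("ok", reg)
    # mybank.com.someothersite.com: the trusted name is only a subdomain
    # label inside a domain that somebody else registered.
    for good in KNOWN_GOOD:
        if f".{good}." in f".{host}.":
            return ("embedded", f"{good} appears as a subdomain of {reg}")
    # acme-supp1y.com: a typo or homoglyph of a trusted name.
    for good in KNOWN_GOOD:
        if levenshtein(reg, good) <= 2:
            return ("lookalike", f"{reg} resembles {good}")
    return ("unknown", reg)


def demo() -> dict:
    """Run the check over constructed samples of each case."""
    samples = [
        "ap@acme-supply.com",
        "Acme Billing <billing@acme-supp1y.com>",
        "https://login.mybank.com/secure",
        "https://mybank.com.someothersite.com/",
        "someone@example.org",
    ]
    return {s: assess(s) for s in samples}


if __name__ == "__main__":
    for target, (verdict, detail) in demo().items():
        print(f"{verdict:9} {target}  ({detail})")
```

An "unknown" verdict is not a pass: it means the domain has never been validated and the request should go through the same out-of-band phone confirmation as a changed bank account.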

What to do if your business falls victim

Discovering that your business has fallen victim to invoice fraud can be devastating, however a quick response can limit the impact.  

  • Report the fraud to your bank immediately 

    • Those receiving the funds are often told to act as soon as the funds appear in their account, withdrawing or transferring the money. However, if you contact your bank quickly, we’ve seen instances where the money has been recovered

    • The bank and law enforcement can contact the account holder and help them learn the truth. They may be able to gather additional evidence that can be used to help expose and disrupt the crime ring

    • When the crime goes unreported, the Elenors are often used to launder additional funds perpetuating the cycle.  These “relationships” can run for years, amplifying the harm

  • Engage experts in incident response (we can help) 

  • Gather the logs and look for indications of compromise 

    • Unexpected logins

    • Access from regions where travel has not occurred

    • Presence of new email routing rules

    • Alternate 2 factor authentication methods

    • Changes to account recovery mechanisms 

    • Unexpected connections to cloud applications

    • The presence of an alternate identity provider in Microsoft 365 or Google Workspace

    • Newly granted admin roles

    • If you use Login with Google and your Google account is compromised, review all of the sites that use that sign in method for unauthorized activity. (The same is true if other identity providers are compromised: Login with Microsoft, Facebook, iCloud, Salesforce, Okta, Ping, Duo, etc - you need to look at the connected sites here as well)

    • If the affected users were in the habit of reusing passwords, check all accounts where those passwords were used for unauthorized activity (even if they are tied to different email addresses)

    • Check for unexpected activity on the accounts used for account recovery (e.g. that aol.com email you used when you set up your Gmail account)

  • Lock out the adversar(ies) - yes there may be more than one 

    • Reset passwords

    • Reset 2 factor authentication tokens

    • Invalidate login sessions

    • Secure affected points of entry (accounts, firewalls, computers, phones, etc.) - This may include turning off affected devices until they can be forensically reviewed and cleared

  • Reverse changes made

    • Review and address all unauthorized actions (prioritizing accounts with administrative rights first)

  • Report the incident to law enforcement

    • The evidence gathered can help expose and disrupt the crime network

    • It can help other victims and prevent further exploitation 

    • If the adversary was successful, they may try again or they may sell the access to others. You or your business may be tagged as an “easy mark” increasing the number of attempts 

    • If personal information (PI), protected health information (PHI) or other regulated/controlled data was exposed, you may be legally required to report the matter to law enforcement and/or government officials. Some regulations include timelines that must be followed. We recommend consulting with legal counsel in such matters

  • Implement recommended countermeasures - Incident reports often will include a list of recommended steps to prevent a recurrence and/or shore up other weaknesses that are discovered. Consider these carefully and act
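The "Gather the logs and look for indications of compromise" step above lists the things to hunt for in account audit logs. The following Python is an added example, not code from the original post, showing how that hunt looks when written down: it walks a constructed batch of audit events with simplified field names (real providers export different names, so treat the `op` values and fields as assumptions) and raises one finding per indicator, then names the accounts with enough independent indicators to lock out first.

```python
"""Triage of account-audit events for the indicators listed above:
unexpected logins, new mail routing rules, new 2-factor methods,
application consents and new admin roles.

Added example, not part of the original post. The events are
constructed with simplified field names; map them onto the export
format of your own provider's audit log."""
from collections import Counter
from typing import Dict, List

ORG_DOMAIN = "example.com"           # constructed organisation domain
EXPECTED_COUNTRIES = {"US"}          # where your users actually work from (constructed)
# Folders a rule can use to hide mail from the user.
HIDING_FOLDERS = {"junk email", "deleted items", "archive", "rss feeds"}
# App permissions that keep working after a password reset.
MAILBOX_SCOPES = {"Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}

# Constructed sample events: one compromised user, one normal user.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2024-05-01T03:12Z", "user": "steve@example.com", "op": "login",
     "ip": "203.0.113.7", "country": "NG"},
    {"time": "2024-05-01T03:15Z", "user": "steve@example.com", "op": "inbox_rule_created",
     "rule": {"name": ".", "from_contains": "acme-supply.com",
              "move_to": "Junk Email", "mark_as_read": True}},
    {"time": "2024-05-01T03:20Z", "user": "steve@example.com", "op": "mfa_method_added",
     "method": "authenticator app", "device": "unrecognised Android"},
    {"time": "2024-05-01T03:25Z", "user": "steve@example.com", "op": "app_consent",
     "app": "Mailbox Sync Helper", "scopes": ["Mail.ReadWrite", "Mail.Send", "offline_access"]},
    {"time": "2024-05-01T14:00Z", "user": "jane@example.com", "op": "login",
     "ip": "198.51.100.4", "country": "US"},
    {"time": "2024-05-01T14:05Z", "user": "jane@example.com", "op": "inbox_rule_created",
     "rule": {"name": "Newsletters", "from_contains": "news@",
              "move_to": "Reading", "mark_as_read": False}},
    {"time": "2024-05-02T08:00Z", "user": "admin@example.com", "op": "role_assigned",
     "role": "Global Administrator", "target": "steve@example.com"},
]


def rule_is_suspicious(rule: Dict) -> bool:
    """A rule that hides mail (junk/deleted folder, mark read, delete) or
    forwards it outside the organisation is the classic BEC setup step."""
    hides = (rule.get("move_to", "").lower() in HIDING_FOLDERS
             or rule.get("mark_as_read") or rule.get("delete"))
    forwards = rule.get("forward_to", "")
    return bool(hides or (forwards and not forwards.endswith("@" + ORG_DOMAIN)))


def triage(events: List[Dict]) -> List[Dict]:
    """One finding per suspicious event, attributed to the affected account
    (for role grants, the account that received the role)."""
    findings: List[Dict] = []

    def add(e, user, indicator, detail):
        findings.append({"time": e["time"], "user": user,
                         "indicator": indicator, "detail": detail})

    for e in events:
        op, user = e["op"], e["user"]
        if op == "login" and e.get("country") not in EXPECTED_COUNTRIES:
            add(e, user, "login_unexpected_country", f"{e['ip']} ({e.get('country')})")
        elif op == "inbox_rule_created" and rule_is_suspicious(e["rule"]):
            r = e["rule"]
            add(e, user, "mail_rule_hides_messages",
                f"rule {r['name']!r}: from {r.get('from_contains')} -> "
                f"{r.get('move_to')}, mark read={r.get('mark_as_read')}")
        elif op == "mfa_method_added":
            add(e, user, "mfa_method_added", f"{e['method']} on {e['device']}")
        elif op == "app_consent" and MAILBOX_SCOPES & set(e["scopes"]):
            add(e, user, "app_consent_mailbox_access", f"{e['app']}: {', '.join(e['scopes'])}")
        elif op == "role_assigned":
            add(e, e["target"], "admin_role_granted", f"{e['role']} granted by {user}")
    return findings


def likely_takeover(findings: List[Dict], threshold: int = 3) -> List[str]:
    """Accounts with several independent indicators go to the front of the
    lock-out queue: reset password and 2FA, invalidate sessions, remove rules."""
    counts = Counter(f["user"] for f in findings)
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']} {f['user']:18} {f['indicator']:27} {f['detail']}")
    print("likely account takeover:", likely_takeover(found))
```

Jane's newsletter rule is deliberately in the sample to show that not every new rule is an indicator; what matters is whether the rule hides or exfiltrates mail, and whether it clusters with other indicators on the same account.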

Business leaders do not have to go through this alone – nor should they. If your team doesn’t have the necessary expertise, we can provide tailored guidance to prevent, respond and recover from these events. 

Defending against invoice fraud

As the ancient saying goes, ‘it is better to prevent than to cure’. We recommend that businesses take the following steps to safeguard themselves against invoice fraud:

1. Scrutinize every invoice: Steve’s mistake? A quick glance. Next time, scrutinize everything. Take a second look at the warning signs above and keep an eye out. 

2. Document payment procedures: Consistent and careful handling of invoices is more likely to occur when the policy is written down, staff are trained and performance is regularly audited.

  • Adapt and codify recommendations as they relate to your business

  • Keep a spreadsheet with validated payment details for each approved vendor (contact person, direct phone number, main phone number, email address, bank routing and account number, last verified date, etc.) and confirm all changes out of band (e.g. if a change comes through via email, call to confirm using a previously validated phone number - not the one in the email or your Outlook contacts list)

  • Have two authorized individuals review and approve all invoices above a set threshold before payments are made. Two sets of eyes are often better than one and the delay can give time for the fraud to be discovered

  • Require written confirmation from employees that all bank account details have been validated before processing a payment

3. Educate your team: Having a policy isn’t enough: share these stories, train your staff, and test them.

  • Provide regular security best practices training to all employees (this is not a once and done event)

  • Create a culture that allows people the time to consider the signals and seek a second opinion when they are unsure or suspicious

  • Congratulate staff when a scam is thwarted 

4. Conduct background checks: Vet clients and vendors to ensure their legitimacy. 

  • Verify their business registration

  • Check for negative reviews or feedback online

  • If they are willing to provide references, follow through and check them out 

  • Where possible avoid doing business with organizations where email is the only means of communicating

5. Implement proactive defenses: 

  • Everyone

    • When traveling, use your phone’s hotspot rather than free wifi at hotels, coffee shops, airports and airplanes - attackers can impersonate these networks and divert you to look-alike login pages to steal your username, password, 2 factor code (text message, authenticator and push notifications) as well as the resulting session token. These may be used by the adversary or sold to others

    • Update your computer, phone and applications regularly 

    • Download software only from the original manufacturer, mainstream sources or the official app store for your device. Check the reviews (not just the stars) and do not sideload apps. Browser extensions should be treated with special caution as well (they can read and modify any page that you visit and send data to adversaries)

    • Remove apps and extensions you no longer use

    • Replace your computer, tablet, phone, wifi router, etc. when the manufacturer stops releasing security updates (Google “{device name} end of life end of support”) - Although it may continue to work, vulnerabilities that are subsequently discovered will not be patched. Scanning and exploitation are automated and may provide attackers with a foothold

    • Avoid using text messaging (SMS) for 2 factor authentication - it is possible for adversaries to intercept text messages or convince your phone carrier to assign your number to a phone in their possession 

    • Do not reuse passwords - Every time you set up an account, you are trusting that site to keep your password a secret. You have no way of knowing how they are protecting that information. If they suffer a breach and their user database is stolen, it may be trivial for an adversary to extract your password, or it may be very difficult — we don’t know. Some companies disclose their password handling standards, many do not. If you reuse your strong, super-secret password on multiple sites, it is only as secure as the weakest link. If one site loses control, or you are tricked into entering it on a look-alike site, that secret is lost and your other accounts are at risk. For now, we recommend using one password per site and keeping track with a password manager (Bitwarden, LastPass, and 1Password are good choices). Let the password manager generate a strong, fully random 16-20 character password for each site; this way, if one site loses your password, or you are tricked into providing it, the damage is limited. (Password managers have other benefits as well, but more on that another time)

    • When you have to generate a memorable password (e.g. when setting up your password manager) use multiple words strung together in a nonsensical order with numbers and symbols mixed in. The longer the better. The resulting passphrase should not include sequential characters, common phrases, song lyrics, etc. Substituting symbols for characters in short passwords (3 for e and @ for a) provides little benefit and is not recommended

    • Review your account recovery settings

      • When answering security questions, do not tell the truth. With the amount of information that's available via Google and social media searches, truthful answers can be the weakest link. Keep your answers in your password manager

      • Don’t use your mobile phone number for account recovery 

      • Secure that old email account 

    • Watch for signs of romance schemes among your colleagues, friends and loved ones. If they’ve never met the person in real life or had a live video call, something may be amiss.  The FBI has more tips published here

  • Administrators

    • Draft a Written Information Security Policy that includes an incident response plan so that you’re not caught flat footed, wondering what to do when an incident occurs

    • Configure anti-spoofing protections for email 

      • SPF (Sender Policy Framework) - a DNS record that declares which email services are authorized to send mail on behalf of your organization

      • DKIM (DomainKeys Identified Mail) - a cryptographic signature on outgoing messages, verified against a public key published in DNS, that validates that messages were in fact sent from your official mail servers

      • DMARC (Domain-based Message Authentication, Reporting and Conformance) - a DNS based instruction to mail servers on how to handle messages that fail SPF and DKIM validation checks and whether or not to report them to you. When properly configured this can provide an indication of attacker behavior and pre-positioning

    • Secure your domain registration account (use a full random password, 2 factor authentication and named accounts if possible) - it can be game over if an attacker gets control

    • Register look-alike and common mis-spellings of your domain so that adversaries cannot. Include alternate Top Level Domains as well (not just .com but, .org, .net, .co, .io etc) 

    • Set your domain registrations to renew automatically and keep payment information current

    • Require 2 factor authentication for all accounts and utilize strong, proxy resistant, factors (i.e. Yubikeys, Passkeys) where possible

    • Set up conditional access policies that restrict login from Tor exit nodes and countries your users do not travel to

    • Connect corporate cloud services to a single strong Identity Provider (IDP) and/or deploy a corporate password manager  

    • Consider implementing advanced email scanning (attachment detonation, link following, domain age checking) 

    • Limit email communications for accounts payable and accounts receivable teams to known domains via routing rules

    • Regulate OAuth based apps / cloud to cloud integrations and carefully review permissions - By default there is nothing stopping a user from granting a malicious app full access to their email account which would persist even after changing their password and resetting session tokens 

    • Review log retention settings - These vary depending on the cloud provider and your license level. Some logs are overwritten within hours if they are not being sent to a Security Information and Event Management system (SIEM).  Capturing everything for all time will not be productive or cost effective and can sometimes bury the signal in a pile of noise. It is important to strike a balance

    • Monitor suspicious activity reports - Having logs with no one watching them is like building a security desk and installing cameras but not hiring a guard.  Records are useful when it comes time to investigate, but proper monitoring and automation could have caught the intruder immediately
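The documented payment procedure in step 2 above (a register of validated vendor details, out-of-band confirmation of any change, dual approval above a threshold, and written confirmation that bank details were checked) can be encoded so that the checks run the same way every time. The following Python is an added example and not code from the original post; the register entry, the phone numbers, the bank numbers, the threshold and the two invoices are all constructed, and a real deployment would read the register from the approved-vendor spreadsheet or ERP system rather than a dict.

```python
"""Pre-payment check for the documented procedure: compare an incoming
invoice with the validated-vendor register and say what must happen
before the payment is released.

Added example, not part of the original post. Register entry, threshold,
invoices and bank numbers are constructed values."""
from datetime import date
from typing import Dict, List

DUAL_APPROVAL_THRESHOLD = 10_000.00   # constructed policy value
REVERIFY_AFTER_DAYS = 365             # constructed policy value

# One row of the validated-vendor register (constructed values).
VENDORS: Dict[str, Dict] = {
    "acme-supply.com": {
        "contact": "Dana Lee",
        "direct_phone": "+1-555-0100",   # validated out of band, never taken from an email
        "main_phone": "+1-555-0199",
        "email": "billing@acme-supply.com",
        "routing": "123456789",
        "account": "000123456789",
        "last_verified": date(2023, 9, 14),
    },
}


def required_actions(invoice: Dict, today: date) -> List[str]:
    """Actions the payables team must complete; any item starting with
    'HOLD' blocks payment until it is cleared."""
    actions: List[str] = []
    sender = invoice["sender_email"].lower()
    vendor = VENDORS.get(sender.rsplit("@", 1)[-1])
    if vendor is None:
        return ["HOLD: sender domain is not an approved vendor; verify using a phone "
                "number from the vendor's own website, then add it to the register"]
    if sender != vendor["email"]:
        actions.append(f"HOLD: sender {sender} is not the registered contact "
                       f"{vendor['email']}; confirm by phone on {vendor['direct_phone']}")
    if (invoice["routing"], invoice["account"]) != (vendor["routing"], vendor["account"]):
        actions.append("HOLD: bank details differ from the register; confirm the change by "
                       f"calling {vendor['direct_phone']} (the registered number, "
                       "not one from the invoice)")
    if (today - vendor["last_verified"]).days > REVERIFY_AFTER_DAYS:
        actions.append(f"Re-verify contact and bank details (last verified "
                       f"{vendor['last_verified']})")
    if invoice["amount"] >= DUAL_APPROVAL_THRESHOLD:
        actions.append("Second authorized approver must review before payment")
    actions.append("Approver records written confirmation that bank details were validated")
    return actions


def can_pay(actions: List[str]) -> bool:
    """Payment may proceed only once no HOLD items remain."""
    return not any(a.startswith("HOLD") for a in actions)


# Constructed invoices: one with swapped bank details, one that matches.
SWAPPED = {"sender_email": "billing@acme-supply.com", "amount": 48_500.00,
           "routing": "123456789", "account": "999888777666"}
MATCHING = {"sender_email": "billing@acme-supply.com", "amount": 2_300.00,
            "routing": "123456789", "account": "000123456789"}

if __name__ == "__main__":
    for name, inv in (("swapped", SWAPPED), ("matching", MATCHING)):
        acts = required_actions(inv, date(2024, 5, 1))
        print(name, "-> pay now:", can_pay(acts))
        for a in acts:
            print("   ", a)
```

The point of the HOLD items is that the phone number used to clear them always comes from the register, never from the invoice or the email that delivered it; that is what makes the confirmation out of band.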

Although the recommendations outlined here may seem like a lot, the good news is that they are part of a comprehensive set of best practices that help defend against many other threats.
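For the SPF, DKIM and DMARC records described under the administrator recommendations above, the following Python is an added example, not code from the original post, that parses the three TXT records and flags the settings that leave a domain spoofable, with a weak configuration shown beside a corrected one. The records use the reserved example.com domain and a made-up mail-provider hostname, the DKIM public key is a placeholder, and the checks are a starting point rather than a complete validator.

```python
"""Audit of the three DNS anti-spoofing records, weak beside corrected.

Added example, not part of the original post. Domains, provider
hostname and DKIM key are constructed placeholders."""
from typing import Dict, List

# Mechanisms that cost a DNS lookup; SPF allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> Dict:
    """Split an SPF TXT record into its mechanisms, the 'all' term
    (with its qualifier) and the number of lookup-costing terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = terms[1:]
    names = [t.lstrip("+-~?").split(":")[0].split("=")[0].lower() for t in mechanisms]
    all_term = next((t for t, n in zip(mechanisms, names) if n == "all"), None)
    lookups = sum(1 for n in names if n in LOOKUP_MECHANISMS)
    return {"mechanisms": mechanisms, "all": all_term, "lookups": lookups}


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'k=v; k=v' tag lists used by DMARC and DKIM records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def audit(spf_record: str, dmarc_record: str, dkim_record: str = "") -> List[str]:
    """Return the weaknesses found; an empty list means nothing was flagged."""
    issues: List[str] = []
    spf = parse_spf(spf_record)
    if spf["all"] is None:
        issues.append("SPF: no 'all' term, so unlisted senders get no verdict")
    elif spf["all"] in ("all", "+all"):
        issues.append("SPF: '+all' authorizes every host on the internet")
    elif spf["all"] == "?all":
        issues.append("SPF: '?all' is neutral, the same as having no policy")
    # '~all' (softfail) is accepted: DMARC only counts an SPF pass, so a
    # softfail is already treated as a failure for DMARC purposes.
    if spf["lookups"] > 10:
        issues.append(f"SPF: {spf['lookups']} lookup terms; more than 10 is a "
                      "permanent error at the receiver")

    dmarc = parse_tags(dmarc_record)
    if dmarc.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = dmarc.get("p")
    if policy is None:
        issues.append("DMARC: required p= tag is missing")
    elif policy == "none":
        issues.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in dmarc:
        issues.append("DMARC: no rua= address, so aggregate reports of failures "
                      "(your view of attacker pre-positioning) go nowhere")
    if dmarc.get("pct", "100") != "100":
        issues.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail")

    if dkim_record:
        dkim = parse_tags(dkim_record)
        if not dkim.get("p"):
            issues.append("DKIM: empty p= tag means the selector's key is revoked")
    return issues


# Weak records (constructed): anyone may send as example.com and nobody is told.
WEAK = {
    "spf_record": "v=spf1 include:spf.mailprovider.example +all",
    "dmarc_record": "v=DMARC1; p=none",
}

# Corrected records (constructed): only the provider may send, failures are
# rejected, alignment is strict, and reports reach a monitored mailbox.
CORRECTED = {
    "spf_record": "v=spf1 include:spf.mailprovider.example -all",
    "dmarc_record": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com",
    "dkim_record": "v=DKIM1; k=rsa; p=PUBLIC_KEY_BASE64_PLACEHOLDER",
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("corrected", CORRECTED)):
        print(label, audit(**records) or ["no issues flagged"])
```

Moving from the weak to the corrected DMARC policy is usually done in stages (p=none with rua= to learn which legitimate senders fail, then quarantine, then reject); the rua= address matters at every stage because those reports are where the pre-positioning the post describes first becomes visible.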

Next steps

At every size and stage of business it is important to work closely with IT and security professionals to regularly review processes and systems, to identify potential vulnerabilities and close gaps.  Done well, these changes can often improve security and operational efficiency.  

Take your next steps today. Reach out. We would be happy to help. 

More to the story

The story’s not over. It gets weirder still: not all of the “Pauls” are willing criminals. Some are themselves victims of human trafficking schemes: tech-savvy individuals lured from their home countries by the promise of a good job, then held under threat of violence or death unless they engage in these crimes. Read more about it here, where one center in the Philippines was recently raided and 658 people were freed. It is important to note that this organization was looking for physically attractive individuals and they were sharing actual images of themselves with their victims.

On a related note, we are seeing an anecdotal rise in fraudulent US federal tax filings and have learned that the IRS doesn’t validate the bank account and routing numbers provided to receive refunds. We suspect that this may have a tie back to romance scams as well. It’s not a great leap for Paul to say that he needs Elenor’s help to get his tax refund. The delays in discovery are also much longer, as the victim doesn’t know that their taxes have been filed until they try to file themselves. More on that in a future blog post.

If you suspect that you have been, or are involved in a romance scam, or have been the victim of the computer crimes discussed here, please visit www.ic3.gov and file a complaint. It is important to disrupt this payment processing network. The crime continues because the money flows.

We are Uncommon Catalyst – An award winning, uncommon consulting firm, providing business and government leaders with the clarity and confidence to act. Our services encompass strategy, IT, and cybersecurity consulting for local, regulated and global cross-sector organizations. 

Reach us at:  info@uncommoncatalyst.com | 617.315.8771