News

Fraudsters use fake invoices to target firms

Posted at April 13, 2015 | Categories : News

Fraudsters are targeting businesses by hiding malware inside fake emailed invoices which then steal online banking credentials, according to Financial Fraud Action, the UK’s fraud intelligence unit.

The new tactic involves fraudsters emailing a business with an invoice purporting to be from a regular supplier or other trusted source. The invoice will be a normal looking word processing or spreadsheet document, however to view the file the recipient has to enable a macro – a set of pre-programmed instructions for a computer.

Unknown to the user, this macro actually installs malware which can infect the business’ entire computer network and will then log the company’s online banking credentials, along with other financial information, before sending it back to the criminal.

Criminals often try to mimic the email address of a legitimate supplier, or compromise their email address, in a bid to trick the recipient into thinking the invoice is genuine. In some cases, fraudsters will even replicate the email address of someone working in the same company as their victim, tricking them into thinking the invoice has come from a colleague or manager.

To avoid becoming a victim of the scam, accounts departments are being warned to:

 Be on the lookout for unexpected invoices or unusual payment requests, especially those arriving in different file formats to normal.

 Avoid enabling any macros on an untrusted document. (Macros in themselves are not dangerous and do serve a legitimate purpose – but they can be used to hide malware).

 If you’re suspicious – don’t reply to the email but instead call your supplier on the number that you have on file to check the authenticity of the invoice.

 Ensure you have the latest anti-virus and security updates installed on your computer and consider using high-level macro security settings in software applications.

 Ensure strong firewalls are in place to help detect malware and prevent data leaving the network without permission.

 Consider using a separate computer dedicated to making online payments to minimise security risks.