Fraudsters are targeting businesses by hiding malware inside fake invoices sent by email; once installed, the malware steals online banking credentials, according to new information from Financial Fraud Action UK’s (FFA UK) intelligence unit, the Financial Fraud Bureau.
The new tactic involves fraudsters emailing a business with an invoice purporting to be from a regular supplier or other trusted source. The invoice looks like a normal word processing or spreadsheet document; however, to view the file the recipient has to enable a macro (a set of pre-programmed instructions embedded in the document). Unknown to the user, enabling the macro actually installs malware (malicious software) onto their computer.
The malware, which can infect the business’ entire computer network, will then log the company’s online banking credentials, along with other financial information, before sending it back to the criminal. The data is then used to steal money from the business’ bank account.
It is thought that fraudsters are changing their tactics as businesses become increasingly aware of the threats posed by unsolicited phishing emails. In this new method, criminals often try to mimic the email address of a legitimate supplier, or compromise the supplier’s actual email account, in a bid to trick the recipient into thinking the invoice is genuine. In some cases, fraudsters will even replicate the email address of someone working in the same company as their victim, tricking them into thinking the invoice has come from a colleague or manager.
To avoid becoming a victim of the scam, accounts departments are being warned to:
• Be on the lookout for unexpected invoices or unusual payment requests, especially those arriving in file formats different from the usual ones.
• Avoid enabling any macros on an untrusted document. (Macros in themselves are not dangerous and serve legitimate purposes, but they can be used to hide malware.)
• If you’re suspicious, don’t reply to the email; instead, call your supplier on the number you have on file to check that the invoice is genuine.
• Ensure you have the latest anti-virus and security updates installed on your computer, and consider using high-level macro security settings in software applications.
• Ensure strong firewalls are in place to help detect malware and prevent data leaving the network without permission. This can be achieved through investing in IT and seeking professional advice.
• Consider using a separate computer dedicated to making online payments to minimise security risks.
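The first two points above (watch for unusual attachment formats, and treat macro-enabled documents as untrusted) can be checked automatically before an invoice ever reaches an accounts inbox. The following is an added illustration, not part of FFA UK’s guidance and not a product of any vendor: a small Python triage routine for a mail gateway that inspects an Office attachment, looks for an embedded VBA project, and returns a verdict. It uses only the standard library. The sample documents it builds are constructed in-memory stand-ins for a real invoice, and the `vbaProject.bin` content is a placeholder, not a real macro project; the verdict names (`block`, `review`, `allow`) are this example’s own convention.

```python
import io
import os
import zipfile

# Extensions Office reserves for macro-enabled documents (the "m" variants).
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}

# Legacy binary formats can carry macros internally and cannot be inspected
# with zipfile, so they are sent for manual review rather than allowed.
LEGACY_BINARY_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}

# Content type that Office uses to declare a VBA project part in an OOXML package.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def extension_of(filename: str) -> str:
    """Lower-cased extension of the attachment name, including the dot."""
    return os.path.splitext(filename)[1].lower()


def has_vba_project(data: bytes) -> bool:
    """Return True if an OOXML (zip-based) document embeds a VBA project.

    Two independent signals are checked: a vbaProject.bin part anywhere in the
    package, and the VBA content type declared in [Content_Types].xml.
    Non-zip input (legacy binaries, PDFs, junk) yields False.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(name.lower().endswith("vbaproject.bin") for name in names):
                return True
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        pass
    return False


def triage_attachment(filename: str, data: bytes) -> tuple:
    """Classify an invoice attachment as ('block' | 'review' | 'allow', reason).

    A VBA project is blocked regardless of the extension: a macro-bearing
    package arriving under a macro-free name such as .docx is more suspicious,
    not less, because the name and the content disagree.
    """
    ext = extension_of(filename)
    if has_vba_project(data):
        return ("block", f"VBA project embedded in {filename}")
    if ext in MACRO_ENABLED_EXTENSIONS:
        return ("review", f"macro-enabled extension {ext} with no VBA part found")
    if ext in LEGACY_BINARY_EXTENSIONS:
        return ("review", f"legacy binary format {ext} cannot be inspected here")
    return ("allow", "no macro indicators found")


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like package for testing (not a real invoice)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            overrides.append(
                f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            )
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes only; a real vbaProject.bin is an OLE container.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder VBA project part")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [
        ("invoice-0142.docm", build_sample_document(True)),
        ("invoice-0142.docx", build_sample_document(False)),
        ("invoice-0142.docx", build_sample_document(True)),
        ("invoice-0142.xls", b"\xd0\xcf\x11\xe0"),
        ("invoice-0142.pdf", b"%PDF-1.4"),
    ]:
        verdict, reason = triage_attachment(name, blob)
        print(f"{name:20s} {verdict:7s} {reason}")
```

In production the `review` outcome would route the message to a quarantine queue where the accounts team can confirm the invoice with the supplier by phone, as the guidance above recommends, rather than opening it; the `block` outcome is the one worth alerting on, since a macro-bearing document from a supplier that normally sends plain PDFs is exactly the format change the first bullet describes.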
Katy Worobec, Director of Financial Fraud Action UK, said:
“Businesses need to be on their guard - fraudsters will do all they can to trick you into thinking their email is genuine, so always double check. Never enable a macro if you’re at all unsure about the authenticity of an invoice and instead call the sender on the number you have on file. If you think your computer system might be infected then contact your bank immediately.”