Fake Invoice Attacks Are on the Rise – Here’s How to Spot Them

False Invoice Scam

Businesses around the world are being targeted with a cyber-attack that sends victims a fake invoice that looks real enough to fool to most people. It is based on an old scam that used to see invoices faxed or mailed to the victims and now it has made its way into the digital world and instances are on the rise.

You may have already seen some of the less effective attempts – an email advising your domain is expiring (except it’s not from your host and your domain is nowhere near expiration) or others that describe a product or service you would never have purchased.

The new attacks though are much more advanced as they look completely legitimate and are often from contractors and suppliers you actually use. The logos are correct, spelling and grammar are spot on and they might even refer to actual work or products you regularly use. The senders name may also be the normal contact you deal with at that business as cyber criminals are able to ‘spoof’ real accounts and real people. While it is worrying that they know enough about your business to wear that disguise so well, a successful attack relies on you not knowing what to look for.

Here are two types of invoice attacks you may receive:

1) The Payment Redirect

This style of fake invoice either explicitly states that the payment should be made to a certain account (perhaps with a friendly note listing the new details) or includes a payment link direct to a new account. Your accounts payable person believes they are doing the right thing by resolving the invoice without bothering you and unwittingly sends money to a third party. The problem may not be discovered until an invoice from the real supplier comes in or the transaction is flagged in an audit. Due to the nature of international cyber crime, it’s unlikely you’ll be able to recover the funds even if you catch it quickly.

2) The Malware Link

Rather than an immediate cash grab, this style of attack asks your employee to click a link to download the invoice. The email may even look exactly like the ones normally generated by popular accounting tools like Quickbooks, Xero or MYOB. Once your employee has clicked the link, malware is downloaded to your systems that can trigger ransomware or data breaches. While an up-to-date anti-virus should block the attack at that stage, it’s not always guaranteed (especially with new and undiscovered malware). If it does get through, the malware quickly embeds itself deep into your systems and often remains silent until detected or activated.

How to Stay Safe

Awareness is key to ensuring these types of attacks have no impact on your business. As always, keep your anti-virus, firewalls and spam filters up to date to minimize the risk of the emails getting through in the first place.

Secondly, consider implementing a simple set of procedures regarding payments. These could include verifying account changes with a phone call (to the number you have on record, not the one in the email), double checking the invoices against purchase orders, appointing a single administrator to restrict access to accounts or even two-factor authorization for payments. Simple preemptive checks like hovering the mouse over any links before clicking and quickly making sure it looks correct can also help. If anything looks off, hold back on payment / clicking until it has been reviewed. Fake invoices attacks may be increasing, but that doesn’t mean your business will become a statistic, especially now that you know what’s going on and how you can stop them.

We can help increase your security, talk to us today. Call us at 08 8326 4364 or on su*****@dp*********.au

Protecting Your Ecommerce Platform from Hackers in 2018

Security

 

2017 saw an increase in cybercrimes in Australia. Back in May, News.com.au reported on the massive ransomware attack across the world, mentioning that at least three private businesses in Australia were hit. While Australia didn’t experience any major attacks, other countries suffered losses. In total, the incident affected around 200,000 people in 150 countries. Countless computer systems were examined in relation to the extortion plot where users would get kicked out unless they sent payment.

2018 brings a clean slate of opportunities for online businesses to strengthen their security systems. Ecommerce platforms are the most at risk, since they involve payments and valuable information. In determining how strong your website’s defense is against hacker threats, consider some of these factors:

Customer data

Identity thefts will not occur if there is nothing to steal. Therefore, you should refrain from saving any customer data that isn’t important to your business. Storing payment card details is against PCI (Payment Card Industry) standards anyway. These details are usually handled by the payment provider. What you can do is use an encrypted checkout tunnel so that your servers won’t save any payment data.

Firewall

For your ecommerce business to have decent security, it should at least be able to withstand common attacks. Business2Community suggests to begin with a firewall, because it weeds out the untrusted networks and controls the website traffic. Firewalls serve as a great first line of defence against the usual hacking threats.

DoS and DDoS Protection

Once in a while, your server may be attacked by malicious queries that intend to keep your website from functioning properly. These Denial of Service or Distributed Denial of Service attacks can keep you out of business for a long time, which is why security measures should be taken to prevent them. DoS and DDoS raids can come from different sources, like applications and traffic flooding.

The best defence is to invest in more bandwidth, since a large amount of space will render it difficult for attackers to flood your site. The downside is that this is also the most expensive solution. However, it’s in your best interests to spend on security. DP Computing previously explained the importance of not being cheap when it comes to security technology, as it serves your business in the long run.

HTTPS

Another DP Computing article advised to pay close attention to the URLs on Google, because hackers would sometimes use phishing scams to acquire sensitive information from customers. These involve links that if accessed, will install malware on your PC that can steal information.

When checking URLs, be wary if the website uses only HTTP. It is more appropriate for ecommerce platforms to use HTTPS, especially on pages where data is created. Unlike in HTTPS, information entered on HTTP is not encrypted. The data is only sent as plain text, making it an easy target for hackers to intercept. Although, remember that not all website pages need to be in HTTPS, or else your website speed will suffer.

Pay attention as well to how your website appears on Google search results, especially if your business is using paid search ads. Ayima noted that Google has improved its algorithm on paid search ads, stating that emphasis is placed on close variants. This means that advertisers will have an easier time of building lists to match user queries. Since paid ads are becoming more rampant now, hackers have taken the opportunity to promote their malicious sites in order to fool thousands of victims. If by any chance, your website’s ad appears shady or seems similar to a malicious ad, take it as a sign to rethink your campaign.

In today’s digital landscape where hackers are getting more creative with their attacks, the importance of cyber security cannot be stressed further. For ecommerce businesses, security investment should be one of the top priorities. Left unchecked, your website could close down at any time, resulting in huge losses in revenue.

 

Why You Need A Multi Layered Approach To Security

Multi layered security

Firewalls are a well-known security essential, and we are certainly big fans, but did you know a firewall alone is not enough to keep your business safe? It is like building a fence around your house to keep the burglars out: You feel safe, private and secure… but the reality is, anyone with a ladder, enough motivation or ninja skills poses a real threat. That is why despite every networked business having a firewall in place, security breaches are increasing at an alarming rate – further protections are still needed.

Without these additional protections, once the firewall is beaten or bypassed it’s like a fox in a hen house. The bad guys are free to view and download files, make changes, and even take over your systems completely. That’s why computer security works best when it’s multi-layered. When one protection fails, the next layer kicks in to keep your business safe. And then the next, and the next…but that doesn’t mean you need CIA level security that gets in your way.

A few strategic, well-planned measures can provide all the protection your business needs to keep operating without costly downtime. While it’s cool to imagine a system so secure you’ll be opening doors with retinal scanners the reality is infinitely more usable and affordable. In fact, we’ll help you choose the perfect measures that blend invisibly into your existing processes, boosting security without affecting productivity. Take a look at some of our offerings:

Proper firewall device
While not enough by itself, your firewall is still your first line of defence. However, there’s a huge difference between the generic firewall that comes standard with your broadband router and a dedicated hardware firewall appliance. Our technicians will work with you to identify which firewall is suitable for your business.

Corporate Grade Antivirus Software
A free antivirus program might be ok for home use but do you really want a free program with no backup or support protecting your confidential business data and financial information?

Access restrictions
We’ll help you give employees access to only the files they need to do their job. It’s not a matter of trust, but rather one of security. If they were the one to accidentally let the attackers through the firewall, perhaps by clicking an email link, you’re then able to limit the damage. Without this added layer of protection, it’s relatively easy to access any and all files.

Encrypt confidential files
More secure than simply password locking a file, this uses a secret ‘key’ to scramble the files and their contents, so that when anyone else tries to view them all they see is incomprehensible nonsense. Our technicians can setup an encryption system for you so that approved users can use them normally while all files remain secure.

Backups
As nothing is totally 100% secure no matter what features you implement a backup is a necessity. Having your data backup on multiple removable devices (stored both locally and offsite) as well as a cloud based backup is a must.

DP Computing offers security services to make sure all our clients are protected and all their security products are operating at 100% efficiency. Threat analysis, prevention, management and response are all included so your focus can remain on growing your business and we’ll take care of the bad guys.

Give us a call at 08 8326 4364 or via email at da***@dp*********.au about multi-layered protections for your business.

Don’t Become a Victim of Social Engineering

Social EngineeringYou can have the best in computer and network security but if you or one of your staff members inadvertently give out some information all the security can come to nought.

Social engineering is the art of manipulating other people to take certain actions or divulge private information. Some hackers use social engineers techniques and skip the hassle of writing code and go straight for the weakest link in your security defenses – you and your employees. A seemingly innocent phone call or email may be all it takes to gain access to your computer systems, despite having solid software and hardware protections in place.

Here are a few ways on how social engineers work:

Email: Pretending to be a co-worker, supplier or customer who needs a simple piece of information. It could be a money transfer, contact person or some sort of personal details that they pretend they already know, but simply don’t have in front of them. The hacker may also create a sense of urgency or indicate fear that they’ll get in trouble without this information. Your employee is naturally inclined to help and quickly responds with a reply.

Phone: Posing as IT support, government official or even a customer, the hacker can manipulate your employee into changing a password or giving out information. These attacks are hard to identify and the hacker can be very persuasive, even using background sound effects like a crying baby or call-center noise to trigger empathy or trust.

In person: A person in uniform or a repairman can easily get past most people without question. The social engineer can then quickly move into sensitive areas of your business. Once inside, they become invisible and are free to install network listening devices, read a Post-it note listing passwords or gain information and tamper with your business in other ways.

It’s impossible to predict when and where (or how) a social engineer will strike. The above attacks aren’t particularly sophisticated but can be extremely effective. Your staff have been trained to be helpful, but this can also be a weakness.

So what can you do to protect your business? First, recognize that not all of your employees have the same level of interaction with people, the front desk person taking calls and welcoming visitors is at higher risk than the back office or factory worker. We recommend cyber-security training for each level of risk identified and focus on responding to the types of scenarios like those listed above. Social engineering is too dangerous to take lightly.

Talk to us about your cyber security options today. Call us at 08 8326 4364 or at su*****@dp*********.au