Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
Understanding common cyber-attacks is crucial for staying one step ahead of the scammers who want to defraud your company. And one of their most popular tactics is social engineering.
Let’s take a look at different types of social engineering and some real-world examples of socially engineered attacks.
Between 2013 and 2015, in a scheme that came to light in 2017, a group of cyber-attackers targeted Google and Facebook employees using a business email compromise (BEC) scheme. The attackers incorporated a company bearing the same name as Quanta Computer, an established Taiwanese hardware manufacturer that supplied both Google and Facebook, and used it to send legitimate-looking emails posing as the real supplier.
They emailed fake invoices to the employees who routinely handled large transactions with the real Quanta. Those employees ended up approving more than US$100 million in payments to bank accounts controlled by the fake company.
So how did capable employees at some of the world’s biggest tech companies get bamboozled? For starters, the ostensible ringleader, Evaldas Rimasauskas, had in-depth knowledge of corporate invoicing systems. To avoid scrutiny and build trust, he even forged executives’ signatures and created fake embossed corporate seals.
Hackers accessed more than 100 high-profile Twitter accounts in 2020, including the accounts of Bill Gates, Warren Buffett, Barack Obama, Elon Musk and major brands like Apple. It was the product of an earlier social engineering attack, one that Twitter described as a “significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”
In this example of social engineering, the hackers used phone spear phishing (often called vishing), a technique that relies on highly targeted manipulation of a small number of carefully chosen recipients. Through these phone calls, the hackers obtained employee credentials and gathered information about Twitter’s internal processes.
From there, they targeted even more employees – and, unlike some of the earlier targets, these employees had access to critical support tools that would allow the malicious actors to eventually gain control of high-profile accounts.
In 2019, when an employee of a UK-based energy firm received a call instructing him to make an urgent payment of about €220,000 (roughly US$243,000) to a supplier, he did it right away.
Why? Because the voice on the other end sounded exactly like his boss, the chief executive of the firm’s German parent company. Authorities believe that fraudsters used AI to closely imitate the executive’s accent and voice by phone. It’s the type of deepfake technology that’s making it easier to fake audio and even video of trusted contacts.
This is the sort of social engineering example that should make CFOs think twice – technology is making it easier and easier to impersonate writing styles, voices and even faces. And, in many organisations, financial controls aren’t evolving at the same rate.
We all know the feelings of frustration when a computer doesn’t work the way we need it to. It slows us down and stops us from finishing urgent tasks. By the time someone turns up and offers to fix that computer glitch, we’re ready to name our firstborn after them.
But what if the person offering to fix the glitch was the person who deliberately caused it in the first place?
Consider the following scenario.
A cyber-criminal named “Jim” buys a cheap pre-paid mobile phone, which he uses to call an accounts payable (AP) officer named “Sandra” at a company he’s hoping to defraud.
Jim phones Sandra and pretends to be calling from the company’s IT help desk. He claims that other employees in the company have been reporting connectivity problems and asks whether she has also been experiencing those problems.
She tells him that she hasn’t. Jim says he’s trying to identify which network port seems to be causing the issues. He asks her to check the network cable connected to her computer and to let him know the port number, so he can rule out that port as the faulty one.
Sandra provides Jim with the port number. He then advises her to call him on his mobile number if she experiences any connectivity problems in the future.
Three days later, Jim phones the company’s Network Operations Centre (NOC). This time he claims to be “Bill” who works alongside Sandra in the AP team. He tells the NOC representative that they’re trying to troubleshoot a connectivity problem and they need to disable the same port that’s connected to Sandra’s computer.
The NOC representative complies and advises Bill to let him know when the port needs to be enabled again.
With the port disabled, Sandra can’t connect to the company’s network. This makes it impossible for her to gain access to the email accounts and files she needs for work, naturally making her feel anxious.
She immediately phones Jim to ask for help.
Jim tells Sandra that he’s very busy dealing with a lot of connectivity problems across the company, but he sympathises with her frustrating situation. He assures her that he’ll try to resolve her problem as fast as possible.
“Bill” places a call to the NOC to have the port to Sandra’s computer re-enabled. This restores Sandra’s connectivity, so she can get on with her work.
Jim then calls Sandra back to check that her computer is working properly now. She confirms it is and thanks him for his help.
Jim advises Sandra that if she downloads a particular piece of software, it will fix the problem and she will not experience any further connectivity issues. Given that he has just helped her, Sandra has a high degree of trust in Jim and proceeds to download and install the recommended software.
Little does Sandra realise that she’s just installed malicious software (malware), specifically a Remote Access Trojan (RAT). Its hidden backdoor gives Jim persistent, unfettered access to Sandra’s computer, with every permission her account has.
Sandra and the NOC representative have fallen victim to a social engineering attack. The path is now clear for Jim to access the vendor master file, manipulate supplier records and ensure that invoice payments are directed to a bank account he controls.
All of these social engineering examples and hypotheticals share an important commonality: they might involve technology, but malicious actors only succeed once they’re able to exploit human error.
While greater awareness and training are vital, your solution shouldn’t depend on employees being infallible at all times. Under the wrong circumstances, even the most cautious of employees can be persuaded to give up valuable information like login credentials or phone numbers.
Instead, you should also be looking at your processes, procedures and tech stack. Where can you introduce automated controls or processes, helping to reduce the risk of human error and building more secure, compliant and efficient approaches into every workflow?
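One concrete form such an automated control can take, as an added example that is not part of the original article or of any vendor’s product: a pre-payment check that holds an invoice when the supplier’s bank details in the vendor master no longer match the last out-of-band verified record (the tampered-vendor-master scenario with Jim and Sandra), when the invoice asks for a different account than the one on file, or when the invoice was sent from a domain that is not the supplier’s own (the fake-Quanta pattern, where the sender domain is a near miss of the real one). All suppliers, domains, account numbers and invoices below are constructed for illustration; `Acme Hardware`, `acme-hardware.example` and the `AU-`/`LV-` account strings are not real identifiers.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Supplier:
    supplier_id: str
    name: str
    domain: str          # email domain the supplier is known to send from
    bank_account: str    # account held in the vendor master file


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    supplier_id: str
    sender_email: str
    bank_account: str    # account printed on the invoice
    amount: float


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a known domain one or two edits away is a likely lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(email: str) -> str:
    """Domain part of an address, lower-cased with any trailing dot removed."""
    return email.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def check_invoice(inv: Invoice, vendor_master: dict, verified_accounts: dict) -> list:
    """Reasons this invoice must be held for out-of-band verification; empty means release."""
    sup = vendor_master.get(inv.supplier_id)
    if sup is None:
        return ["supplier not in vendor master"]
    reasons = []
    # Control 1: the vendor master itself may have been edited (the RAT scenario).
    # Pay only to an account confirmed by a call-back on a number held before the change.
    if sup.bank_account != verified_accounts.get(inv.supplier_id):
        reasons.append("vendor master bank account differs from verified record")
    # Control 2: the invoice must not redirect payment away from the account on file.
    if inv.bank_account != sup.bank_account:
        reasons.append("invoice bank account differs from vendor master")
    # Control 3: the invoice must come from the supplier's own domain (the fake-vendor scenario).
    dom = sender_domain(inv.sender_email)
    known = sup.domain.lower()
    if dom != known:
        kind = "lookalike of" if levenshtein(dom, known) <= 2 else "unrelated to"
        reasons.append(f"sender domain {dom} is {kind} {known}")
    return reasons


def run_payment_batch(invoices, vendor_master, verified_accounts) -> dict:
    """Map invoice number -> ('RELEASE' | 'HOLD', reasons) for one payment run."""
    out = {}
    for inv in invoices:
        reasons = check_invoice(inv, vendor_master, verified_accounts)
        out[inv.invoice_no] = ("HOLD" if reasons else "RELEASE", reasons)
    return out


# Constructed sample data (not real suppliers, domains or accounts).
VENDOR_MASTER = {
    "S-100": Supplier("S-100", "Acme Hardware", "acme-hardware.example", "AU-123456-78901234"),
}
# Accounts confirmed out of band; updated only after a call-back, never from an email.
VERIFIED_ACCOUNTS = {"S-100": "AU-123456-78901234"}

INVOICES = [
    Invoice("INV-1", "S-100", "ar@acme-hardware.example", "AU-123456-78901234", 48200.00),
    # Lookalike domain ('m' rendered as 'rn') plus a new account: the fake-vendor BEC pattern.
    Invoice("INV-2", "S-100", "ar@acrne-hardware.example", "LV-999999-00000001", 51300.00),
]

# The RAT scenario: the attacker edits the vendor master so his invoice now "matches" it.
TAMPERED_MASTER = {
    "S-100": replace(VENDOR_MASTER["S-100"], bank_account="LV-999999-00000001"),
}
TAMPERED_INVOICES = [
    Invoice("INV-3", "S-100", "ar@acme-hardware.example", "LV-999999-00000001", 47900.00),
]

if __name__ == "__main__":
    for batch, master in ((INVOICES, VENDOR_MASTER), (TAMPERED_INVOICES, TAMPERED_MASTER)):
        for no, (status, why) in run_payment_batch(batch, master, VERIFIED_ACCOUNTS).items():
            print(no, status, "; ".join(why))
```

The point of keeping `VERIFIED_ACCOUNTS` separate from the vendor master is that Control 1 still fires after Jim has rewritten the supplier record: the only way to clear the hold is a call-back to a number that was on file before the change, not a reply to whoever requested it.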
After all, cyber-criminals aren’t sticking to old-fashioned methods when they try to defraud your company. So why would your company stick to old-fashioned methods to stop them?
Eftsure provides continuous control monitoring to protect your EFT payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.