Essentially, the fraudster's objective is to reroute a payment that is legitimately due to a bank account under the fraudster's control. Such fraud may originate externally, from a deceitful individual or business, or it may be committed by an employee within the victim organization.
The preferred method of external fraudsters is fake emails and social engineering to impersonate a supplier. Compromising email accounts to intercept and modify invoices, and stealing user credentials to impersonate employees, are increasingly popular. We have also seen specialized malware targeting Enterprise Resource Planning (ERP) systems, although this requires a more capable attacker. Meanwhile, malicious insiders may abuse their access to commit fraud, and use their familiarity with the environment to bypass controls and cover their tracks.
A recent cybercrime investigation by a KPMG member firm found a fake business email asking the company to remit payment to a different supplier bank account. On receiving the email, the company did not regard the request as unusual, despite three warning signs: the new bank account was in a foreign country, the request was written in a style uncharacteristic of the supplier, and it came from an incorrect sender email domain. The company also did not call the supplier to verify the change in details. Perhaps most interesting was the method used to perpetrate the fraud. The fraudster first compromised the email account of the customer's procurement associate, intercepted a legitimate incoming invoice, altered it and resent the falsified invoice with a request to change the bank account details. The result: hundreds of thousands paid to the fraudster.
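The warning signs in this case (foreign bank account, wrong sender domain, no call-back) can be screened for mechanically before a bank-detail change reaches the payment system. The following is an added illustration, not code from the KPMG investigation or from any product: it assumes a hypothetical supplier master record holding the supplier's known email domain and bank country, and a constructed sample email. Note that the screening only raises flags; the control that would have stopped this fraud is the call-back to a phone number already on file, so every bank-detail change is held for that regardless of whether any flag fires.

```python
# Added example (not part of the original article): screen a supplier
# bank-detail change request against the supplier master record and the red
# flags described in the case above. All records and emails are constructed.
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Supplier:
    name: str
    email_domain: str   # domain the supplier is known to send from (hypothetical master data)
    bank_country: str   # ISO 3166 country of the bank account on file
    phone_on_file: str  # call-back number from the master record, never from the email


@dataclass
class ChangeRequest:
    supplier_name: str
    sender: str         # From: address of the email
    reply_to: str       # Reply-To: address, empty if absent
    new_iban: str
    body: str


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def iban_country(iban: str) -> str:
    """The first two characters of an IBAN are the ISO country code of the bank."""
    return iban.replace(" ", "")[:2].upper()


def screen_request(req: ChangeRequest, supplier: Supplier) -> List[str]:
    """Return the list of red flags found; an empty list means none were found."""
    flags = []
    sender_domain = email_domain(req.sender)
    # Red flag 1: the email did not come from the supplier's known domain
    # (exact match only; lookalike domains still fail this check, which is intended).
    if sender_domain != supplier.email_domain.lower():
        flags.append(f"sender domain {sender_domain!r} is not the supplier's {supplier.email_domain!r}")
    # A Reply-To pointing elsewhere is a common way to hijack the conversation.
    if req.reply_to and email_domain(req.reply_to) != sender_domain:
        flags.append(f"Reply-To domain {email_domain(req.reply_to)!r} differs from sender domain")
    # Red flag 2: the new account is in a different country from the one on file.
    new_country = iban_country(req.new_iban)
    if new_country != supplier.bank_country.upper():
        flags.append(f"bank country changes from {supplier.bank_country} to {new_country}")
    # Pressure language is a weak but cheap signal of social engineering.
    if re.search(r"\b(urgent(ly)?|immediately|today|asap)\b", req.body, re.IGNORECASE):
        flags.append("request uses urgency language")
    return flags


def decide(req: ChangeRequest, supplier: Supplier) -> Tuple[str, List[str]]:
    """Every bank-detail change is held for an out-of-band call-back to the number
    on file, whether or not any flag fired; flags only change how the call is escalated."""
    flags = screen_request(req, supplier)
    return ("hold_for_callback", flags)


# Constructed sample data: the supplier on file and two inbound requests.
SAMPLE_SUPPLIER = Supplier("Acme Supplies", "acme-supplies.example", "DE", "+49 000 0000000")

SUSPICIOUS_REQUEST = ChangeRequest(
    supplier_name="Acme Supplies",
    sender="accounts@acme-supplies-billing.example",   # wrong domain
    reply_to="",
    new_iban="GB29 NWBK 6016 1331 9268 19",            # foreign (GB) account
    body="Our bank has changed, please update your records immediately and pay invoice 4471 to the new account.",
)

CLEAN_REQUEST = ChangeRequest(
    supplier_name="Acme Supplies",
    sender="accounts@acme-supplies.example",
    reply_to="",
    new_iban="DE89 3704 0044 0532 0130 00",
    body="Attached is invoice 4471 for March. Please note our updated bank details.",
)

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS_REQUEST), ("clean", CLEAN_REQUEST)):
        action, flags = decide(req, SAMPLE_SUPPLIER)
        print(f"{label}: {action}, call {SAMPLE_SUPPLIER.phone_on_file}; flags: {flags or 'none'}")
```

The clean request produces no flags but is still held, which is the point: a well-crafted request from a compromised genuine mailbox, as in the case above, shows none of the mechanical warning signs, and only a call to the number already on file (never one quoted in the email) confirms the change.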
In another high-profile case, an international corporation was defrauded using a voice mail generated with deepfake AI, which impersonated the purported sender of an earlier spoofed email and served as a follow-up reminder to it. The result: a multi-million loss sustained through a single transaction.