End of financial year? Prime time for cyber scams

2/9/2021 12:00:00 AM

The most common are phishing related, where cyber criminals steal people’s passwords and credentials. Seemingly legitimate emails trick recipients into divulging details, which then give the hackers access to the network posing as authorised users. Top-level executives are a prime target for these scams for a number of reasons.

Firstly, CEOs and other executives usually have clearance for all sections of the network. This makes their credentials more valuable.

Secondly, busy executives often don’t notice that the email they’ve received is a scam because it looks legitimate. Because they’re so busy and the email seems to be from a trustworthy source, they often click on the links without thinking twice.

Thirdly, the end of financial year is a time when businesses often receive emailed invoices and other communications, so a CEO, CFO, or even CIO is potentially more likely to take these at face value. Sometimes, attackers create fake invoices that look so real, businesses simply pay them. It then becomes incredibly difficult to recover those funds. Make sure you constantly vet your internal processes and keep communicating to help improve your cyber security defences.

The key to a more successful cyber security stance is a combination of technology, people and processes. And, while many businesses have now invested in strong cyber security technologies, a breakdown in processes and human error are often to blame for successful cyber attacks.

To avoid falling victim, business leaders need to instil a strong culture of security in the organisation. To be successful, this needs to come from the top down. If an executive doesn’t take security seriously then neither will their staff.

To do this requires regular education for employees via training and informal reminders and tips. Businesses need to communicate frequently regarding current threats and standard safety procedures.

Successful training approaches go beyond focusing on compliance, which can be ineffective and not engaging for employees. Instead, companies should consider gamification to increase engagement and excitement around cyber security best practices.

You can go to our Cyber Risk Assessment to see if you are gambling with your cyber and data security and watch a short video.

It’s also important to create an open culture when it comes to reporting potential breaches. Creating a punitive atmosphere only discourages people from coming forward in time to fix the vulnerability. Instead, organisations should praise staff for coming forward, then move quickly to address the breach.

Technology can help augment the people-based approach. For example, threat intelligence tools can automatically identify phishing sites and prevent employees from visiting them. This can help prevent leakage of password-based credentials to unknown sites, even if they aren’t officially categorised as phishing sites. Businesses should also use policy-based multifactor authentication enforced at the network level.

Importantly, everyone in the organisation, but especially management, must be aware that the end of the financial year is a peak time for cyber security scams. They need to remain extra vigilant during this time and refrain from clicking on links in emails, regardless of how legitimate they may look.

While your company should be ahead of the curve with security technology, making sure your people are aware of scams and trained and your processes are solid, can make your financial year end on calmer waters.

Funds Transfer Fraud - A case study

Funds transfer fraud – whereby fraudsters dupe innocent businesses and individuals into transferring what they believe are legitimate payments to fraudulent bank accounts – is becoming an increasingly
common problem for most modern organisations.

However, it’s not always a business that can suffer a loss in this way, but it’s customers too. Customer payment fraud describes a situation in which a business is impersonated by a fraudster, who then
dupes some of the business’s customers into making payments to a fraudulent account.

One business affected by such a loss was a private, tuition-paying school responsible for educating 11-18 year olds. The school in question has boarding facilities in place and attracts students from many
different countries around the world.

Lack of multi-factor authentication lets fraudster in

The scam began when the school’s bursar, the individual responsible for managing the financial affairs of the school, fell for a credential phishing email. Credential phishing emails are used by malicious actors to try and trick individuals into voluntarily handing over their login details, typically by directing them to a link that takes them through to a fake login page.

In this case, the bursar received an email from what appeared to be Microsoft, stating that if he wanted to continue to use the email account without interruption, he would have to validate his account
details online. Not wanting to face any disruption to his work, the bursar clicked on the link provided, which took him through to an authentic-looking landing page where he inputted his email login
details and gave no further thought to the matter.

Despite appearances, however, the landing page was actually fake, and the bursar had unwittingly volunteered his email login details to a fraudster. What’s more, his email account didn’t have multifactor
authentication in place, so the fraudster was then able to access the account remotely and gather valuable information. In particular, the fraudster was able to locate a spreadsheet stored in one of the bursar’s email folders containing a list of email addresses for the parents of current students, which was typically used for distributing general messages and updates from the school.

MFA is an authentication process that is used to ensure that a person is who they say they are by requiring a minimum of two pieces of unique data that corroborates their identity. Most cases of business email compromise could be prevented by implementing it.

Scam initiated with offer of discount

Having spotted an opportunity, the fraudster moved on to the next stage of their scam. Their first step was to set up an email address that looked substantially similar to the bursar’s, but with the addition of an extra letter to the address line. So instead of saying @abcschool.com, it became @abcscchool.com. The next step was to carefully select which parents to target. Rather than adopting a scatter gun approach and emailing every parent on the list, the fraudster specifically selected parents based overseas. This was presumably done not only on the basis that such parents are more likely to be paying both tuition and boarding costs (thereby making them more lucrative targets), but also in the belief that overseas parents might be more likely to fall for the scam and less likely to raise the alarm to the school.

With the targets selected, the fraudster sent out an email relating to the payment of school fees. The email began by outlining what the annual fees for tuition and boarding amounted to, but then stated
that parents would be eligible for a discount of up to 25% if they paid for the spring and summer terms in one lump sum as opposed to paying separately at the start of each term. To add a sense of urgency to making a payment, the email then went on to say that there was a deadline for payment in place, after which the discount would expire. Social engineering attacks rely on manipulating and exploiting typical human behaviours, and in this case the fraudster was clearly aware that the scam would have a better chance of success if the parents were provided with a financial incentive to make the payment within a set time frame.

In addition, the email was well thought through and included a number of features to make it appear more authentic. For example, not only did the fraudster use proper spelling and grammar and include the bursar’s genuine email signature, he also went on to state that if the student was unable to complete the academic year for whatever reason, then the fees would be reimbursed on a pro-rata basis.

School’s security breach puts parents out of Pocket

Unfortunately, this offer proved to be too tempting for some and six parents fell for the scam, transferring the tuition and boarding fees over to the fraudulent account details provided on the email. With tuition and boarding fees at the school costing some £10,050 per term, the amount paid out by each parent at a 25% discount amounted to some £15,075.

It was only after a few days, when one of the parents that had received the email forwarded it to one of the school’s administrators to check the validity of the discount offer that the school became aware of the scam. The school immediately notified all parents about the scam and urged them to be aware of any suspicious emails that appeared to have come from the school.

Of the six parents affected, just two were able to get their money back

The parents that fell for the scam reported the incident to their respective banks to see if the transaction could be either frozen or reversed, with mixed results. Of the six parents affected, just two were able to get their money back, with the rest left out of pocket to the tune of £60,300 collectively.

As it was a compromise of one of the school’s email accounts that had allowed the fraudster to gain access to the parents’ email addresses, the school felt morally obliged to reimburse those parents
affected by the fraud. Fortunately, the school was then able to recoup most of this loss under the cyber crime section of its policy with CFC, which provides cover for customer payment fraud up to a
maximum of £50,000.

A lesson learned

This case study highlights the need for customer payment fraud cover in cyber policies. Many cyber policies with crime sections will only provide cover for losses that directly affect a policyholder. But in this instance, it wasn’t the school that suffered a direct loss but its customers. However, because it was a compromise of the school’s computer systems that allowed the attack to be carried out, the school felt duty bound to reimburse the parents affected. With more and more financial transactions being carried out electronically and with more and more cyber criminals looking to intercept them, the chances of a business’s customers falling for scams of this nature are only increasing and it’s usually the business that has been impersonated that will take the blame. That’s why it’s a good idea to check your cyber policy for customer payment fraud cover.

Cyber insurance from Towergate

Towergate are actively engaging with insurers and our clients to obtain cyber protection for businesses of all sizes, to protect against the very real and growing threats of the digital age. We can offer cyber insurance for businesses to help protect you should the worst happen.

Get a cyber insurance quote online.

About the author

Mark Brannon Cert CII is a respected industry leader with over 17 years’ industry experience in a variety of roles within the business insurance sector. He works across a wide spectrum of insurance product and policy development, delivery and optimisation for clients, including claims, insurer relationships, marketing and communications, and risk management.