$120 million, that was the price tag for Google and Facebook. Over the last few years, a hacker named Evaldas Rimasauskas scammed the two corporate giants out of a significant amount of cash with an attack known as business email compromise, aka invoice fraud. Rimasauskas has since been caught and was recently sentenced for his crimes. However, the attack remains very common. So much so, in fact, that the FBI’s Internet Crime Complaint Center warned companies last year that these types of attacks are becoming more and more prevalent. Organizations of all sizes, from SMBs to multinationals, are being targeted and falling victim to the scheme. This blog discusses how the scam works, the effects it can bring, and how to use blockchain to protect corporate and customer interests.
How the Scam Works
The scam is a phased attack where the attacker’s basic steps are:
- Phishing: Gain access to a corporation’s digital environment with a phishing email campaign.
- Recon: Conduct reconnaissance to get a feel for the real operations of the business.
- Plant Fake Documents: Create a fake invoice (and optionally any other fake collateral to support it) that mimics a real partner/contractor account. Then insert it into the organization’s normal business flow.
- Collect Your Money: Have the invoice amount sent to a personally controlled bank account.
- Rinse and Repeat: If the scam went undetected, the attacker may well send another invoice to the same victim. (It’s not uncommon.)
The Inevitability of the Click
Years ago, in a Data Breach Investigations Report, Verizon discussed what they termed ‘The Inevitability of the Click’. The term is still just as relevant today. Essentially, the concept refers to the low effort it takes to run a successful phishing campaign. Given enough emails, someone is going to click on a link or attachment and unknowingly let an attacker blow right past their (state of the art) security perimeter. (Social engineering is a lot harder to combat.) From the statistics Verizon collected, to reach a 50% probability of someone clicking, an attacker only needed to send a surprisingly low number of emails: 3. For a nearly guaranteed click, an attacker only needed to send 10 emails. Thus attackers are bound to have someone open the door for them and let them waltz right into your secure environment.
Recon for Increasing Scam Success
Once inside, the hacker starts to observe the regular practices of the business. He does this in order to get a feel for how to best stay under the radar of the company while executing his invoice scam. Once the attacker has a pretty good idea of what kind of details (name, address, services provided, the normal charge for those services, etc.) to include, he will create an official-looking invoice to be planted into regular business operations. The invoice is then sent to the appropriate person within the business organization, generally from a spoofed or hacked email account of a real service provider or employee.
Often, because the invoice is so convincing, funds are transferred to the attacker’s offshore bank account before the business becomes wise to the scheme. Even worse, fraudsters have also been known to go as far as creating fake letters, contracts, and more to substantiate their sham invoice. Sometimes attackers are so well disguised, as in the case of Facebook and Google, that they simply keep the scam running and continue bilking the company for significant sums of money.
Effects of the Scam
As mentioned, invoice scams can have large price tags for victims. Unfortunately for them, their banks don’t help to make them whole in such cases. The negative financial impact can cause businesses to suffer hardship or even lead them to declare bankruptcy. Such was the case with the denim company Diesel Jeans. In short, unless better protective measures are taken, businesses and their stakeholders will remain at risk.
Removing the Hacker Incentive for Invoice Scams
Email accounts may or may not continue to be so incredibly vulnerable. It remains to be seen. That said, the prize for an attacker is not in the compromised email itself, but in the ability to insert fake documents into a target’s business operations for the hopeful payday it brings. If, however, fake invoices are made impossible by making counterfeit documents instantly identifiable, the scam can no longer work. When that happens, corporations will be able to save themselves from becoming a victim of invoice scams and from the huge losses that ensue.
Using Blockchain to Protect Against Invoice Scams
CodeNotary is able to remove the ability for counterfeit invoices to flow undetected inside of and between organizations. It brings trust, integrity, and reliability to invoices by notarizing them and uploading their digital fingerprint to the blockchain. This way corporations and stakeholders can always verify an invoice (or any other digital asset) they receive is authentic. The virtual, non-expiring warranty is backed by the immutable nature of blockchain.
How CodeNotary Works
CodeNotary verifies integrity by matching a digital asset’s (e.g., an invoice’s) ‘fingerprint’ to the ‘fingerprint’ that is stored on the blockchain. If the two fingerprints match, the asset is verified as authentic. Furthermore, no matter where an invoice goes, its authenticity is verifiable, as the fingerprint is stored forever on the blockchain.
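To make the fingerprint-matching step concrete, here is an added Python illustration (not CodeNotary’s code or API): a SHA-256 fingerprint is recorded in an append-only ledger that stands in for the blockchain, and an incoming invoice is cleared for payment only if its fingerprint is found there. The invoice values, signer address and ledger class are all constructed for the example.

```python
# Added illustration, not CodeNotary's code: fingerprint-based invoice checking with
# an in-memory append-only ledger in place of the blockchain. All values are constructed.
import hashlib
import json

def canonical(invoice):
    """Deterministic bytes for a structured invoice, so equal content always
    hashes the same. A real deployment hashes the received file (e.g. PDF) as-is."""
    return json.dumps(invoice, sort_keys=True, separators=(",", ":")).encode()

def fingerprint(document):
    """SHA-256 digest of the exact bytes; any edit yields a different digest."""
    return hashlib.sha256(document).hexdigest()

class Ledger:
    """Append-only store: a fingerprint, once written, is never replaced."""
    def __init__(self):
        self._records = {}

    def notarize(self, document, signer):
        fp = fingerprint(document)
        if fp in self._records:
            raise ValueError("already notarized; ledger records are immutable")
        self._records[fp] = signer
        return fp

    def lookup(self, fp):
        return self._records.get(fp)

# Constructed sample: the invoice the legitimate supplier issued and notarized.
GENUINE_INVOICE = {
    "invoice_no": "INV-0042",
    "supplier": "Example Hardware Ltd",
    "amount": "48500.00",
    "currency": "USD",
    "payee_account": "GB00EXAMPLE00000001",
}
# Constructed copy differing only in the payee account, the one field invoice
# fraud depends on; visually indistinguishable, but its fingerprint differs.
TAMPERED_INVOICE = dict(GENUINE_INVOICE, payee_account="GB00EXAMPLE00000002")

LEDGER = Ledger()
LEDGER.notarize(canonical(GENUINE_INVOICE), signer="ap@example-hardware.test")

def check_incoming(invoice):
    """Accounts-payable gate: release payment only for a notarized fingerprint."""
    signer = LEDGER.lookup(fingerprint(canonical(invoice)))
    if signer is None:
        return "UNTRUSTED: no notarized fingerprint"
    return "TRUSTED: notarized by " + signer
```

Note that the altered copy is not flagged as "modified" but simply as unknown: the ledger can only vouch for bytes that were notarized, so anything absent from it is treated as untrusted by default.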
To have a fingerprint verified is as simple as drag and drop. Currently, all a user has to do is drag the file they want to verify onto https://verify.codenotary.io. If the file has been signed by a CodeNotary user or organization, the individual doing the verification check will instantly see a green thumbs up.
Verification is free for anyone, anywhere to use at any time.
For other ways to verify, check out our multiple ways to verify video.
Test out CodeNotary’s simple signing and verification for invoices and see for yourself.