Bob heaved a sigh of relief after he saw the mail. The payment had been processed and he immediately received the payment confirmation from the vendor. It was the end of the month and he wanted no non-compliance on the part of his company toward payments of dues. In fact, Bob had looped in the finance department in the emails to ensure payment was processed immediately by the department post validation of the invoice.
The next day, he receives a call from one of his vendors, IAMVendor, to settle down the dues for this month. Bob tells them that the payment had already been made and in fact, IAMVendor had also sent them the payment confirmation message. In order to avoid any confusion, Bob decides to send them the payment confirmation as well as the invoice sent by them. The next day, Bob receives emails from other vendors too, asking for details as to when the payments will be processed. Bob calls up his finance department and asks them to check with their bank as to why has the payment not been processed. Bob asks the finance department to coordinate with all the vendors to identify what went wrong.
Can you guess what would have gone wrong? If yes, how do you think this would have been pulled off?
Bob’s company and his vendors suffered a loss of around 100,000$ in this fraud that took place. The invoices seemed original and in fact, had been sent by the vendor's email servers, but the bank details were changed. How could have this scam been pulled off? Well, read on to find out.
Well, hackers sent a phishing email to the vendors of Bob’s company. Once all of these vendors as well as Bob had clicked on such malicious links, it was easy for them to enter their mailing servers. When you do your homework, you get rewarded and that’s exactly how these hackers pulled this off. They studied the mail communication between the parties over months and helped understand who in the organization wrote in what manner.
Over time, they waited for the right opportunity to strike. One of the vendors had dropped an email that there would be a change in the banking details. The hacker group replicated this email and sent it as an FYI message on behalf of all the vendors to Bob’s company. Since they knew how to write such a message with respect to each vendor, this change went undetected. When the invoices were sent for the current month, they had just one minor change. The bank accounts were different. The payment was made and the payment was withdrawn, but, by a different party this time. This is known as the Vendor Email Compromise (VEC) scam which has affected some companies globally.
Hackers today are patient in their approach. They don’t attack immediately just for a few dollars. They wait patiently for the right moment to cash out. Phishing is one of the most effective attacks today. What makes it even more effective is the element of error which is always high as humans come into the picture. As more and more people hop on to the digital bandwagon, it becomes imperative for us to make them aware of cyber hygiene practices.
This awareness story is based on a real scam that has happened. You can read about it here.
Comments ()