Fake PayPal Invoice Scam Targets Minnesota Businesses
Cybercriminals have launched a new scam in which they claim to be from PayPal, and send fraudulent invoices to their targets.
- October is National Cybersecurity Awareness Month
- This new PayPal scam is hard to spot because the fake invoices appear legitimate
- Do you understand how to identify and deter this scam?
Fraudulent PayPal invoices are being sent to unsuspecting users at businesses across the country as a part of this new cyber scam.
Get all the details in our latest tech tip video:
How Does This Scam Work?
The cybercriminal sends the target an invoice that appears to be from PayPal. The way it is formatted and written makes it appear legitimate, detailing an owed dollar amount. The sender requires immediate payment, and unfortunately, a lot of targets send the money without giving it a second thought.
This is a type of Business Email Compromise…
What Is Business Email Compromise?
Business Email Compromise is a social engineering technique used by cybercriminals in which they pose as a business or member of a business in order to execute fraudulent payments.
In order to effectively defend against scams like this, you have to first understand how they are executed.
Are you sure your business is properly defended by this tactic?
On-Site Computers will help you mitigate the threat of Business Email Compromise. Get in touch with our team to discover how.
How Does Business Email Compromise Work?
In layman’s terms, a cybercriminal will write an email pretending to be from a known contact or organization (e.g. PayPal), and request that a payment be processed—instead of sending the funds to a legitimate source, the payment will go to them.
Business Email Compromise can be carried out in a number of ways:
Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources; often with legitimate-looking logos attached.
This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users.
LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel, as do their company websites. This can include their contact information, connections, friends, ongoing business deals and more.
In some cases, cybercriminals may only spoof an email address, and in others, they’ll directly breach the target’s account.
Once a cybercriminal has gained access to a target’s email address, they can begin sending payment requests or simply redirect all invoices to a private folder for their perusal. Whether they’re redirecting incoming or outgoing funds, the end result is still the same—your business loses money.
Alternatively, cybercriminals can simply intercept an important financial document such as an invoice. They can either change the payment details or inform the recipient that the details have changed, substituting their own bank account for the business.
Is Business Email Compromise A Serious Threat?
Let’s look at the facts—the average wire fraud attack costs $567,000, and the highest recorded was $6 million. The FBI estimates that BEC attacks cost a total of $1.87 billion just last year.
If you’re skeptical of how this type of scam could cause so much damage, consider the average amount you’re sending or receiving via wire transfer or invoice payments. One small business lost $15,482 in an instant when a cybercriminal intercepted a PDF invoice and redirected the funds to their account.
If just one fraudulent or misplaced email could cost you tens of thousands of dollars, it quickly adds up. That’s why you need to understand how Business Email Compromise works and how to defend against it.
Who Are Common Targets For Business Email Compromise?
While the CEO is often a target, cybercriminals can do plenty of damage by going after other members of an organization. There are a number of key, high-value targets that make it worth the cybercriminal’s time to go after.
Whether it’s their authority or their access to confidential information, these groups are all at risk for Business Email Compromise:
Financial Staff Members
While the finance department is especially vulnerable in organizations that regularly engage in large wire transfers, smaller businesses’ payroll data is also of high value to cybercriminals.
Similar to finance, HR is a key target for the data they store on employees, including birthdates, medical data and more, all of which are of high value to cybercriminals.
You don’t have to be the CEO to be a high-level target. CFOs have access to financial data, CTOs have access to login info, and everyone at this level has the authority to execute wire transfers and make large purchases.
The IT manager and IT personnel with authority over access controls, password management, and email accounts are also high-value targets.
How Can You Stop Business Email Compromise?
Know Your Targets
By noting the above-listed key targets, you can examine the role they play in cybersecurity, and how their access and authority is being protected:
- Review social/public profiles for job duties/descriptions, hierarchical information, out-of-office detail, or any other sensitive corporate data.
- Identify any publicly available email addresses and lists of connections.
Defend Your Organization
Implementing the right range of cyber security solutions can help to protect common points of penetration for cybercriminals:
- Email filtering
- Multi-factor authentication
- Automated password and user ID policy enforcement
- Comprehensive access and password management
- Whitelist or blacklist external traffic
- Patch/update all IT and security systems
- Manage access and permission levels for all employees
- Review existing technical controls and take action to plug any gaps
Implement A Robust Security Policy
You need to dictate how members of the organization, top to bottom, contribute to your cyber security.
Everyone with access to your IT environment should follow these best practices:
- Don’t open attachments or click on links from an unknown source.
- Don’t use USB drives on office computers.
- Follow a Password Management Policy (no reusing passwords, no Post-it Notes on screens as password reminders, etc.).
- Participate in mandatory security training.
- Learn to recognize phishing emails.
Plan Ahead To Mitigate Cyber-Risk
You need to develop a comprehensive cyber-incident response plan for your organization.
Make sure to test it regularly, and update it to address any shortfalls. Make sure to implement your plan properly—it won’t work if your staff doesn’t know about it, and can’t participate in it:
- Executive leadership must be well informed about the current level of risk and its potential business impact.
- Management must know the volume of cyber incidents detected each week and of what type.
- Understand what information you need to protect. Identify the corporate “crown jewels,” how to protect them and who has access.
- A policy should be established as to thresholds and types of incidents that require reporting to management.
- Best practices and industry standards should be gathered up and used to review the existing cyber security program.
- Consider obtaining comprehensive cyber security insurance that covers various types of data breaches.
Test Against Phishing
Share these tips with your employees to ensure they know how to spot a phishing attempt:
- Genetic content: Cybercriminals will send a large batch of emails. Look for examples like “Dear valued customer.”
- “From” Email Address: The first part of the email address may be legitimate, but the last part might be off by a letter or may include a number in the usual domain.
- Urgency: “You’ve won! Click here to redeem a prize,” or “We have your browser history pay now or we are telling your boss.”
- Check Links: Mouse over the link and see if the link’s destination matches where the email implies you will be taken.
- Misspellings, Incorrect Grammar, & Odd Phrasing: This might be a deliberate attempt to try and bypass spam filters.
- Don’t Click Attachments: Virus-containing attachments might have an intriguing message encouraging you to open them such as “Here is the schedule I promised.”
On-Site Computers Will Train Your Team To Spot BEC Scams
Even the most effective digital security measures can be negated by simple human error.
So much of cybersecurity is dependent on the user, and as such it’s vital that you properly educate your employees in safe conduct. The more your workforce knows about the security measures you have in place, the more confidently they can use the technology in a secure manner.
We’ll help you show your staff how to use business technology in a way that doesn’t put your business at risk.
We offer a comprehensive employee Cyber Awareness Training program that combines regular online training, simulated phishing attacks, and dark web monitoring. The three components of this curriculum include:
- Phishing Training and Testing: Ensure your users know how to identify a dangerous email.
- Security Awareness Training: Give your users the knowledge they need to contribute to organization-wide cybersecurity.
- Policies and Procedures: Implement proven best practices for maintaining robust cybersecurity across your staff.
With our help, your staff will contribute to your cybersecurity, not compromise it.
Whether You’re An Easy Target Or Not Is Up To You
The bottom line is that everyone in your organization, top to bottom, is a potential target. Make sure everyone is following cyber security best practices and is protected.
If you need expert assistance defending against cybercriminals and training your staff to recognize social engineering scams, get in touch with On-Site Computers.
Mike Bowe | Published on November 10, 2022