Case Study: Commercial Proposal and invoicing scam

Recently, a friend told me of a very puzzling scam that caused a significant financial loss to a contractor he knew in the construction industry. The result was that a payment was made to an attacker in what seemed like a legitimate, and expected transaction. It wasn’t until the real supplier asked where the payment was that the contractor learned of a problem.

Getting an update to a pricing quotation, with new payment instructions

The scam seems to have happened as a result of a pricing negotiation that occurred via email between a general contractor and a roofing supplier. The contractor had sent specifications for a roofing job to the supplier, and received a quote by email, with instructions for payment to an account. This was all legitimate.

The next day, the contractor received another email, apparently from the roofing supplier, indicating that they were undergoing an audit, and the account he had been told to send the payment to had been frozen temporarily. So, new payment instructions were provided to the contractor, with new account information. The payment was made, and the contractor thought he had completed the transaction with the roofing supplier.

This second email with the updated pricing quotation and payment information was actually an attacker who somehow knew of the pending payment, and was able to intervene with new instructions that seemed plausible.

Phishing or not, social engineering by email is a big problem

While security experts may actually call this a “social engineering”, “pretexting” or “business email compromise” attack — carried out over email — the result is still serious damage to the victim’s business.

There are many variations on email pretexting attacks aimed at convincing a recipient that the email is from somebody they trust. Whether it is an emotional plea or an expected request for money, any business correspondence can leave an opportunity for deception by an attacker, and a financial loss for the victim. 

Security Tip: Any unexpected changes, especially involving exchange of money (even as part of an established chain of business correspondence) should be reviewed carefully, and confirmed with the other party.

Any business can benefit from having an ongoing “motivated learning” program for security awareness 

There are almost an unlimited number of ways that attackers can try to scam people who don’t think they are a target. The only way to avoid some of these deceptive practices is to have ongoing staff training.

Unfortunately, many awareness training programs are disliked by employees. And if they don’t believe the program is worthwhile, they won’t engage, especially in an ongoing manner. So, they won’t change their behavior enough to avoid being tricked by the next attack. This leaves the business vulnerable to significant losses, which could actually be avoided.

Click Armor uses “motivated learning” (or what some might call gamified learning – but really, it’s much more serious than “gaming”) to engage employees, and provide simulated risk scenarios that can help employees learn how to defend against all types of phishing or social engineering attacks. We use proven psychological motivators to engage employees to learn, practice and remember risk scenarios and how to handle them.

For more information about how the Click Armor motivated learning program works, please contact us.