We have recently become aware of a new scheme targeting businesses through some of the partners they trust and are closest to – their vendors and third-party providers. We are seeing evidence of these schemes popping up in the Deep Web – the black markets where criminals often sell the credentials or information they have to offer to other criminals eager to act on that information. In this emerging man in the middle scheme, fraudsters convince businesses that their vendors’ bank account information has changed, thereby funneling legitimate payments into illegitimate accounts.
The first phase of this fraud scheme (planning) is likely conducted via breaches into small businesses, contractors, and/or ERP systems. By accessing these systems, thieves can directly understand who a company is doing business with, and the relationship of that business. At this phase, no money has been taken out, but the criminals now have the information they need to conduct a highly targeted phishing/man in the middle attack, with the payer as a willing participant.
The fraudster then sends a fraudulent email, pretending to be the business partner. So, for example, imagine all your clients getting an email from your accounts receivable department (to their accounts payable team), saying “We have changed bank accounts. Going forward, please route all wire payments to account 1234567 at Bank of America.” Your customers do business with you regularly. They interact with your A/R team all the time. And they want to maintain a good relationship with you, so of course they honor the request.
Now, all of a sudden, payments are being regularly made by your customers – to a false account. The money of course is removed from the fraudulent account immediately, so there is little chance of recovery by either you or your client. And because it’s a business account, it has few of the same protections as a consumer account. So who’s left holding the bag? Your customer has paid their invoices, and considers their debt fulfilled. The bank holds no accountability for a transfer voluntarily made. And yet you have not been paid for goods or services delivered, leaving a rift between customer and vendor.
This same scenario could be applied to a company paying salaries to their employees, or a reseller or distributor, selling goods on behalf of a manufacturer.
All businesses, regardless of the vertical are susceptible to these types of attacks. We recommend that accounts payable departments always use an additional communication method to verify any changes to accounts they are paying into (if they emailed you, call them, and vice versa), and be highly vigilant of suspicious emails that appear slightly off, even if from a normally trusted party. As we have made it increasingly difficult for criminals to enter our organizations through the front door, they will continue to search for open basement windows and other crevices to penetrate our organizations.