Have you ever thrown tens of millions down the drain? Google and Facebook did. No, we aren’t talking about Google+ or Facebook Libra, we’re talking about wiring massive payments out into what is essentially thin air. These are big companies, with a lot of smart people working at them, so how could this happen?
Through an elaborate scheme of deception and intrigue.
First, let’s zoom out and think about these companies. They are massive enterprises, with significant streams of cash constantly pouring in and out. At Facebook, a $10 million invoice might just be a slow Tuesday morning in the accounting department. To everyone else, $10 million is a life-changing amount of money.
To a cunning attacker, these $5, $10, $20 million invoices present a huge opportunity: What if you could trick these companies into paying a fake invoice that goes straight into your account? You would only have to do it once, and then you’d be ready to retire in Indonesia (or the non-extradition country of your choice).
A Lithuanian man named Evaldas Rimasauskas is that kind of cunning attacker. He and his team ended up stealing over $100 million in total from Facebook and Google combined.
So how did they pull it off?
It started by figuring out that both Facebook and Google do business with a Taiwanese hardware manufacturer named Quanta Computer. The next step was to set up a business in Latvia with the same name, as well as a bunch of bank accounts in various Eastern European countries.
The attackers then used a combination of spoofed emails, fake invoices, fraudulent contracts, forged signatures and counterfeit corporate stamps to trick employees at the victim companies. They made them believe that the Latvian Quanta Computer was the real Quanta Computer, and that both Google and Facebook had outstanding invoices.
Once the elaborate scheme had tricked employees into approving the transfers, the money was wired to the Latvian bank account and then distributed to the other Eastern European accounts in an attempt to hide it.
Evaldas Rimasauskas and his team managed to pull this off multiple times before he was caught and extradited to the US.
A genius invoice fraud scheme
When you boil it down, Rimasauskas’ elaborate scheme was really just a type of invoice fraud. Invoice fraud is simple: it’s any tactic an attacker uses to trick someone into paying a fraudulent invoice. One approach involves intercepting a legitimate invoice and changing the payment details so that the money is sent to the attacker’s account rather than the legitimate recipient. Another common tactic is to create a completely fake invoice and then somehow convince the target company to pay it.
Not every company deals with invoices as large as Facebook and Google, nor is every invoice fraud scheme as elaborate as Rimasauskas’, but every company that pays invoices is at risk of these attacks.
How does invoice fraud work?
Think about how invoices get paid at your company. Invoices are probably emailed in from a supplier or a contractor, and then they get forwarded on to accounting. The precise details will vary from company to company, but many businesses overlook the security of the invoicing process, making it ripe for attackers.
Let’s say you work at BigCorp, and its security surrounding invoicing is poor. Invoices are paid out by William, and all you have to do is forward him an invoice and say, “Hey Will, we need to pay our magic bean supplier, otherwise we won’t have enough magic beans to last winter. Here’s the invoice, thanks.” William then pays the invoice.
Now, let’s say that you are a malicious insider, and you decide you want to abuse this lax system. You could just send him a fraudulent invoice yourself, but you don’t want to get caught.
Instead, you decide to impersonate a project manager, Tracy. You buy a lookalike domain, swapping the “i” in “bigcorp” for an “l”, and set up an email address in Tracy’s name on it. As long as your email doesn’t end up in William’s spam folder, he probably won’t notice the substituted letter. With your new email address, you send William the following email:
Hey Will, it’s Trace. I’ve attached this invoice for $100,000 for that new managed services contractor. Thanks.
You’ve attached a fraudulent invoice, and the account details are for a foreign account you set up under a fake name. William receives the invoice, pays it out, and before you know it, the money is already in your foreign bank account. You’re now $100,000 richer, all with very little work.
This rough example outlines the basics of how many invoice fraud attacks work. Of course, they can be much more sophisticated, especially when it comes to pulling off bigger hauls.
Often, external attackers will slowly probe a target organization in an attempt to extract information and figure out how the accounting process works. Once they know the details, it makes it much easier to manipulate the accounting department. Alternatively, attackers might monitor an organization’s communications, wait to intercept a legitimate invoice, and then tamper with it to change the account details to their own.
How to prevent invoice fraud
Invoice fraud is a huge risk that can easily fleece your company out of significant sums of money. The most important step for mitigation is to implement processes for verifying invoice legitimacy.
First, employees need to confirm that invoices they receive come from a legitimate email address at the invoicing company. Employee training is an important element here—they need to be drilled so that everyone checks that the domain is exactly right (not a lookalike with a swapped or added character) and that the invoice originates from the supplier’s usual billing address. Bear in mind that the From address itself can be forged outright, so this check only means something once your mail system authenticates inbound mail (SPF, DKIM and DMARC enforced) and rejects or flags messages that fail.
In addition to training, you will also want mail filtering that authenticates senders, flags lookalike domains and first-time senders, tags mail from outside the organization, and alerts users whenever a suspicious message is detected. Expecting your users to spot every single fraudulent email themselves is a recipe for disaster, and these tools do a lot to limit attacks.
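The lookalike trick in the BigCorp story and the domain check described above can be automated in the mail pipeline. The following is an added example, not code from the original article: it takes a raw `From:` header and classifies the sender as trusted, lookalike or external against an allow list of invoicing domains. The domains `bigcorp.com` and `magicbeans.example`, and every address below, are constructed for the example. It catches the swapped “l”/“i”, the `rn`-for-`m` trick, one-character typos, a trusted domain buried as a subdomain of an attacker’s domain, and a display name that pretends to be an internal address over a foreign mailbox.

```python
from email.utils import parseaddr

# Constructed for this example: domains BigCorp accepts invoices from
# (its own domain plus the magic bean supplier from the story).
TRUSTED_DOMAINS = {"bigcorp.com", "magicbeans.example"}

# Visually confusable sequences, collapsed before comparison so that
# "blgcorp" and "rnagicbeans" compare equal to the domains they imitate.
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))
_CONFUSABLE_CHARS = str.maketrans({"1": "i", "l": "i", "|": "i", "0": "o", "5": "s", "3": "e"})


def skeleton(label: str) -> str:
    """Return a canonical form in which lookalike characters are merged."""
    s = label.lower()
    for pair, single in _CONFUSABLE_PAIRS:
        s = s.replace(pair, single)
    return s.translate(_CONFUSABLE_CHARS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def core_label(domain: str) -> str:
    """Second-level label ('bigcorp' in 'mail.bigcorp.com'). A real deployment
    should consult the public suffix list so that 'bigcorp.co.uk' works too."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_sender(from_header: str) -> tuple:
    """Classify a raw From: header value as 'trusted', 'lookalike' or 'external'.

    Returns (verdict, reason). 'lookalike' means the address imitates a trusted
    domain and the message should be quarantined or flagged for the recipient.
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "lookalike", "address could not be parsed"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")

    # 1. The domain itself, or a true subdomain of it, is on the allow list.
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted", f"{domain} is an approved sender domain"

    for t in TRUSTED_DOMAINS:
        # 2. Display name carries an internal-looking address over a foreign mailbox:
        #    "tracy@bigcorp.com" <tracy.pm@webmail.example>
        if t in display.lower():
            return "lookalike", f"display name claims {t} but the address is at {domain}"
        # 3. Trusted name reused as a subdomain of an attacker domain: bigcorp.com.evil.example
        if domain.startswith(t + "."):
            return "lookalike", f"{t} used as a subdomain of {domain}"
        # 4. Homoglyphs, single-character typos, or the trusted name embedded in a longer label.
        want, got = core_label(t), core_label(domain)
        if skeleton(got) == skeleton(want):
            return "lookalike", f"{domain} is a homoglyph of {t}"
        if edit_distance(got, want) <= 1:
            return "lookalike", f"{domain} is one edit away from {t}"
        if want in got:
            return "lookalike", f"{domain} embeds the trusted name {want}"

    return "external", f"{domain} is not related to any trusted domain"


if __name__ == "__main__":
    for hdr in ('"Tracy" <tracy@bigcorp.com>',
                '"Tracy" <tracy@blgcorp.com>',
                '"tracy@bigcorp.com" <tracy.pm@webmail.example>',
                '"Billing" <billing@rnagicbeans.example>'):
        print(hdr, "->", classify_sender(hdr))
```

This check only has meaning after the message has passed SPF/DKIM/DMARC, since an outright forged `From:` would otherwise read as trusted. It also does nothing against an invoice sent from a genuinely compromised supplier mailbox, which is why the domain check has to be paired with out-of-band verification of the invoice itself.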
Even if an employee has determined that an invoice originates from a legitimate email address, that doesn’t necessarily mean that the invoice itself is legitimate. The email account may have been compromised by an attacker who is sending out fake invoices from it. To protect against this threat, your organization needs a policy for verifying the legitimacy of invoices. The verification process adds friction, so your organization may choose to only verify invoices valued over a set amount, but any invoice that changes a supplier’s bank details, and any invoice from a supplier you have never paid before, should be verified regardless of the amount.
The policy should stipulate that employees must verify invoices by contacting the issuing company over a separate channel, such as by phone, using contact details already on file from when the supplier was onboarded, never a number printed on the invoice or given in the email, since an attacker will happily supply their own. Not only should employees check whether the invoice was issued, but they should also double-check that its details are correct. Attackers may have intercepted a legitimate invoice and changed the account information to their own, so employees should confirm both the price and the account number with the supplier to ensure the invoice hasn’t been tampered with.
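The verification policy described in the last two paragraphs can be encoded so that accounting cannot skip it by accident. Below is an added example, not code from the original article or any particular product: an invoice is compared against the supplier’s vendor master record (domain, bank account and phone number as confirmed at onboarding), and a callback is required if the amount is at or above a threshold, the bank details or sender domain differ from the record, the invoice carries a different phone number, or the supplier is unknown. The callback number always comes from the record, never from the invoice, and payment is only released if the supplier confirms both the price and the account. The `10000` threshold, the supplier “Magic Beans Ltd”, the phone numbers and the invoices are all constructed; the IBANs are the standard documentation examples for GB and LV, not real accounts.

```python
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Assumed policy value for this example: invoices at or above this amount always
# get an out-of-band call, whatever else checks out.
CALLBACK_THRESHOLD = Decimal("10000")


@dataclass(frozen=True)
class VendorRecord:
    """What accounting verified when the supplier was onboarded."""
    name: str
    domain: str          # domain the supplier sends invoices from
    bank_account: str    # account details confirmed out of band
    phone: str           # number confirmed at onboarding: the only number used for callbacks


@dataclass(frozen=True)
class Invoice:
    """Fields as they appear on the invoice that arrived by email."""
    vendor_name: str
    sender_domain: str
    amount: Decimal
    bank_account: str
    contact_phone: str   # whatever the invoice says; never dialled for verification


@dataclass
class Decision:
    requires_callback: bool
    reasons: list
    callback_number: Optional[str]   # always taken from the vendor record, never the invoice


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def _account(s: str) -> str:
    return re.sub(r"[\s-]", "", s).upper()


def assess_invoice(inv: Invoice, vendors: dict) -> Decision:
    """Decide whether an invoice may be paid as-is or must first be confirmed by phone.

    vendors maps lower-cased vendor name -> VendorRecord.
    """
    record = vendors.get(inv.vendor_name.strip().lower())
    if record is None:
        return Decision(True, ["vendor is not in master data; onboard and verify before paying"], None)

    reasons = []
    if inv.sender_domain.lower() != record.domain:
        reasons.append(f"sent from {inv.sender_domain}, record says {record.domain}")
    if _account(inv.bank_account) != _account(record.bank_account):
        reasons.append("bank account differs from the verified record (possible tampering)")
    if _digits(inv.contact_phone) != _digits(record.phone):
        reasons.append("invoice lists a different phone number; call the number on file instead")
    if inv.amount >= CALLBACK_THRESHOLD:
        reasons.append(f"amount {inv.amount} is at or above the callback threshold")
    return Decision(bool(reasons), reasons, record.phone if reasons else None)


def confirm_with_vendor(inv: Invoice, stated_amount: Decimal, stated_account: str) -> bool:
    """Outcome of the callback: pay only if the supplier's stated price AND account match the invoice."""
    return inv.amount == stated_amount and _account(inv.bank_account) == _account(stated_account)


# Constructed sample data. The IBANs are the standard documentation examples, not real accounts.
VENDORS = {
    "magic beans ltd": VendorRecord(
        name="Magic Beans Ltd",
        domain="magicbeans.example",
        bank_account="GB29 NWBK 6016 1331 9268 19",
        phone="+44 20 7946 0000",
    )
}

# A routine invoice: everything matches the record and it is under the threshold.
ROUTINE = Invoice("Magic Beans Ltd", "magicbeans.example", Decimal("4200.00"),
                  "GB29 NWBK 6016 1331 9268 19", "+44 20 7946 0000")

# The same invoice after interception: the account and the "call us" number now belong to the attacker.
TAMPERED = Invoice("Magic Beans Ltd", "magicbeans.example", Decimal("4200.00"),
                   "LV80 BANK 0000 4351 9500 1", "+371 60000000")

# Legitimate in every detail but large enough to hit the threshold.
LARGE = Invoice("Magic Beans Ltd", "magicbeans.example", Decimal("100000.00"),
                "GB29 NWBK 6016 1331 9268 19", "+44 20 7946 0000")

# A supplier nobody has onboarded, like the story's "new managed services contractor".
UNKNOWN = Invoice("Managed Services Co", "msc.example", Decimal("100000.00"),
                  "LV80 BANK 0000 4351 9500 1", "+371 60000000")

if __name__ == "__main__":
    for inv in (ROUTINE, TAMPERED, LARGE, UNKNOWN):
        d = assess_invoice(inv, VENDORS)
        print(inv.vendor_name, "->", "CALL" if d.requires_callback else "PAY", d.reasons, d.callback_number)
```

Note that the tampered invoice arrives from the supplier’s real domain, which is exactly the compromised-mailbox case: the sender check passes, and only the comparison against the vendor record and the phone call to the number on file catch the changed account.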
Adding a layer of verification makes it much harder for scammers to pull off these attacks. It could save your company millions and a whole lot of embarrassment.