Introduction

Fraudsters and cyber attackers are targeting firms in their attempts to steal client money and data. Millions of pounds of client money have already been stolen through cyber-attacks and fraudulent scams. This guide gives some examples of how the attackers carry out these scams and how they may find a route to stealing clients’ money.

Do not think it cannot possibly happen to you! It can, and there have been attempts in the past.

There are three ways in which we can unknowingly work for the attackers:

  1. Acting as their facilitator by clicking on corrupt links or attachments in emails and on the website, which can run the attacker’s malicious code for them
  2. Acting as middlemen by handing over secure credentials or details so the attacker can use them
  3. Working directly for the attackers by transferring money to them

Attacks differ in scale and volume, but they all share one common theme: they use social engineering to deliver the big rewards. A cyber-attack, scam or breach can have a damaging effect on a firm. In the worst scenario, it can lead to reputational, financial, regulatory and operational risk and damage.

In most instances these attacks are on individuals using Gmail, Yahoo or any other free email account, or on businesses that may not have sufficient cyber security in place.

So, let’s have a look at some examples:

Scenario 1 SPEAR PHISHING

The attacker infiltrates the computer network and poses as a client who requests the return of a deposit on an order. This is done by an email which appears to be from a client or business you know. But it isn’t; it is a fraudulent attempt by an attacker who has specifically targeted your client or a business to steal money or obtain confidential information.

Let’s say it is a particularly busy time at ABC. The run-up to the summer holidays is fast approaching and you are trying to complete transactions before the holidays. Peter is a salesman and has spent a lot of time dealing with a complex and time-consuming order. ABC is holding the deposit pending delivery.

While Peter is on holiday, his secretary receives an email from the client to say that he is no longer proceeding and asking for his deposit monies back. The client supplies his bank details in the email and, after speaking to the person covering Peter’s work, the secretary arranges for the funds to be transferred to the client.

A week later, after Peter has returned from holiday, he receives a call from the client about how near they are to completing their order. Peter tells the client the deposit has been returned after receiving his instructions. The client is unaware of the request and has not received any funds.

The Attacker’s View

The attacker, having found out that Peter is a salesman, has followed him on social media and attached himself by expressing an interest in Peter’s hobby of car racing. He starts to email Peter, who thinks the emails are coming from a well-known magazine. These contain links that are perfectly innocent. Peter has started posting about going on holiday, so the attacker sends him an email with a link to a VIP day that happens to be in Italy, where he is going. The link is a Word document and he has to enable editing to fill it in. This downloads a macro allowing the attacker to look at Peter’s PC and steal the client’s email.

Scenario 2 WHALING

The attacker uses peer pressure by posing as a managing partner who is away on holiday and who requests an emergency payment from the accounts team. Whaling is ‘reeling in a big fish’; a whaling attack is also known as C-level fraud and business email compromise. It involves targeting partners or managers with forged emails asking for money or information.

DDD Law is a practice with 20 partners. Mark is a managing partner and is on LinkedIn and Twitter. He speaks at a seminar on attracting university graduates, which is covered by the press and on social media.

A week later Mark receives a request to connect with a recruitment consultant called Jane on LinkedIn. Although he does not know her, he accepts the request. He then goes on holiday to France to take part in a bike race and puts this on social media.

DDD Law’s cashier Sue receives an email from Mark at 9am on Monday telling her there has been a family emergency and asking her to send £10,000 immediately to an account given in the email. He says he will put the money back on his return and will call her when he has received it.

Sue is concerned for Mark’s family and, because of the urgency, she transfers the payment. She mentions what has happened to another partner who is passing. The partner is worried and calls Mark, who did not send the email and is happily cycling. The funds have been stolen and the finance partner contacts the bank to report the incident.

The Attacker’s View

The attacker reads about DDD Law in the press, looks at their website and gathers information. They notice that the firm has someone responsible for its graduate scheme and identify Mark. The attacker then builds a profile on Mark and DDD Law. Using this information, they create a LinkedIn profile with fictitious pictures and history. They then start to build a relationship with Mark using the information gathered on him.

Prior to this, and using cloned identity information, the attacker has set up a bank account in that individual’s name. This is used for the scam.

The attacker starts to make his move by purchasing the domain name dddslaw.co.uk. The real domain is dddlaw.co.uk (note the additional s). He calls reception at DDD Law and pretends to be from another law firm. He asks for the cashier’s email and then sends the fraudulent email from dddslaw.co.uk, pretending to be Mark and requesting the money.
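A defender-side check for the lookalike domain in this scenario, as an added example that is not part of the original guide: it classifies the domain in a From header against the firm's real domain by edit distance. The function names, the threshold of 2 and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: the firm's genuine domain, taken from the scenario above.
TRUSTED_DOMAINS = {"dddlaw.co.uk"}
MAX_DISTANCE = 2  # assumed threshold: this many edits or fewer is a lookalike


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Return the lower-cased domain of a From header, or '' if none is found."""
    _, addr = parseaddr(from_header)
    local, at, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if at and local else ""


def classify_sender(from_header):
    """Label a sender as internal, lookalike, external or unparseable."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if domain in TRUSTED_DOMAINS:
        return "internal"
    if any(edit_distance(domain, t) <= MAX_DISTANCE for t in TRUSTED_DOMAINS):
        return "lookalike"  # e.g. one extra letter: hold for manual verification
    return "external"


# Constructed sample headers, not taken from any real message.
SAMPLES = [
    "Mark <mark@dddlaw.co.uk>",
    "Mark <mark@dddslaw.co.uk>",
    "Jane <jane@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):<10} {header}")
```

A `lookalike` result would have flagged the email Sue received, since dddslaw.co.uk is one edit away from dddlaw.co.uk.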

Scenario 3 REDIRECTION ATTACK

 

The attacker exploits a software weakness on the firm’s website and redirects potential clients to the attacker’s site, requesting payment on account to a fraudulent bank account.

Mr Jones makes contact via the website of Collins Stationary about an urgent order to be sent out. He receives an email that appears to be from Collins Stationary asking for a £50.00 upfront payment and giving the bank details. He is told in the email that Sally Baldwin, a Sales Manager, will be in touch as soon as the monies are received.

Mr Jones sends the monies and 2 days later calls Collins Stationary, only to be told that they have not received anything. Sally Baldwin does work for the firm but has been given no contact details.

The attacker has exploited the out-of-date website platform and redirected potential clients to himself, using a patch that attaches itself to websites running obsolete software.

This allows him to request and steal the potential client’s money.

Scenario 4 VISHING ‘FRIDAY AFTERNOON’ FRAUD

Vishing is a telephone scam to trick a target into surrendering private information that will be used for stealing identity or money. The attacker usually pretends to be a legitimate business; in this case, the fraudster pretended to be from the bank’s fraud security team.

James is a cashier in Dropdown Ltd, which has 6 partners. On a busy Friday afternoon, the firm’s switchboard passes him a call from the fraud team at RBS. James takes the call from Linda. Security checks are carried out and Linda tells James two fraudulent payments have been set up on the client account.

James is advised to call his relationship manager at RBS and not to log onto the system as his account has been compromised. 

James ends the call with Linda and calls Daniel, his relationship manager. Daniel’s secretary answers and tells James that Daniel is in a meeting, but he has authorised the fraud team to walk him through the process of cancelling the payments. He is transferred back to Linda.

To cancel the fraudulent payments, Linda asks James to enter a passcode in his RBS reader and then type the result on the phone keypad. James provides the information in full. Linda confirms the payments are cancelled but James is not to log in until he gets an email from RBS with their instructions on resetting his login details.

After waiting for more than an hour, James calls Daniel again and speaks to him directly, only to find £80,000 in total has been taken from the client account in two payments.

The attacker has identified Dropdown Ltd as a potential target. Pretending to call from another firm of solicitors, they find out who deals with payments. The attacker may have previous experience of working within the banking industry and is used to the terminology and time pressures faced by law firms.

The attacker first sends a phishing email to James in accounts; he clicks on a link, which releases a keylogger program onto his computer. The keylogger program covertly monitors and records all the keystrokes on James’s keyboard. This enables the attacker to validate his RBS Bankline site and password. The attacker then logs into the bank site and sets up the fraudulent payments. In this instance the attacker has an accomplice, ‘Daniel’s secretary’. They call to gain the final piece of the jigsaw: the card reader details needed to release the monies.

The attacker also uses telephone hijacking software to manipulate caller IDs and prevent call recipients from fully hanging up. When James attempts to call Daniel on the first occasion, the line is in fact still connected to the attacker.

Scenario 5 INVOICE FRAUD

Supply-chain fraud can take many different forms. One of the most common is where attackers disguise themselves as your known suppliers and deceive you into redirecting regular payments to their accounts.

Abby works as a cashier. She is responsible for the purchase ledger and credit control in the accounts team of JKL Builders. The firm deals with high-end building suppliers.

Abby receives an email with an attachment from Best Builder Supplies of 23 Cavendish Inn. The email states that the company have changed their bank details and asks that, with immediate effect, all payments are made to the new account, whose details are attached to the email. They also request immediate payment of invoice CIC28467B for £12,000 before any further opinion can be provided.

Abby knows Best Builder Supplies are an important supplier to the firm, so she updates the details and pays the invoice. A week later, Abby receives another request for payment and the scam is discovered.

The attacker carried out an initial spear-phishing attack and was able to access and monitor the email accounts at Best Builder Supplies. The attacker identified Abby as the person who paid invoices at JKL Builders. The attacker then clones an invoice with the logo, address, VAT number and disclaimers of Best Builder Supplies and prepares an email notification of a change of bank details.

Scenario 6 RANSOMWARE

Ransomware is malicious software designed to prevent access to files or programs until a sum of money has been paid to the attacker.

PQR outsources its IT maintenance and support to a reputable third-party IT company. This ensures it has in place a secure and robust IT network with firewall, virus and malware protection. It also takes daily backups to a cloud-hosting company.

PQR has been very busy over the last three weeks on a time-sensitive corporate deal. On Thursday the senior partner complains to the office manager that his computer is very slow. The office manager wants to contact their IT company, but the senior partner demands his computer access is not interrupted. The office manager does not contact the IT company immediately.

Throughout Thursday the senior partner continues to have issues with his computer; he now cannot access his Dropbox files and his computer displays a strange message. The office manager contacts the IT company, but the senior manager still denies access to his computer as he must prepare the corporate documentation ready for Friday.

When the partner reaches the office on Friday morning and logs into his computer, he is greeted with a message on his desktop wallpaper.

Other staff members have problems accessing the document management system and all the firm’s network drives are inaccessible. The firm’s third-party IT company cannot access the files.

A ransom is being demanded to restore access to the files.

The Attacker’s View

The attacker sends out a mass phishing email, containing a .zip file attachment, to a database of email addresses. The attacker embeds within the zip file a malicious JavaScript downloader for a ransomware program known as Lucky.

While working late one evening, the senior partner accesses his personal email through his company’s web browser and spots an email with the subject Att: Invoice J23456. The body of the email reads ‘Please see the attached invoices and remit payment according to the terms listed at the bottom of the invoice’. The senior partner opens the zip attachment. When the zip is opened, the JavaScript downloads and installs Lucky.

Lucky then identifies the PC’s operating system and the language used, so it knows what language to display the ransom message in. Lucky then generates a unique ID for the infected PC and begins encrypting files only after it has reported the infection to its command and control server, i.e. the attacker. The attacker then sends Lucky a public encryption key, which allows the process to start. All files on the PC’s local and network drives are then scanned and encrypted. In every folder that Lucky has encrypted is a ransom note, which contains all the information about what happened to the files, together with instructions for payment and decryption. Lucky also changes the Windows wallpaper on the PC, and this contains the same instructions as given in the ransom notes left in the folders.
