This form of fraud entails the fraudster inducing a finance officer in a company or, as in our case, a public authority, to transfer money usually to a bank account abroad, through false email correspondence. Internationally, the scope of these frauds is astronomical and they have been a major problem in Europe and in the US for a number of years, with a spike in 2015. The latest figures from the US estimate that these frauds have generated USD 3.1 billion globally for criminals over the past 3 years. Only a few Swedish companies have been targeted in the past, but this type of fraud has really taken off over the past year. According to the police’s national fraud centre, this form of crime will continue to increase and very probably change its guise over time. The whole set-up, including what is known as social engineering, will increase in all areas. One basic reason is all the open information which is available to all and people’s trust in the internet and social media. But above all, inadequate procedures.
How it works
Nowadays, basic phishing fraud starts with the fraudster mapping the company, via ‟social engineering”. The fraudsters identify the head of the organisation and when that person will be on holiday or on a business trip, they identify the people responsible for payments and how the email system and contact channels are structured. Then, at a suitable time, the fraudster sends a brief email to the selected victim, requesting that person to make an important and urgent international transfer of money. The email appears to originate from the head of the organisation, with a correct or similar email address. The sums requested are usually expressed in Euros, pounds sterling or dollars, and usually vary between SEK 100 000 and 600 000. Sometimes the recipient bank account is also Swedish, but in that case the money is usually transferred abroad immediately. In some cases, an invoice is attached to the email, with a demand for immediate payment.
Usually, the amount invoiced is EUR 9700 and the invoice follows a standardised template in which a few details and the bank account have been changed. More advanced forms of phishing can generate very high amounts, up to hundreds of thousands of Swedish crowns. In these cases, the fraudster maps the company and its collaboration partners, bank contacts, etc. in greater depth. It is likely that computer hacking has preceded the fraud since the fraudster has good knowledge of the organisation’s business relationships. But here, too, the basis of the actual payments is that the CEO apparently wants large payments to be made. Often, these are to be carried out immediately and confidentially, or it is claimed that a lawyer will get in touch and communicate when the transfer of funds is to be made and to which accounts. Contacts via telephone can also take place in order to cause stress and accelerate the transfers. In some cases, the fraudster is informed of legitimate payments which are forthcoming, but for which the putative CEO provides new recipient accounts.
Currently, it is very common for the fraudster to impersonate the head of the organisation. But in some cases, the fraudster purports to be a collaboration partner and builds up a conversation with the employee, finally requesting the transfers to a different account. In some reported cases, the impersonator claims to have lost their bank card, money, passport and wallet at an airport and needs money to be transferred rapidly, insisting that this must happen right away. The more stress the fraudster manages to generate, the greater the chance of pulling off the fraud. In another development, the fraudsters don’t attack us directly, but instead plant malware in the system of an international partner of the University. The fraudster then sends mail in that organisation’s name with information stating that the account details for future transactions are to be changed.
How to protect our organisation from attacks
We must increase awareness about this type of fraud, how it can affect any organisation and company and how it is becoming more common. Then it is crucial to follow set procedures for payments and checking measures. In particular, when requests arrive via email to make unexpected payments promptly to unknown accounts, or requests for unexpected account changes.
How to see whether something is wrong
Pay attention to the sender’s email address. The fraudster uses different methods to make the payment request appear to originate with the head of division, vice-chancellor, professor or simply the person at the top of the staff directory on the website. Currently, there are three main types of emails.
- ‟Real sender” / known as ‟Spoofed email address”. The name and sender address appear to be completely correct. If, however, you click reply to sender, the fraudster’s email address with appear instead. E.g. From: Arne Andersson (arne.andersson[at]organisation.lu.se) Reply to: Arne Andersson (chiefonline[at]presendmail.ml)
- Wrongly spelled organisational name. The fraudster has created a domain name which is deceptively similar to lu.se. For example, an ending has been added, or a letter in the name has been changed or removed. e.g.: arne.andersson[at]verksamhet.lu.se becomes @vdverksamhet.lu.se, @verskamhet.lu.se.se, @verrksamhet.lu.se, @veksamhet.lu.se.se…
- The name and organisation are spelled correctly, but there is a different top domain. For example arne.andersson[at]verksamhet.lu.se becomes arne.andersson[at]verksamhet.lu.org
- In some cases, an equivalent request has also been sent as an SMS from a mobile telephone, with the manager’s name but from a different number.
What can we do to protect ourselves?
- Follow the procedures that require you to contact the decision-maker for an additional verification, for payments above a certain amount, e.g. that you are to call back or email another address to get the payment approved by the person apparently ordering it.
- Follow procedures to check changes to supplier details – and when doing so, do not email back to the same person who sent you the new information. Sometimes, the recipient answers as though they are the right person, but from the language, it appears that the questions and answers have been run through Google translate. Pay attention to language!
- Be extra vigilant about unexpected emails or emails requesting changes to standard payment details and suchlike.
- Ensure that all[NT1] [LN2] those who are able and authorised to make payments are aware of how to identify spoofed or falsified emails as above, and that checks are equally strict when the email originates from a mobile phone sender or as an SMS.
If the University is defrauded
If we are affected by a phishing attack, it is important to act fast. The first measure is to contact LU Finance and the bank without delay, to stop the payment if possible. Some international payments outside Europe can take up to two or three days to process, which sometimes enables the fraud to be stopped. Contact the Chief Security Officer who will assist with reporting the fraud to the police.
Source: Polisens nationella bedrägericenter, SSF and Lund University
Invoice Management and Payments Office
+46 46 222 46 00
Telephone hours: Monday–Friday 9:00–12:00, 13:00–15:00 (press 1, then 1)
lev [at] eken [dot] lu [dot] se
Contact - Chief Security Officer
Chief security officer
+46 46 222 32 46
hakan [dot] jonsson [at] bygg [dot] lu [dot] se
+46 46 222 32 35
ann-charlotte [dot] dahlberg [at] bygg [dot] lu [dot] se