Fake request for payment – Have I been hacked?

By Luke Smits - Founder & Operations Manager

We have had numerous reports from clients over the last few months of fake requests for payments with sometimes disturbingly accurate details associated.

A typical example would be an email apparently sent from the company owner or CEO to the accounts person requesting immediate payment be made to an account listed below.

This type of example would usually appear to have been sent from the owner/CEO email address complete with the correct email address, will use the accounts persons name and often have other details that would not be uncommon in such a request. Potentially naming a supplier or other known entity.

This is highly sophisticated ploy being successfully used by hackers to obtain money by deception and guess what? YOU are their primary target.

When I say you I mean small to medium businesses. Why? Because you are likely to have less secure systems and password, will be more likely to make payments without things like signed purchase orders, and may not think too hard about a request from your boss to transfer money to a known supplier without more detail. Basically weak processes and procedures that any business, but particularly the smaller ones struggle with.

On first thought it’s hard to understand how a person sitting at a computer on the other side of the world could possibly know your name, your email address, your bosses details, and or the details of your known associates. Well consider this.

At some stage you or a genuine associate may have sent an email to an email account that has been hacked, meaning the content and or attachments can be read and details used against you. The details in this email may contain all they need to get started. In more advanced examples the “hackers” for lack of a better word may do a little more research or grooming to increase their chances of success. They may look at your website, send you a fake product enquiry, make a few phone calls and see what other little bits of information may help them be successful in getting some money out of you. In some cases (luckily none we have been directly associated with) we’ve heard of fake email conversations that have gone on for days or weeks, back and forward clarifying details of a fake order, and all the while having you believe you are dealing with a known customer or supplier. You then process the payment as expected, perhaps the account number may have changed since last time, but you know this person, you trust them so you may not think anything more of it.. Then before you know it you’ve sent payment for $10213.34 to a bank account belonging to a hacker rather than your intended recipient.

What can you do to avoid this.

• Simple things like checking details, and picking up the phone to call your customer/supplier if you have any doubts about the transfer of money. It’s easy to fake an email address, but not so easy to fake a phone number and the person on the other end.
• Make sure you have things like spam filters, and a modern email system as well as STRONG and UNIQUE passwords across all your business systems.
• Encourage fellow businesses and customers you make sure they also have modern email and security platforms as well as a trusted IT partner who can provide expert help and solutions.

Our final thought on this is to not panic if you think you have been hacked. Slow down, pickup the phone call your IT support and talk it through. Generally it’s not you that has been hacked, but someone else. So whilst that is good news for you, it’s still good to be aware and most of all not to conceal or panic if you suspect an attempt has been made as this is just likely to make it worse.