Another fishing nightmare affecting a small B2B supplier / customer relationship. My neighbor is a sales rep for a food distributor supplying restaurants and grocers. One of his customers is upset with him because they claim to have made proper payment to his firm for an invoice for $320,000. However, my neighbor’s firm never received payment. In assessing a string of emails that catalyzed the transaction, it's been determined that the customer was phished and then paid a false invoice sent from a bogus domain. The money was wired to the attacker’s account, trust has been lost, and no one’s happy but the bad actor.
Supplier/partner phishing attacks are common, because it's a trusted relationship. Most common are when the supplier gets phished, and the attacker sends official-looking invoices from the supplier’s account.
This time, the official-looking invoice instead came from a look alike domain that the attacker had set up to catch the customer off guard. Prior to them sending the legitimate looking invoice, the attacker had phished and viewed the customer’s email account. They must have been thrilled to see invoices received from this supplier in the past. They then created a new domain and email alias which nearly matched the supplier’s legitimate domain, but with a slight typographical difference. This character swapping technique, called typosquatting, is quite popular. The most common approach is to simply swap characters. Instead of the normal supplier's email domain of acme.com, the attacker sets up a domain and sends an email from amce.com. Busy accounting employees may not notice that difference, especially if the body and invoice in the email are near carbon copies of last month's request to pay.
Trusted phishing attacks are hard to detect, because attackers are patient enough to find and wait for opportunities to leverage past messages and relationships. Users should be educated on typosquatting, which is the same trick attackers use when setting up malicious websites (i.e. googl.com) in hopes that someone fat fingers their way into a malware or keylogger trap. Of course, in addition, users always should use the phone first, before paying any invoices.
There’s no more critical time to step up technical and organizational changes to limit the risk of email compromise from phishing. Enabling’s engineers have solutions to limit phishing attacks, both in our Phish Hunter solution and other Office 365 techniques. Our organizational change team has content and programs that can help users do their share to avoid such nasty tricks. Contact firstname.lastname@example.org for a full Guide against Phishing and for a plan to remediate and / or proactively keep phishing at bay.