Man in the middle attacks: unravelling million-dollar invoice frauds
This is INTHEBLACK, a leadership, strategy and business podcast, brought to you by CPA Australia. Welcome to INTHEBLACK. In this special ‘Crime by Numbers’ episode, we uncover the most common tricks scammers use to defraud businesses. Payment misdirection, social engineering, and invoice fraud. Are you at risk? Here is Jackie Blondell and ‘Crime by Numbers’.
In 2021, Australian businesses lost 227 million dollars to so-called ‘Man in the Middle’ schemes – also known as payment redirection scams or, simply put, invoice fraud. This number, according to the Australian Competition and Consumer Commission, the ACCC, is a 77 per cent increase on the year before. Man in the Middle offenders can be pretty audacious. Many target big businesses, global charities, even governments. In early 2020, the Puerto Rican Government’s public pension fund lost 2.6 million US dollars when a finance worker followed through on a fraudulent email asking for funds to be transferred from one bank account to another. The year before, in Japan, the Toyota Boshoku Corporation, a major parts supplier to Toyota, lost close to 37 million US dollars to a payment redirection scam that involved hacking a business partner’s email. Alastair MacGibbon has spent 20 years in the cyber security space, including as a former special advisor to the Prime Minister on cyber security. He describes payment redirection fraud as devastating, highly profitable, growing and evolving.
Well, we know that criminals spend a lot of effort these days to be inside systems, knowing that a legitimate service has been offered. They're not just randomly throwing out invoices with their bank details on it as the beneficiary. They're sometimes sitting inside systems real time intercepting and changing on the fly those invoices, which shows a degree of sophistication.
Former ACCC deputy chair Delia Rickard spent more than a decade fighting scammers. She says the consumer watchdog received almost 20,000 reports of payment redirection scams in 2022 alone. She explains how such a scam might work.
Basically, let’s say you’re a business person, you’ve ordered widgets from somewhere in Asia. You’ve been doing business with them for a while. You are expecting an order, you’re expecting an invoice, the invoice comes, it looks exactly like you expected for the right amount, and it just says at the bottom, ‘We’ve changed our banking details, please pay here.’ So, somebody automatically just pays there. In fact, what’s happened is the scammer has hacked into the email system of the company that supplies the widgets and has changed the payment details. So, when the accounts person thinks they’re just doing the right thing and paying, in fact they’re sending money straight to the scammers. They will then still owe the money to the widget company. And it is very, very difficult to detect. And the truly worrying thing is we've started to see it happening in the real estate sector too, sometimes with whole final payments for purchase of a house being sent off to the scammer, rather than to the property owner. So, it is a really big concern.
That is what almost happened to Barbara Corcoran, founder of US real estate brokerage firm Corcoran Group and a judge on reality TV show “Shark Tank”. She was nearly scammed out of 400 thousand US dollars when scammers emailed her bookkeeper pretending to be her assistant. The email message included an invoice, supposedly authorised by her assistant, to pay for an investment property in Europe that needed renovations. The scammers had created a fake email address for her assistant by leaving out one letter of her name – and how closely do people really read email addresses? Fortunately, Corcoran’s bank froze the money before the scammers could get their hands on it. Offenders are also targeting the agricultural industry. In fact, the first time Alastair MacGibbon heard about these kinds of payment redirection scams was when he got a call from his uncle, a Queensland beef farmer in his eighties, who’d had some truckloads of crushed granite delivered to his property.
I don't know for what purpose, I'm no crushed granite expert. Only that it cost quite an amount of money. He'd received an email some days after this granite had been delivered and, like any good person, paid that invoice straight away. And, of course, what happened is he didn't know that he'd paid a criminal until such time as he got a phone call from the crushed granite trucking company to say that he hadn't paid the invoice. And he did, of course. Then he told them which account he paid into, and they said that wasn't theirs. The monies were paid into a Commonwealth Bank account in the town of Bundaberg in Queensland. And the funds were withdrawn the same hour that they were deposited by what we would call in my game a money mule, someone who'd been recruited probably online for a job. And they had taken the funds out. And, as a consequence, there had to be another payment made to the actual company that had delivered the goods.
Money mules often have no idea who they are actually working for. They are recruited online to receive a large sum into their account; they may not know how it got there or who sent it. They are then supposed to transfer the money to an account where the actual fraudsters can access it.
Money mules are people that assist with that process. They're ‘throwaway’ people for the criminal, so it doesn't really matter if they get arrested by local police. It's unlikely, of course, that they will be arrested by local police, but it does happen occasionally. And when they are arrested, they don't know anything about the actual criminal enterprise. Their, in quotes, “job”, has often been given to them on the internet. I say to people this, if you get a job offer to pay you a lot of money where you haven't actually applied for it, had an interview and need no skills for it, then it's likely you are working for scammers. And unfortunately, there are desperate people out there who want the money. The sting in the tail, there are two stings in the tail, one is, you can end up getting arrested, and the second is, often the criminals don't properly pay you anyway. So, they'll rip you off at some later stage, and they've also made you a criminal. So, it's just an unhealthy place to be, but we know it's also a growth area, unfortunately, on the internet.
It’s quite alarming, even a bit creepy, to think of hackers hiding out in your IT system, waiting for their moment to con you – but that is often how they operate. Delia Rickard recalls one particular case reported to the ACCC. She’s changed names for privacy reasons.
John was the accounts manager for a local manufacturing business. It was late on a Friday afternoon, so he is probably a bit tired. He received an email, which appeared to come from one of his regular suppliers, Mr Liu, from Zhang-Fei Industries. They made ball bearings, and he was a regular customer. Now, Mr Liu's email explained that, due to a change in their internal finance system, he needed John to update their banking details, including a new account number. Now John took the email at face value. He was expecting the invoice, and changed the banking information in his company's database. And, a few days later, John made the scheduled payment to the company for 17 thousand dollars. Two weeks later though, the ball bearings hadn't arrived. So, he called Mr Liu, and Mr Liu said he hadn't received the payment for the last order and had consequently cancelled the shipment. John told Mr Liu that he had processed the payment personally to make sure it was paid according to the new arrangements. After some investigation, it became clear that Mr Liu had not sent any request to update his company's banking details, and John had fallen victim to a scam. Now, in the weeks to come, with the initial loss of 17 thousand, the delay in supply flowing from the missed orders and the broken contractual obligations, it cost John's company around about 30 thousand dollars.
When it comes to targeting victims, Man in the Middle scammers are looking to exploit vulnerabilities. The most likely victims are those with fewer defences in place. And that, unfortunately, is often small businesses.
When you think about the most likely victims, they're the ones who have less process around them, and they're the ones who are probably busy multitasking, doing lots of other things, where paying invoices or sending out invoices is only one part of their job description. The unfortunate thing, of course, is that's the bulk of our economy. And so the likely victims of this fraud fall into hundreds of thousands, potentially millions, of small businesses who are frankly just going about trying to make their living and provide services in exchange for payments.
Fraudsters that target small business rely on volume. Others are willing to make a bigger investment to lure a “big fish” and get a major payoff. Alastair MacGibbon says fraudsters are increasingly using sophisticated technology, like deep fakes – artificial intelligence used to create convincing images, audio and video hoaxes.
You may have heard of these frauds that are very similar in nature, where there'll be an email or sometimes even a voicemail left by the CEO who is called out of town on urgent business, but he’s instructing the CFO not to tell anyone else about a particular opportunity or transaction, but to pay funds into a certain account. Now I can see how that would be effective, primarily because now these deep fakes, or the ability to create videos even, and definitely audio, of any individual, just give that enough authenticity, if combined with a sense of urgency. You know, in hindsight, these things always look obvious, but if you create a situation where, you know, the clock’s ticking, the CFO’s under a direct instruction, you kind of know that this CEO or a leader behaves that way sometimes themselves anyway, you know, they're prone to be, you know, fast moving and not always inform you of things. And you can actually see how these crimes can be carried out against a large organisation.
Delia Rickard believes that banks have a major role to play in stopping invoice fraudsters in their tracks.
At the moment, most people use the ‘pay someone’ function and, as you'll know, if you've ever used it, when you go to pay someone, you put in their name, then you put in the bank's BSB, then you fill in the account number. Now, in Australia on the whole, the banks will only check the BSB and account number. They don’t match the name. And so, the name could be, you know, anything, and that won't ring any alarm bells. In the UK and in the Netherlands, they have changed that, and they've seen significant reductions in these payment redirection scams. And this is something we've been advocating for the banks to do and will continue to do so. The banks do have a new system, PayID, which will help with this. However, most people aren't on it, and we know, in terms of take-up, these things take a long time. And whilst it may eventually be a solution, it's not a solution at the moment for most people. So, we really would like to see this reform put in place.
Alastair MacGibbon says internet service providers and telcos also have a role to help protect small businesses from payment redirection scammers.
Because frankly, once a criminal has reached the front door of a business, the virtual front door of the business, the likelihood of you being able to stop them carrying out a crime is actually pretty low. And that's the problem we face in this society. So, it needs to be ISPs and telcos. It needs to be professional organisations and others that have this sort of scale that can provide assistance. Because, I'm one of the people that runs a really large cybersecurity professional services and engineering firm, and, you know, we've got 1200 people, but the likelihood of us being able to price ourselves to be able to help a small business is almost impossible, just because of the cost of us doing business. So, we can't help those small businesses, and no one can; no one that's ever set up a cybersecurity business saying, I'm going to help SMEs, ever succeeds, because it's just an expensive business to be in. So, it's got to be done away from professional services into the very pipe themselves that delivers these ones and zeroes, these electronic signals, to small businesses.
Of course, businesses and individuals also play a critical role in protecting themselves from fraud. Because, unfortunately, when it comes to allowing criminals access to an organisation’s records and systems, it is most often the employees themselves who open the door.
Sounds bad to say people are the weakest link – but the reality is they are. And I say that because, when you think about an offender, and whether that offender is a criminal or a nation state threat actor, you target the end user to do something for you. You either want them to open an email and download a piece of software that's attached, or you want them to hand over their username and password. Ultimately, it's either an action or an inaction of an end user that is necessary for them to succeed. And that's tough, because, you know, I've spent my whole career proving humans are fallible, and I'm right the vast bulk of the time. And that's not because they're bad people – it's just because we are fallible. So, what we have to do when it comes to cyber security is design out the harm associated with humans failing.
And how do we design out human fallibility?
At the moment, I'm almost guaranteeing you the vast bulk of laptops and PCs out there inside small businesses have what we call ‘administrative privileges’. They can put whatever software they want on those computers just by clicking a button, downloading, et cetera. If you just took that away, then you reduce the ability for a criminal, if they steal your identity, to use your privileges to install something on a computer, and you can reduce the likelihood of a successful criminal attack. You can segment that computer from the rest of the computers in your business, just through some simple software and structure. You can set your computers to patch themselves, and all the software and applications on that computer, whenever the manufacturer of either that hardware or software releases a patch, which is usually to either fix a fault, add features or remove a security risk. So these are things you can do to design the human out, and that's what we've got to be better at doing as a society. And we just haven't done it yet. And it sometimes surprises me, you know, in the decades I've been in this space, that we've just not changed the way we use technology sufficiently to take some of those human failings and the risks associated out of the loop.
One of the most common tools used by cyber criminals, the phishing email, has been in use in Australia since the early 2000s. These are deceptive messages sent by fraudsters pretending to be a trusted source, to trick the recipient into providing details like passwords or bank account details. More than two decades later, they are still the number one way in which cyber criminals con individuals and businesses.
We should have changed the way we do business by adding things like multifactor authentication. It was harder 20 years ago, much harder. Now there's an awful lot of really smart technologies you can use so that you have more than a username and a password. And yet most organisations still today haven't implemented that type of technology, or they haven't implemented it universally enough for it to take effect.
But why is it taking so long to make simple changes to the way technology is designed to reduce exposure to human fallibility?
So I can't answer the question properly apart from saying, why do all the big, hyperscale providers that we use, whether for our personal emails or for social media, why aren't they turning on, by default, these extra protections, rather than having me go and turn them on as an individual because I'm the worried well, versus the mass of the population still not even knowing they can toggle on these types of protections, because they’re available these days and they’re free and they really help improve security. So, we haven’t changed primarily because society hasn’t demanded it. And it’s only really been the last couple of years that society, around lounge rooms and dinner tables, is starting to really get worried about these effects that cybercrime and scamming can have on the community. People like me have been in this space for a long time, and if I told people 20 years ago, as I did, I’m involved in trying to stop cybercrime, most people would ask, is it a thing? Now there’s not a person listening to this podcast who hasn’t either been a victim or knows a victim, probably in the last couple of months. So that’s how fast this crime’s grown. So it’s time now that we start demanding technology to be engineered to be safe.
In the meantime, there are steps we can all take to prevent falling victim to Man in the Middle scams. For example, apply system updates, also known as patches, when they become available; this helps prevent scammers from getting into your IT system. It’s a simple security feature that you can enforce in your workplace by introducing automatic updates. That way, the work is done for you and your staff. Multi-factor authentication is also a useful security measure; it’s like a safety net for passwords. And, if you receive a request for payment that includes new bank details, Alastair MacGibbon recommends picking up the phone.
I often describe it as an eminently avoidable crime, because if I buy a service or a good from you, and I have paid you before, and then you tell me, in quotes, “you tell me” by the next invoice a new bank detail, then all I should do is really call you on the number that's listed on the internet or in, you know, if someone still uses them, in the, you know, the white or the yellow pages. And that way you can say, ‘Hey, have your bank details changed?’
If you enjoyed this special ‘Crime by Numbers’ episode, subscribe to the INTHEBLACK podcast, leave us a review and tell your colleagues and friends about us. And we hope you can join us again next time for another episode of INTHEBLACK.
About the episode
Governments, businesses large and small, and individuals – no one is safe from man in the middle attacks. Just ask Google, Facebook or Puerto Rico.
Also known as payment redirection or invoice fraud, these schemes are devastating, highly profitable, growing and evolving.
Join our cyber and consumer experts to find out what it takes to defeat these money mules.
Tune in now.
Host: Jackie Blondell, Editor, CPA Australia
- Alastair MacGibbon is Chief Strategy Officer at CyberCX. He has spent 20 years in the cyber security space, including as a former special advisor to the Australian Prime Minister on cyber security.
- Former Deputy Chair at the Australian Competition and Consumer Commission (ACCC), Delia Rickard spent a decade fighting scammers.
The Australian Government’s Powering Australia page has more on this topic.
The ACCC’s Scamwatch website includes fraud prevention advice, case studies and up-to-date data on what different types of frauds are costing the Australian people.
If you’d like to read more about invoice fraud, including the schemes discussed in this episode, these links have information through press releases, documents and news articles.
Puerto Rican fraud
- $2.6 million for Puerto Rico's Pension Fund went to hackers instead | The New York Times
- Puerto Rico loses millions in email scam | Trend Micro
- Puerto Rico online scam targeted more than $4M amid crisis | NBC News
Toyota fraud
- Toyota Parts Supplier Hit By $37 Million Email Scam | Forbes
Facebook, Google fraud
Barbara Corcoran fraud
Phishing in Australia
CPA Australia publishes three podcasts, providing commentary and thought leadership across business, finance, and accounting:
Search for them in your podcast platform.
You can email the podcast team at [email protected]
Research, scripting and editing: Susan Muldowney
Studio production and sound editing: Garreth Hanley
Additional research and scripting: Jacqueline Blondell