26/06/2023
Invoice hijacking is on the rise - what is it and how to protect yourself.
It is a busy time of year and everyone is receiving more invoices and other financial communications than usual, but are you sure that every invoice is legitimate?
Invoice hijacking is on the rise, and receiving a hijacked invoice is indicative of greater security vulnerabilities. Read on to find out about this threat and how to protect yourself.
What is a hijacked invoice?
A hijacked invoice is a legitimate invoice that has been intercepted by an attacker, and the account details have been changed. The name on the invoice is correct, the invoice number is correct and everything else looks normal, but if you make payment using the supplied bank details, you will have unintentionally sent the money to a hacker!
How does invoice hijacking work?
A hacker breaks into an email account
If you have received a hijacked invoice, it is usually because either the sender or recipient have had their email account compromised by an attacker.
This can occur through various methods, including phishing, social engineering, password guessing (or password reuse), incorrectly configured mail servers or exploiting security vulnerabilities.
The hacker is reading your mail
Once inside the compromised email account, the attacker can monitor the email communication between the sender and you. They search for incoming invoices or any communication related to payments.
They monitor for invoices
The attacker specifically targets invoices or payment-related emails to modify. They may search for keywords or known senders associated with financial transactions. The attacker may choose not to act until an invoice worth a large amount is received.
The Hacker modifies invoice details
After identifying an invoice, the attacker alters the bank account details within the email or attachment. They replace the legitimate account information with their own, directing the payment to their account instead.
Concealing Their Actions
To avoid detection, the attacker may take steps to cover their tracks. They can delete or archive the original email to make it more difficult for the sender or recipient to identify the changes.
Sending the Altered Invoice
The attacker allows the modified invoice to reach your email inbox, making it appear as if it's from the legitimate sender. They rely on your trust in the sender's email address and the appearance of the email to manipulate you into following the modified payment instructions.
Unauthorized Payment
If you proceed with the payment based on the altered invoice, the funds are sent to the attacker's account instead of the intended recipient.
What do I do if I receive a hijacked invoice?
Have a policy around verifying supplier information
When you receive an invoice, contact the sender via phone and confirm the payment details. Many businesses make it a policy to contact new suppliers via phone to confirm account details and won’t change those details without additional verification.
If a phone call reveals incorrect payment details you need take the following steps:
Contact the invoice sender
Contact the sender and let them know you have received a hijacked invoice from them.
If the sender's account has been compromised then an attacker is likely sending fraudulent emails to every contact in the mail account.
Contact the Bank.
If you have made payment on a hijacked invoice call your bank's fraud line and inform them. They may be able to stop the funds from being transferred.
Once you have contacted your bank, use the BSB lookup tool here (https://www.bsbnumbers.com) to identify which bank has the attacker's account. Contact the fraud line for this bank and let them know about the hijacked email.
If you have already paid the invoice there may be a chance to recover your funds, and even if you haven’t made a payment, alerting the bank may help catch the hacker and will prevent others from having their funds stolen.
Check if your email account has been accessed from an unknown location.
Receiving a hijacked email however does not mean the sender is compromised, quite often it is your own mailbox that is being accessed by an attacker.
Most email providers provide a way to view where an email is being accessed from. It will also often show failed login attempts and other information. Any login from outside of Australia suggests the account has been compromised and is being accessed by an attacker.
For a Microsoft email (Office 365, Outlook.com, Hotmail.com, Live.com etc.) you can use this link to see your account activity: https://account.live.com/Activity
For Gmail and Google Workspace email accounts you can click the details button from the very bottom right hand corner.
For Bigpond email you will need to contact Telstra support.
What to do if your email account is compromised.
Lock the attacker out
If your email has been compromised you will need to lock the attacker out. The first step is to change your password to a unique and complex password that you have not used anywhere else.
If your email has been compromised, it may have been used to gain access to other services you use such as banking or social media, so you should also change your passwords for these services.
View your email history
Go through your sent emails and make sure there are no unknown emails sent from your account. Go through your recently paid invoices and confirm they too have not been hijacked. Report any suspicious emails in or out and alert senders and recipients.
Secure your account.
Setup and use 2fa (second-factor authentication) wherever possible. 2fa is the service in which a code is displayed in an authenticator app on your phone that you input on login.
There are also various security settings that can be enabled depending on your email provider. An IT professional will be able to help you correctly secure your account.
Move to a better email provider
Many free email services such as those provided by ISPs are using older technology and are no longer fully supported by the vendor, and really should be considered insecure. If you have an .com or .com.au account then you should consider moving to a new email provider.
More information
For more information on hijacked invoices and other cyber threats contact the Australian Cyber Security Centre or read more here: https://www.cyber.gov.au/report-and-recover/recover-from/email-compromise/what-do-if-youve-been-attacked
