Cloud services - Traceability to increase your security
Few people have missed the fact that security has become an increasingly hot topic with the rise of cloud services. In addition to businesses' own efforts to increase the organization's security, there are also laws such as GDPR that in many ways force companies to review their security.

We want to share the journey that one of our customers has taken to increase their security. Our hope is that others will gain an understanding of how a fraud like this could be carried out and, more importantly, how it could be prevented.
Clear mapping by the fraudster
The company contacted WeSafe in the fall of 2017 because they suspected that they had been exposed to fraud. The fraud involved the transfer of a substantial amount of money to what they initially thought was a trusted recipient with whom they had previously conducted transactions.
First, the fraudster gained access to an account belonging to the company. Whether the account was pre-selected or a coincidence is not known. With access to the user's account, the fraudster was able to calmly map the company's procedures by reviewing email conversations, calendars and available documents. This made it clear how transactions are processed, when they take place and who is responsible for them. In other words, it became a manual for how the fraudster could accomplish his task and eliminate the risk of being caught.
A false invoice is paid - twice
After what appears in retrospect to have been a thorough investigation, the scammer started his work by setting up an inbox rule on the hijacked account, so that emails from two specific colleagues were immediately placed in a secret folder. That way, they never showed up in the inbox and the user did not see them. The fraudster did this because he knew that these were the people who would be consulted about invoice ambiguities.
Once the inbox rule was in place, the fraudster could send a fake invoice that mimicked invoices the user had received in the past. The fraudster could imitate an invoice simply because old invoices were available in the account. Before the employee completed the transaction on the fake invoice, the employee emailed the two aforementioned colleagues for advice on the invoice. By creating an account that resembled one of these colleagues, the fraudster was able to reply to this email himself and say that the transaction should be carried out, while the warnings from the real colleagues never reached the employee's inbox because of the inbox rule. After the transaction, the fraudster sent another email saying that the payment had not gone through, so another payment was made.
Detection and report
When the colleagues at the workplace later spoke, they realized that something was not right: despite being advised not to pay the invoice, the employee had done so, whereupon the employee said that she had been told that it was okay to proceed. In order to find out what had actually happened, WeSafe was contacted and was quickly able to confirm the scenario that had been discovered. The report describing the course of events could be produced quickly and was used to draw up a police report, but also as final evidence in the district court when the verdict was confirmed and the fraudster was convicted.
How can this type of fraud be prevented?
The security you have as a customer in Microsoft's cloud services is that all the events that occur in your IT environment are logged according to the strict requirements of the GDPR. For the same reason that WeSafe could follow the course of events in this individual fraud, you can also set up notifications that are triggered by administrative or suspicious actions. An example used in WeSafe's Security as a Service is that the administrator is notified when a user manipulates the inbox rules on a mailbox.
After becoming a victim of the fraud, the company's management felt that the incident was taking up too much time and energy for the employees, who were constantly worried about being affected by something similar. They then saw the financial benefit of strengthening the company's security in the long term by outsourcing IT security to WeSafe. With this arrangement, their unique situation is evaluated, which leads to recommendations that suit them. In a short time this has resulted in their employees being able to focus on the daily work they are meant to do instead of worrying about security.
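The inbox-rule notification described above can be sketched as a small filter over exported audit events. This is an added example, not WeSafe's or Microsoft's code: the record layout, the sample events and the `example.com` domain are constructed assumptions, and the severity ranking goes slightly beyond the page by also treating rules that delete mail as hiding it.

```python
import json

# Constructed, simplified audit records (all values made up). The layout
# (Operation, UserId, Parameters as name/value pairs) is an assumption
# modelled on Exchange Online audit exports.
SAMPLE_EVENTS = json.loads("""[
 {"CreationTime": "2024-01-15T08:14:00", "Operation": "New-InboxRule",
  "UserId": "employee@example.com", "Parameters": [
    {"Name": "From", "Value": "colleague1@example.com;colleague2@example.com"},
    {"Name": "MoveToFolder", "Value": "Archive"}]},
 {"CreationTime": "2024-01-15T09:02:00", "Operation": "Set-InboxRule",
  "UserId": "other@example.com", "Parameters": [
    {"Name": "SubjectContainsWords", "Value": "newsletter"},
    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
 {"CreationTime": "2024-01-15T09:30:00", "Operation": "MailItemsAccessed",
  "UserId": "employee@example.com", "Parameters": []}
]""")

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}       # rule created or changed
HIDING_ACTIONS = {"MoveToFolder", "DeleteMessage"}  # mail leaves the inbox

def assess(event, internal_domain):
    """Return an alert dict for an inbox-rule change, or None for other events."""
    if event.get("Operation") not in RULE_OPS:
        return None
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    hides = sorted(HIDING_ACTIONS & params.keys())
    senders = [s.strip().lower() for s in params.get("From", "").split(";") if s.strip()]
    internal = [s for s in senders if s.endswith("@" + internal_domain)]
    # Every rule change is reported; hiding mail from named colleagues ranks highest.
    if hides and internal:
        severity = "high"
    elif hides:
        severity = "medium"
    else:
        severity = "info"
    return {"time": event["CreationTime"], "user": event["UserId"],
            "operation": event["Operation"], "severity": severity,
            "hidden_senders": internal, "actions": hides}

def alerts(events, internal_domain):
    """Assess every event and keep only the inbox-rule alerts."""
    return [a for a in (assess(e, internal_domain) for e in events) if a]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS, "example.com"):
        print(json.dumps(alert))
```

A rule that moves mail from named internal senders out of the inbox, as in the case above, is ranked `high`; other rule changes are still reported so the administrator sees every manipulation.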
Would you like to know more about how WeSafe can help you strengthen your security, both through long-term work and less complex efforts that make a big difference - such as using two-step authentication for your accounts? Get in touch with us and we'll tell you more!