There are a few practical – and costless – steps you can take to address a couple of security the issues which affected our clients recently: manager and supplier spoofing.
Manager spoofing
Manager spoofing is where an attacker pretends to be a senior manager in your business. An email purporting to be from the manager, or business owner, will be sent to someone in accounts, who has authority to make an online bank payment. These emails are straightforward, “Could you pay £1427.00 to Supplier Co., account number and sort code are XXX XXX. Needs to be done now”, and will appear to come from the manager, although the return email address will be the attacker’s. If this payment is made, a second request will be made the following day, usually for a higher sum.
Supplier spoofing
Supplier spoofing is a variation on the same theme but it is far easier for an attacker to execute. All they need to do is email, supposedly from one of your suppliers, with a change of bank details. This type of legitimate email is received regularly by most businesses, but few have checks in place to ensure their next payment doesn’t go to a fake account. We have even known clients to receive a telephone call from the attacker confirming the change of bank details.
There is no malware utilised in any of these attacks, so systems-based prevention is difficult. What’s needed are strong process controls. Staff should be informed of the threats and a policy document drawn up detailing the following:
Requests from managers to make payments to new bank accounts should not be made without face-to-face or telephone confirmation.
All changes to supplier bank details need to be confirmed via pre-existing channels.
Management sign-off required for new payees or changes to existing payees.
Initial payment to a new bank account should be capped and receipt confirmed.
Internal checking: ensure no one person is able to authorise, pay and review transactions.
You can now get these specific risks added to your insurance policy, without an increase in premiums, but only if you have the processes and procedures in place. So it’s a good idea to review procedures, write them down, distribute to staff, and make sure you add insurance cover for these risks next time you renew.
Let us know if you would like some help with this, we can give you a template.
