In a case that highlights how anybody — truly, anybody — can be a victim of invoice fraud, federal officials have reportedly charged two brothers in New York State for an alleged $19 million scam targeting Amazon.
The eCommerce conglomerate issued a press release late last week announcing its cooperation in the investigation and prosecution of the individuals charged by the United States Attorney's Office for the Southern District of New York. The allegations, outlined in a separate announcement by the District Attorney' Office, claim the brothers "manipulated" Amazon's vendor system to have the company pay for goods Amazon never actually purchased.
In a statement, Acting Manhattan U.. Attorney Audrey Strauss described the scam as "a new twist on an old trick" through the use of "complex technology."
In another statement, HSI Special Agent-in-Charge Peter C. Fitzhugh warned, "Invoice fraud is not a victimless crime. Millions of dollars in lost revenue negatively impacts a company's ability to provide cost-effective services to legitimate customers who use the vendor's platform."
This week's B2B Data Digest looks at the rising threat of the business email compromise (BEC) scam and invoice fraud on companies of all sizes in the U.S., Canada and the world over.
A 60 percent increase in ransomware payments signals continued B2B payment attacks, according to the latest data from Coveware. Reports in Security Boulevard said that the 60 percent spike occurred in just three months, with the average payout being $178,254 for Q2 2020, compared to $111,605 in Q1.
Analysts pointed to several high-profile ransomware cases that hit large enterprises, including Cannon and Garmin, as a contributor to the higher payout values. Yet with companies of all sizes working from home, ransomware attacks are also on the rise among smaller firms. A 41 percent increase in remote desktop protocol (RDP) sessions for professionals working remotely has created a broader landscape of vulnerabilities for attackers to target businesses, researchers said.
389 percent more BEC scams hit U.S. businesses between Q1 and Q2, per new Abnormal Security research revealed in its Quarterly BEC Report for Q2 2020. Analysis found that despite the surge, data suggests that COVID-19-themed BEC scams have already peaked. Yet for the attacks that remain, there has been an increase in those targeting employees within finance departments rather than C-level executives. Vendor fraud is fueling a 112 percent increase in payment and invoice fraud attacks, researchers noted, adding that Q2 data show a spike toward the end of June, with Abnormal finding an increase in payment and invoice fraud attacks related to the coronavirus for the first time during the quarter.
"The pandemic has ignited digital transformation efforts at a breakneck pace and cybercriminals are moving just as fast, taking advantage of a new work-from-home landscape amid great business uncertainty," stated Even Reiser, co-founder and CEO, Abnormal Security.
1,000+ companies around the world using Office 365 have been targeted by BEC scams, new research from Trend Micro has revealed, according to Gov Info Security. Reports said the fraudsters have stolen more than 800 sets of credentials in an attempt to commit B2B payment fraud via spear-phishing attacks.
The report said that the attack first began with cybercriminals infiltrating email accounts to facilitate their phishing attacks, with analysts finding that these fraudsters targeted high-level executives in finance departments in particular.
$14.8 million in BEC-related losses hit Canadian businesses in the first half of 2020, with a total of 951 spear-phishing reports, warns the Canadian Anti-Fraud Centre. BEC attacks are on the rise in Canada, analysts say, according to reports from IT World Canada.
Unsurprisingly, experts have pointed to the COVID-19 crisis as a key factor behind the rise in the scam, which involves fraudsters stealing company credentials, posing as legitimate vendors or submitting fraudulent invoices in an effort to infiltrate companies' accounts payable departments and reroute supplier payments into criminal bank accounts.
While credit card fraud volume may be higher, experts warned that BEC scams tend to result in higher payouts for fraudsters, and the coronavirus is making it even easier to siphon funds out of business bank accounts due to employees working remotely.
"Because of all the remote access, there's a lot less in the way of controls," said Payment Software Co. VP Tom Arnold in an interview with the publication. "It's quite a problem."