An organisation falls victim to cyber crime by paying a large sum of money after criminals infiltrate the Office 365 system.
We spoke with Merseyside Police about a common cyber-crime that resulted in one organisation paying out a huge amount to criminals without knowing they were monitoring every single email in a member of their finance team's Office 365 account.
- The organisation's finance team set out to pay a regular supplier.
- The finance team receive an email explaining that the supplier’s bank details have changed.
- Wisely, the finance team called the supplier to confirm whether the bank details had changed and the supplier mentioned that in fact they had not and the email was fraudulent.
- The finance team forward the fraudulent email to the supplier, unknowingly with a typo in the email, resulting in the supplier not receiving the email, but the hacker receiving it instead.
- Hacker responds posing as the supplier mentioning that all is good to make the payment to the changed details.
- The finance team therefore makes payment of a substantial amount.
- Supplier gets in touch a few weeks later asking where the money is.
- A hacker had gained access to the organisation’s Office 365 admin account - usually due to fake Office 365 emails asking to login, where credentials are then harvested and sent to the attacker.
- Hacker then sets up hidden rules on the email account, so everything that the user sends and receives, the hacker receives a copy.
- Hacker gains the ability to spoof emails, so when the financial team send an email asking for confirmation, the hacker can reply with an email that looks as if it was from the legitimate supplier account.
- Therefore, the hacker responds to the email questioning the change in bank details with assurance that this was all correct.
Cyber insurance allowed the organisation to be reimbursed the full amount however, a new situation emerged…
- Secondary Situation..
- The same person who was responsible for supplier payments was also insurance claims
- The insurance company received an email from the person, letting them know that the organisation had changed their bank account details and that the funds should be transferred there instead.
- The insurance company found this suspicious and called the organisation to discover it was yet another fraud attempt.
- This alerted the organisation that it was a certain person in finance whose account was compromised. They were therefore able to remove the hidden rules and re-secure the compromised account.
- Further actions to take to prevent this sort of attack would be….
- Utilise multi factor authentication (MFA) to prevent unauthorised access. MFA only grants access after the user presents two or more pieces of evidence. For example, a piece of knowledge (something the user knows, such as a password), a possession (something only the user has, such as a one-time passcode) and something the user is, such as a fingerprint.
- Staff training to empower staff to spot fraud attempts and phishing emails
What happened to the stolen money?
The money was quickly transferred into an account in the North West and promptly then transferred offshore, all within a few days. The victims of this type of crime can take several weeks before they realise – and by that time, the money is long gone.
Account holders such as this are known as “Money Mules”. These Money Mules are paid to turn a blind eye while the criminal transfer money into the account and then back out again, this is money laundering. Money laundering throughout the UK’s financial system is now estimated to be in excess of £90 billion a year.
Social media plays a key part in recruiting people to become Money Mules, however the punishment once found by law enforcement can be severe, including long prison sentences of up to 14 years and the inability to open a UK bank account in the future.