Cyber fraudsters are registering domains that appear to belong to UK universities so they can defraud supply companies, according to Action Fraud, the UK cyber crime reporting centre.
These domains are used to contact suppliers and order high-value goods such as IT equipment and pharmaceutical chemicals in the university’s name.
Suppliers receive an email claiming to be from a university, requesting a quotation for goods on extended payment terms. Once the quotation has been provided, a purchase order is emailed to the supplier that is similar to a real university purchase order.
The purchase order typically instructs delivery to an address, which may or may not be affiliated with the university.
The items are then received by the criminals, but no payment is ever received by the supplier, with fraudsters impersonating one particular UK university estimated to have netted around £350,000 worth of goods in this way.
Pauline Smith, director of Action Fraud, said this type of fraud can have a serious impact on businesses, which is why it is so important to carry out all the necessary checks, such as verifying the order and checking any documents for poor spelling and grammar.
“We know that there is a lack of reporting by affected companies and without this vital intelligence, a true picture of this type of fraud cannot be reflected,” she said, urging any company that has been targeted in this way to report it to Action Fraud.
Official statistics show that cyber crime is on the rise in the UK, but the size of the problem in the business world is really unknown because not all victim organisations are reporting incidents. For this reason, UK law enforcement is encouraging all businesses to report cyber crime as soon as possible, regardless of the size of the organisation.
To combat this type of fraud, commonly known as European distribution fraud, Action Fraud is advising suppliers to verify and corroborate all order requests from new customers using telephone numbers or email addresses found on the organisation’s website, not the details provided by email.
If the order request is from a new contact at an organisation that is an existing customer, Action Fraud advises that suppliers verify the request through an established contact.
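The Action Fraud advice above is a process control: an order from an unfamiliar sender is verified through contact details taken from the organisation's own website, never from the email. A supplier's order-intake system can at least decide automatically which orders need that manual step. The following is an added example, not code from the article or from Action Fraud, that triages a sender address against a constructed allow-list of known customer domains (exampleuni.ac.uk and northshire.ac.uk are placeholders, not real institutions) and flags exact matches, lookalikes of known customers, senders claiming to be a university but not on .ac.uk, and unknown new customers.

```python
"""Triage purchase-order sender addresses for out-of-band verification.

Added example for this article; the allow-list and every address below are
constructed placeholders. A 'known' verdict still only means the domain is on
the list, not that the mailbox was not spoofed, so the phone check against the
customer's published number remains the actual control.
"""
import difflib
import re

# Constructed allow-list of official domains for existing customers.
KNOWN_CUSTOMER_DOMAINS = {
    "exampleuni.ac.uk",
    "northshire.ac.uk",
}

# UK universities sit under .ac.uk; a sender describing itself as a
# university on any other suffix warrants a closer look.
UK_ACADEMIC_SUFFIX = ".ac.uk"

# Public suffixes that take two labels, so the organisation label is the third.
MULTI_LABEL_SUFFIXES = ("ac.uk", "co.uk", "org.uk", "gov.uk")

# Minimum similarity between organisation labels to call a domain a lookalike.
LOOKALIKE_THRESHOLD = 0.8


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of an email address, or '' if malformed."""
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})", address.strip())
    return m.group(1).lower() if m else ""


def org_label(domain: str) -> str:
    """Extract the organisation label used for similarity comparison.

    'exampleuni.ac.uk' -> 'exampleuni', 'exampleuni-procurement.com' ->
    'exampleuni-procurement'.
    """
    parts = domain.split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in MULTI_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def assess_sender(address: str) -> dict:
    """Classify a sender address as known, lookalike, suspicious, unknown or reject."""
    domain = sender_domain(address)
    result = {"domain": domain, "verdict": "", "reason": "", "closest_known": None}
    if not domain:
        result.update(verdict="reject", reason="malformed sender address")
        return result
    if domain in KNOWN_CUSTOMER_DOMAINS:
        result.update(verdict="known", reason="exact match to customer allow-list")
        return result

    # Compare the organisation label against each known customer's label and
    # remember the closest one, so the reviewer knows whom to phone.
    lbl = org_label(domain)
    best, best_ratio = None, 0.0
    for known in KNOWN_CUSTOMER_DOMAINS:
        ratio = difflib.SequenceMatcher(None, lbl, org_label(known)).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    result["closest_known"] = best

    # A known customer's label embedded in a longer label (e.g. with a
    # '-procurement' suffix) is treated as a lookalike as well as near-misses.
    embeds_known = any(org_label(k) in lbl for k in KNOWN_CUSTOMER_DOMAINS)
    if best_ratio >= LOOKALIKE_THRESHOLD or embeds_known:
        result.update(
            verdict="lookalike",
            reason=f"resembles {best} (similarity {best_ratio:.2f}); "
                   "verify via contact details on that customer's own website",
        )
    elif "univ" in domain and not domain.endswith(UK_ACADEMIC_SUFFIX):
        result.update(verdict="suspicious",
                      reason="presents as a university but is not under .ac.uk")
    else:
        result.update(verdict="unknown",
                      reason="new customer; verify the order out of band before quoting")
    return result


if __name__ == "__main__":
    # Constructed sample senders, one per verdict.
    for addr in ("procurement@exampleuni.ac.uk",
                 "orders@exampleuni-procurement.com",
                 "finance@examp1euni.ac.uk",
                 "sales@university-of-somewhere.com",
                 "buyer@newcompany.com",
                 "not-an-email"):
        r = assess_sender(addr)
        print(f"{addr:40} {r['verdict']:10} {r['reason']}")
```

Only the exact-match case skips escalation; everything else is routed to a person who verifies through an independently sourced telephone number, which is the step the article's guidance actually relies on. The similarity threshold and the `univ` keyword are tuning choices for this example rather than anything the article prescribes.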
According to Andy Norton, director of threat intelligence at security firm Lastline, this type of cyber criminal activity is similar to business email compromise (BEC) attacks, except that impersonation, not compromise, has taken place.
In BEC attacks, fraudsters typically gain access to a corporate email account and spoof the owner’s identity to defraud the company or its employees, customers or partners of money. The FBI recently warned that global losses related to BEC scams have risen by 136% since December 2016 and global losses in the past five years are estimated at more than $12.5bn.
In this variation of BEC attacks, Norton said the best defence is to have robust policies and procedures that ensure a second pair of eyes validates business transactions and the shipment of goods, services or payment.
Spoofing sites big business
Kevin Bocek, chief cyber security strategist at Venafi, said spoofing sites is now big business, with more than 14,000 certificates used to set up phishing sites spoofing PayPal alone in 2017.
“This shows the power of the padlock for cyber criminals, allowing them to appear trusted so that they can trick unsuspecting businesses out of huge sums and damage brand reputations across the internet,” he said.
According to Bocek, these attacks are part of a much larger problem that jeopardises the system of trust used throughout the internet and shows why a new system of trust built on reputation is needed.
“The padlocks [based on legitimate security certificates] are supposed to signify a trusted machine identity – a digital certificate that means a website is genuine.
“But now cyber criminals can obtain certificates allowing them to look authentic for virtually nothing,” he said. “This is a high-risk, high-impact threat that security teams cannot ignore anymore.”