In the shoes of a fraudster
The number of cases of invoice and CEO fraud is growing rapidly. The wide range of companies affected – from local player to multinational – teaches us that every company appears on the fraudster’s radar. Understanding how fraudsters operate helps organizations to prevent and combat malpractices. Our Chief Information Security Officer Stijn Meeuws takes the opportunity to put himself in the shoes of a fraudster.
A fraudster is in a luxury position nowadays. The infinite number of potential targets, the countless vulnerabilities and the multitude of possible approach methods ensure that they can go in any direction they want. One of the first choices the fraudster makes is between a targeted approach and a more diffuse one. Stijn Meeuws explains: “In the first case, the fraudster bets on a limited number of horses with a larger profit per victim. With a more diffuse tactic, also known as ‘spray and pray’ in the technical jargon, they are aiming for large volumes with usually smaller amounts. The success rate does not have to be too high in order to collect a nice ‘income’.”
Going solo or with partners in crime
A second important dilemma for fraudsters is whether to operate alone or to join a criminal organization. A clandestine company often has greater clout and a wider range of instruments at its disposal to fool businesses. Nevertheless, individual fraudsters still often make a killing from their attic room, even though, after a while, they will often be surrounded by people and grow into a real ‘company manager’.
Marketplace for data leaks
At least as lucrative is a role as a scout, whereby you locate vulnerabilities by scanning company servers continuously. You then sell the location of those pain points to other fraudsters on an illegal marketplace. Stijn points out that a few months ago, many hackers took advantage of the security hole in Microsoft Exchange to penetrate the mail servers of organizations. “Thanks to that external service, a criminal no longer has to carry out the entire fraud work from A to Z. This gives them the opportunity to focus on their ‘areas of specialization’,” Stijn adds.
Invoice fraud: various degrees
A fraudster can cash in on a security hole in various ways. A security hole in the mail server might make it possible to send an email from the supplier’s email address. The fraudster then formally notifies the customer of the changed account number. They then only need to change the account number on a legitimate invoice to achieve success.
It’s even better for the fraudster when they notice that supplier X sends an invoice to customer Y on a fixed date. This enables them to adjust the timing of their actions accordingly, which often completely eliminates the suspicion of the customer.
CEO fraud: authority opens doors
But according to Stijn, the fraudster may not even have to look that far. “They can just as easily achieve success by sending a simple payment order on behalf of a high-ranking person, such as the CEO or CFO. The compelling nature of the message and the sense of authority emanating from the sender may well make the employee go ahead and make a payment.” Nice touch for the criminal: victims rarely want to disclose their unpleasant experiences with CEO fraud out of a sense of shame.
De Tijd (a Belgian newspaper that focuses on business and economics) recently reported that sensitive company and government services are still failing to protect their servers against the very dangerous vulnerability in Microsoft Exchange Server. This was revealed by an analysis of over 1,600 vulnerable servers in our country. “Valuable passwords of ‘administrators’ are sold to criminals. Those who do not implement the latest ‘patches’ to protect their servers are playing with fire,” the newspaper wrote on September 4. Katrien Eggers, spokeswoman for the Centre for Cybersecurity Belgium (CCB), considers laxity a possible cause, but also points out that an update is not always easy for an organization. “They choose to do this once a month, or twice a year. Often this has to be done outside of working hours, because the systems are unavailable for several hours when such a patch is installed.”