Security Risks: Banking Fraud

Security News | Clever Fraud reported by Customer

This morning, I received a phone call from a client of ours who narrowly escaped fraudulent activity. This particular case was interesting as it seems relatively new, so I wanted to share the information with everyone so they can be extra vigilant.

Summary of Case

One of our website customers has been working on a project for a client of theirs and the time had come to invoice for their work. A week ago, our customer emailed an invoice to their client, much in the same way they would normally. Shortly after the invoice was sent, the end user client received a follow-up email requesting that new bank details be used to settle the invoice, as the supplier had supposedly changed banks. This e-mail was sent as if it came from our customer, using identical formatting, header and signature. Our customer has a domain name with the word london in it. Someone had sent the email from a near-identical domain with llondon.com in it. The e-mail looked identical other than this minor mis-spelling of london. It’s clear that the original e-mail containing the genuine invoice had been read by a third party, who then bought a domain name which looks the same but is slightly mis-spelt.

The end user client fell for this as it looked genuine. They knew they had to pay this amount and they had an email from someone they knew (or thought they knew) to request new bank information be used.

The Transaction

At this stage, the end user proceeded to log into their bank account to alter the bank details on file for their regular supplier. They then attempted a large payment to the new destination bank account but, luckily, the transaction was stopped by the bank due to a routine fraud check. It is unclear why the bank intervened and queried the transaction, but it’s lucky they did. Once the end user questioned this with our customer, it came to light that no such email had been sent at all and the request to change bank details was invalid.

Watch out for Fraud

Fraudsters are getting much more devious and you need to stay alert. A would-be fraudster’s success rate is much higher when they intervene in a live communication like this: there is a small window of opportunity, and sending their e-mail requesting a bank change at the right moment increased their chances of success. Always check and verify bank change requests manually, as the bank probably won’t cover you if you make a payment to a fraudster!

Top Tips

  • Keep your anti-virus and firewall up to date on all systems
  • Use complex passwords and change them frequently
  • Consider using an encrypted password manager like 1Password.com
  • Always verify financial transactions manually (don’t respond by e-mail, pick up the phone!)
  • If technically aware, check the message headers of incoming mail to spot inconsistencies
  • Never click on links in emails you are unsure of and instead go to the bank website via normal methods
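The case above turned on a sender domain that differed from the real supplier’s by one extra letter, and the tip about checking message headers is where such a mismatch shows up. The script below is an added example, not code from the original post: it parses the From and Reply-To headers of a message, compares the sender domain against an allowlist of verified supplier domains, and flags domains that are within a couple of edits of a known one as lookalikes. The supplier domain `webdesign-london.com`, the sample message and the edit-distance threshold are all constructed for illustration.

```python
"""Flag invoice e-mails whose sender domain merely resembles a known supplier's.

Added example, not code from the original post. The supplier domain, the
sample message and the edit-distance threshold are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: domains we have verified (out of band) belong to real suppliers.
KNOWN_SUPPLIER_DOMAINS = {"webdesign-london.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def classify_domain(domain: str, known=KNOWN_SUPPLIER_DOMAINS, max_distance: int = 2) -> str:
    """'known' for an allowlisted domain, 'lookalike' if it is within
    max_distance edits of one, otherwise 'unknown'."""
    if domain in known:
        return "known"
    for good in known:
        if levenshtein(domain, good) <= max_distance:
            return "lookalike"
    return "unknown"


def check_message(raw: str) -> dict:
    """Examine From and Reply-To of a raw RFC 822 message and return a verdict
    together with the reasons behind it."""
    msg = message_from_string(raw)
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))
    reasons = []
    verdict = classify_domain(from_dom)
    if verdict == "lookalike":
        reasons.append(f"From domain {from_dom!r} resembles a known supplier domain")
    elif verdict == "unknown":
        reasons.append(f"From domain {from_dom!r} is not a known supplier")
    # A Reply-To pointing elsewhere is not fraud by itself, but it is worth a
    # phone call when the message also asks for a change of bank details.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom!r} differs from From domain")
    return {"from_domain": from_dom, "verdict": verdict, "reasons": reasons}


# Constructed sample: a follow-up "we changed banks" message from a lookalike domain.
SAMPLE_FOLLOW_UP = """\
From: Accounts <accounts@webdesign-llondon.com>
To: client@example.net
Subject: Re: Invoice 1043 - updated bank details
Reply-To: accounts@webdesign-llondon.com

Hi, we have changed banks. Please settle invoice 1043 to the new account below.
"""

if __name__ == "__main__":
    result = check_message(SAMPLE_FOLLOW_UP)
    print(result["verdict"], result["reasons"])
```

A check like this only catches domains that differ from a verified supplier by a few characters; it says nothing about a compromised genuine mailbox, which is why the manual phone verification in the tips above still applies whatever the script reports.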

Be Unique

For really important accounts like online banking or email, make sure that you never use the same password, or even a variation of that original password more than once. That way, if the password is compromised, the damage is restricted.

Change your password

If you’ve been using the same passwords for years, it’s definitely time to update them.

Cheat!

You could use a password manager to manage all your passwords. This is a piece of software that creates random, hard-to-guess passwords for each site you visit – meaning you only need to remember one single master password to access them all. We recommend 1Password.com.

Don’t use your dog’s name

Social networking means more of our lives than ever are public knowledge – it’s always worth asking yourself ‘could anyone else know the answer?’ If it is on Facebook or Twitter, the answer is yes.

Lock down your PC

Update your antivirus software regularly and don’t respond to unsolicited emails, text messages or calls that ask you for your security details – it could be a criminal trying to get hold of your passwords.

Mix it up

Use a mixture of lower and upper case letters, numbers and symbols. This vastly increases the difficulty of guessing or cracking your password.

Be creative

Avoid names, birthdays or common words. Think of something personal to you that few people will know.

Use an acronym

A good way to create a long, easy-to-remember password is to string together the first letters of a song lyric, phrase, or, even better, a sentence known only to you. For example, ‘The Grand Old Duke of York, he had ten thousand men’ could give a password of ‘TGODoYhh10000m!’, or ‘I always read the Telegraph every day’ could be ‘IartTed’.

If people were to rekindle their memory skills and create a password made up of just 11 characters (the same number of digits as a phone number), using upper and lower case letters, numbers and symbols, it would take 7,000 years to crack.

Use memory tricks to train yourself

Memory genius Dominic O’Brien trains himself every day to remember long sequences of numbers. He can remember anything from a random sequence of 54 packs of playing cards to a 2,400-digit number. You can also use tricks such as picturing an image in your head to make sure your password is securely memorised. So if your password was, say, 1abt, you could remember it with a picture of One apple and a Box of Tulips.

Tell no one

Don’t tell anyone your passwords and, if you use telephone banking, make sure you can’t be overheard.