Another Canadian company has fallen for an email invoice scam.
Waterloo Brewing, an Ontario maker of beers, said it recently fell victim to a “social engineering cyberattack by a sophisticated third party” that resulted in the wire transfer of $2.1 million earlier this month.
Details were sketchy, but the company said in a news release Nov. 21 that someone pretended to be the employee of a brewery creditor and requested the money transfer.
Often called a business email compromise scam, these incidents usually involve a criminal telling a person in the finance department that their company has changed banks or bank accounts and funds should now be sent to the new account.
The brewery has tried and failed to recover the money. It has notified Waterloo Region Police, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and the United States’ Financial Crimes Enforcement Network (FinCEN).
Private sector firms, municipalities and churches have been among the victims of this type of scam, which relies on people who receive these email requests trusting they came from a real person. Sometimes the attacker impersonates a senior executive of the victim’s own firm.
Usually, the attacker spoofs the trusted person’s email to enhance credibility or hacks an official’s email so the sender’s address is legitimate.
There are several strategies organizations can use to fight this kind of scam. First, staff handling money have to be trained to be suspicious of email requests to change bank accounts and to verify them independently. That means not calling a telephone number given in the email to confirm the change, because that likely means calling the attacker. Internal email messages should be colour-coded to distinguish them from those coming from outside the enterprise. That will highlight a message from a purported company official if it is being spoofed from an outside email address.
“It’s all about social engineering,” said Dinah Davis, vice-president of Arctic Wolf Networks, a California-based SOC-as-a-service firm with a large development team in Waterloo. As a result, employee awareness training is vital, she said. Part of that is emphasizing the need for independent verification of requests for bank account changes or large transfers of funds.
She also said it’s easy for email admins to either colour-code external messages or flag them with an “External” tag automatically added to the subject line.
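The external-tagging control described above, as an added illustration that is not from the article or from Arctic Wolf: a small gateway-style filter that prefixes the subject of mail from outside the company's own domain, adds headers a mail client can colour-code on, and separately flags the case where an outside address borrows an insider's display name. The domain, the staff directory and the sample message are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed values (not from the article): the company's own mail domain
# and a directory mapping staff display names to their real addresses.
INTERNAL_DOMAINS = {"brewery.example"}
INTERNAL_DIRECTORY = {"jane doe": "jane.doe@brewery.example"}
TAG = "[External]"

def sender_address(msg: EmailMessage) -> tuple:
    """Return the (display name, address) of the From header, lower-cased."""
    name, addr = parseaddr(msg.get("From", ""))
    return name.strip().lower(), addr.strip().lower()

def is_external(addr: str) -> bool:
    """True unless the address sits in one of the company's own domains."""
    return addr.rpartition("@")[2] not in INTERNAL_DOMAINS

def impersonates_insider(name: str, addr: str) -> bool:
    """Display name matches a staff member but the address is not theirs:
    the 'purported company official' case the article describes."""
    real = INTERNAL_DIRECTORY.get(name)
    return real is not None and addr != real

def tag_message(raw: bytes) -> EmailMessage:
    """Prefix the Subject of external mail with the tag (only once, so replies
    do not pile up tags) and add headers a client rule can colour-code on.
    Internal mail is returned untouched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = sender_address(msg)
    if not is_external(addr):
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".strip()
    if "X-External-Sender" not in msg:
        msg["X-External-Sender"] = "yes"
    if impersonates_insider(name, addr) and "X-Impersonation-Warning" not in msg:
        msg["X-Impersonation-Warning"] = f"display name '{name}' belongs to staff"
    return msg

# Constructed sample: an outside mailbox using an insider's display name.
SAMPLE = b"""From: Jane Doe <jane.doe@freemail.example>
To: accounts@brewery.example
Subject: Updated banking details for invoice 4471
Content-Type: text/plain

Please send this month's payment to our new account.
"""
```

Feeding the tagged output back through the filter leaves the subject and the added headers unchanged, so the same rule can sit on every hop without stacking tags.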