West Midlands businesses are being alerted to watch out for online-criminals who are targeting unsuspecting workers with scam emails containing fake invoices.
In the latest wave of cyber-crime, fraudsters are sending out fake invoices which often appear plausible but, when opened, infect computers with dangerous malicious software, known as “malware” giving them access to the information stored on it.
Self-employed, freelance and contract workers are particularly vulnerable because they may receive invoices regularly from a number of sources and could unwittingly open an invoice attachment before realising that it is fake.
West Midlands Police and Crime Commissioner, David Jamieson, who has made the promotion of economic development a priority in his annual Police and Crime Plan, says businesses need to become more involved with crime prevention organisations to help beat cyber-crime.
David Jamieson said: “Crime is not falling but changing in our region and online security is an increasing problem for all businesses which is why we all need to tackle this issue head on.
“The West Midlands Regional Cyber Crime Unit (RCCU) not only works with local businesses who have become on-line victims of crime but also shares best practice to reduce the chances of other businesses becoming vulnerable to similar cons. To further underpin the drive to tackle cyber-crime, the RCCU is shortly to appoint a Regional Cyber Crime Protect & Prevent Officer who will provide the latest help and advice to our business community.”
One of the latest scams to come to the attention of the RCCU is a spate of ‘spear phishing’ where a criminal will try to target specific people or departments in an organisation, often within the finance and accounts team.
It may start with a simple email or phone call to glean information and can sometimes even come from the company itself which has unwittingly released useful information on the internet or in the media.
Once the criminal has some idea of the type of business being conducted or the sort of customers it regularly deals with, they will try to impersonate a genuine company with fake invoices or requests to change bank accounts.
Often emails contain infected ‘invoice’ attachments. The scam usually involves an email with an attachment along the lines of “Please find attached our invoice for payment following the recent work we did for you. Payment within 30 days please”, or even just a blank email with an attachment called ‘Invoice ABC123’. The receiver will probably be confused and may not recognise the sender, so will open the attached ‘Invoice’ to try and see the detail.
Unfortunately this allows a small malicious programme to run and the computer is then compromised, allowing the criminal to steal banking details or alter transactions to misdirect funds.
David Price, Managing Director of Birmingham-based marketing consultancy, Metropolis2, admitted: “It is getting harder all the time to spot the fake emails. It is easy to detect the scams when they claim to come from a bank you don’t even have an account with, but it is harder to spot dodgy communications when they purport to be from a company that you have dealings with.
“On one occasion, I had just purchased a web domain name for a client and I received an email and “invoice attachment” which on the face of it looked like it had come from the domain company I had been dealing with. I was just about to open it when I discovered that the same communication had been sent to several colleagues quoting the same invoice number, which rang alarm bells. Ten minutes later the real invoice arrived but it was a very close miss and it was lucky that I spotted the scam email before I opened the attachment.
“Cyber criminals are becoming increasingly cunning. My staff know not to open zip files which traditionally have been used to carry malware but now scam attachments can include word and excel documents so it is a constant struggle trying to stay ahead of the scammers.”
David Jamieson continued: “There are important steps that companies can take to protect themselves. For example, the Cyber-Security Information Sharing Partnership is a joint industry government initiative designed to share best practice and advice on the latest threats and vulnerabilities.
“I would urge companies in the West Midlands to become involved in the regional forum which can be reached by emailing RCCU@west-midlands.pnn.police.uk . By all working together we can help to significantly reduce cyber-crime in our business community.”Back to News Archive