Monday 20 May 2019

How email scammers are siphoning millions away from Irish firms

Email redirection fraud is a serious problem in Ireland, hitting high-profile victims. Adrian Weckler looks at the factors behind the racket that police say now involves 'hundreds' of students


Adrian Weckler technology editor

What have Trinity College, Dublin Zoo, and the Louth and Meath Education and Training Board got in common? Sadly, they've all been conned out of large amounts of money by clever forms of email fraud.

Dublin's oldest university was stung for almost €800,000 in 2017, when a scammer got hold of the email account owned by an employee of the college's fundraising division. The crook transferred the money to another account. While Trinity recovered €218,000 of the money, it also spent €184,000 on investigating the cyber fraud.

That same year, Dublin Zoo was hit for almost €500,000 when fraudsters posed as one of the zoo's suppliers, claiming that their banking details had changed. When the zoo then paid subsequent invoices it received from the actual supplier, the scammers got the cash. While neither the zoo nor Gardai have officially commented on the money's whereabouts, it's understood that most of the cash was retrieved.

A similar scam cost the Louth and Meath Education and Training Board, which oversees the education of 35,000 students and 16 secondary schools, almost €250,000.

Meanwhile, Ryanair got tricked in 2015 when over €4.5m was diverted from an account meant to pay fuel bills.

This kind of fraud is called different names, including 'invoice redirection fraud', 'invoice fraud' or 'business email compromise fraud'. It's related closely to 'CEO fraud'.

Trinity College Dublin fell prey to email fraud

The basics are that someone poses as a known supplier or executive inside or outside the company. They use an email address or domain to dupe a company's financial officers into transferring sums of money to bogus accounts they've set up. They carry this off often by posing as a supplier that has 'changed' its bank account details.

It's not just Irish organisations that are getting hit.

Even sophisticated tech giants get caught by fraud. Facebook and Google between them saw close to $100m (€89m) drained away in 2015 using a series of forged invoices, contracts and letters that appeared to have been executed and signed by executives at the multinational firms. Last month, a Lithuanian man pleaded guilty in a US court to the fraud.

One of the fundamental problems of email, invoice and CEO fraud is that the internet makes it incredibly easy to fake an email, a web domain, a text number or even a phone number.

This ranges from so-called 'prank' services such as Spoofbox, Deadfake and Anonymailer to much more sophisticated bespoke systems. Anyone with even a cursory knowledge of programming can also get in on the act with a few simple lines of code. In about 10 minutes, it's possible to send someone an email purporting to show the email address of almost anyone - private or public - you choose.

Systems try to deal with this by using protocols such as DMarc, which gives a recipient's mail system an idea of a sender's trustworthiness. But only a minority of web domains use this, leading to problems with standardisation.

"DMarc is a good indicator of hygiene," says Brian Honan, founder of cybersecurity specialist firm BH Consulting.

"But just because you have it doesn't mean that people can't spoof you. It just means extra locks on your door."

Precise figures as to the exact scale of invoice-redirection fraud (and related scams like CEO fraud) in Ireland aren't publicly available. But one of the country's top investigating detectives says that it's a "rising problem" here.

"It's very difficult or know how many there are on a weekly basis," says Detective Chief Superintendent Patrick Lordan of the Financial Intelligence Unit. "Some weeks we come across one or two, some weeks it's more or less. Some are investigated locally, while the bigger ones are where the money goes out internationally. But there has been a substantial rise in prosecutions for money laundering in Ireland. We have a lot of cases underway. People are being charged."

A recent survey by Behaviours and Attitudes polling company, using Central Statistics Office data, found that 21pc of Irish SMEs were targeted for invoice redirection fraud in 2018, with about a third targeted for financial fraud generally.

Of these, the survey found that one in 18 of the attempts were successful.

Overall, a total of 4,257 Irish companies found themselves hit by some sort of IT-based scam in 2018, with email phishing (72pc) still the most common form of attack. 'Vishing', which is similar to phishing except using a phone, was experienced by 26pc of victims with just over a fifth seeing an invoice redirection scam get to them.

One big problem that Irish companies have is that more than a third don't look to confirm the veracity of claimed new bank details from a supplier. And only one in four say they have invested in fraud detection software.

But if and when you do notice that your firm has been affected, time is of the essence to get your money back, says Lordan. "If you leave it more than two or three days, it's gone," he says. "We sometimes find this being done on a Friday evening, when everyone's then gone for the weekend."

Lordan says that firms' first instinct - to see whether it's an inside job - is usually wrong and ends up wasting time.

"What a lot of companies do when they find out that they've lost, say, €100,000 to this type of scam is they assume that someone internally must have set it up," he says. "So they spend a lot of time looking at internal controls, but that's often just wasted time."

Meanwhile, the latest Central Statistics Office figures show that fraud (in general) rose by almost a fifth in 2018. That means an extra 1,000 crimes recorded compared to 2017, even though this classification takes in a wider variety of offences than simply email, invoice or CEO fraud.

This kind of fraud spawns a very different class of criminal behaviour to what we normally think of as email scams

Forget about misspelled emails claiming to be from African princes. These scams are sophisticated, tone-perfect and personalised.

"They can copy an executive's tone of voice," says Niamh Davenport, head of fraud prevention at the Banking and Payments Federation Ireland.

"If your CEO writes in a certain way, they would copy that. They may have hacked into the CEO's email a couple of months back and then analysed how he or she writes or communicates.

"So that when they see their chance, they go in and sound more realistic."

In this way, the modern email fraudster is far removed from the kind of phishing attempts that are laughed at by office workers.

"These are not the Nigerian 419 scammers we would have been aware of before," says Conor Flynn, managing director of the security specialist firm Isas.

"What you're up against now is highly capable, motivated people who see the opportunity to commit a crime. These are people who are patient, whose first language is English, who have business acumen. They gradually get involved in business discussions in their victims' networks."

So what happens when a scammer siphons off a company's money into a separate account? How do they actually draw the cash down?

In Ireland, that's increasingly done using college students. "What happens is that someone approaches a student and says 'a friend of mine wants to invest here in Ireland, but it's taking a while to get past the red tape, so I'll pay you €500 to use your account'," says Detective Chief Superintendent Pat Lordan.

"There are several hundred student accounts in Ireland being used for this type of activity. That's because the easiest way to get money out of an account, as well as slowing down an investigative trail, is to wire transfer it to 50 different accounts. It's like a spider's web. And then they'll have people go and collect the cash using the students."

The students, Lordan says, are presumed to know that they're involved in something fishy. "We've seen one student do it two or three times, so they know what they're doing," he says.

"And they are now getting into trouble for it. Some have been charged and more will be charged. Custodial sentences are now in the frame. Because without a money mule, this fraud often doesn't work. It's like drug trafficking."

As to who is responsible for such scams and where the money goes, Lordan says it varies.

"Three weeks ago, we saw a company hit for €150,000," he says. "The money ended up in Belgium. Through contacts we had, we found out reasonably quickly and within 48 hours we had frozen some of that money."

Holland is another place that money has been transferred, while Asia is proving a popular destination now too.

"We've had a lot of success getting money back from Hong Kong," he says.

"It often depends by country as to what agencies have the power to freeze suspected money laundering funds. In some countries it's the police, in other countries it's other agencies.

"In Ireland we're lucky because the financial intelligence unit here is a police body so we can move quickly."

In an age of artificial intelligence, machine learning and biometrics, new technology can sort this problem out, right? It seems not. While some machine-learning techniques are being deployed, the extent of human issues at the core of what's going on makes finding a technological solution difficult.

That hasn't stopped some companies trying. "We apply sophisticated analytical techniques to vast amounts of payments data to build models which identify suspicious activity," says Vocalink Analytics, a division of Mastercard. "Every time a business pays an invoice, a behavioural signature is left behind. By analysing these signatures, and the signatures of historical frauds, we are able to identify and flag suspected incidents of fraud."

NatWest recently claimed to have saved its customers €9m through machine learning using Vocalink's technology. The Royal Bank Of Scotland is also using Vocalink's services.

The banks, which often have most to lose, are to the fore in deploying such systems.

Artificial intelligence is also being looked at as a possible aid.

Europe's biggest bank, HSBC, has said that it aims to integrate artificial intelligence software supplied by a UK startup called Quantexa. This would screen customer transactions and other data, as well as some publicly available data, to search for tell-tale signs of fraud.

Some of the data scanned by Quantexa's software includes news reports, company directors and phone numbers.

But quick solutions may be a pipe dream.

"Any bank hoping for a black box in the corner that will sniff out the launderers will be disappointed," said Rob Gruppetta, head of the UK Financial Conduit Authority's financial crime department in a recent speech.

"But the technology has the capability to better achieve what we all want, which is keeping finance clean."
