The ever-evolving thefts that businesses face in the cyber landscape are increasingly taking the form of “social engineering” and “invoice manipulation.” A recent string of such attacks has hit equipment and event rental businesses, and those in the industry are encouraged to be on their guard.
“There are two different forms that I’m seeing — social engineering and invoice manipulation,” says Alastair Jones, owner of J.A. Jones Insurance, Austin, Texas, and an ARA Insurance preferred agent. “This has happened to five of my insured customers since Thanksgiving. It seems that right now, the only ARA [American Rental Association] members that are getting hit are in Texas, but it’s going to travel. Especially since the thieves have had success in getting money.”
The Cybersecurity and Infrastructure Security Agency (CISA) describes a social engineering attacker as someone who seems respectable and may claim to be, for example, a new employee or repair person, even offering credentials to support that identity. By asking questions, however, he or she may be able to piece together enough information to infiltrate an organization’s network.
This is the kind of infiltration that happened to at least one of Jones’ rental business clients.
“Someone broke into an event rental company’s email and sent a message to a large tent customer of theirs, saying, ‘We’ve changed our banking information. Can you send the money for the invoice that you owe us to this new account?’ And the customer did. $350,000 went to a nefarious bank account. So, the customer still technically owes the rental store the money. The rental store now has to rely on their customer to either pay again or have the insurance coverage that will pay for this,” Jones says.
Lawinsider.com explains invoice manipulation as the distribution of any fraudulent invoice or fraudulent payment instruction to a third party as a direct result of a security or data breach.
This type of manipulation also has been seen in rental businesses, according to Jones.
“An example of this would be if someone broke into the network of a product supplier to a rental store,” he says. “A rental company who ordered product from that supplier might receive an email from them saying, ‘Congratulations on purchasing these two new machines. Here is how you pay your invoice.’ Everything in the email is exactly like what the supplier would typically send out. So, the rental store pays the invoice, and it goes to the bad guy’s account. Then, the supplier calls up the rental store a few weeks later saying, ‘We never got your money. You still owe us $100,000.’ This is a massive problem for our insured customers because, in this scenario, they could be out $100,000 and the supplier can only say, ‘I’m sorry, but you still owe us the money.’ And the rental store’s bank can’t help because the money has gone out. So, it’s painful to our customers — a $100,000 pain.”
For cybersecurity recommendations or to access articles with tips to avoid social engineering, visit cisa.gov.