Edition 1.0.0
Updated October 9, 2023

Invoice scams have become a common attack because, from an attacker's point of view, they are low effort and high reward. We explained how these attacks work in Disable Automatic Forwarding. As you know by now, security is about the multiple steps you can take to protect yourself, rather than "this one weird trick that fools all hackers." Those don't exist.
Taking technology out of the equation, one step you can add to an existing payment process is to verify every new-contact or change request. This means:
When a new contact that needs to be paid is onboarded, you call them or speak to them in person to confirm where payments should be made.
When an existing contact needs to change where they are paid to, you call them on a number you have used before and ask them to verify the new account.
Important: it doesn't matter much whether you call the contact or see them in person; the main point is that any new or changed data is verified outside the original digital channel. You can even text them, so long as you are not relying on the same communication channel the request arrived on. If that contact's email is under an attacker's control, this is how you catch and stop the attack before you pay into the wrong account.
The best way to dovetail this into your existing process without adding too much friction is to have it as a step each time you go to add or edit a contact in your accounting software.
Make a note in any description or note field of the date you verified the details, and with whom. This way there is a record you can fall back on if something is later questioned. If you outsource your invoicing and payments to a third party, make sure this step is explicitly included in your terms of service or agreement.
Ideally, anyone who pays your invoices should do the same. It doesn't hurt to ask your customers to verify any invoice changes that come through by calling you or reaching out to you directly. They might not be able to accommodate the request, but it is worth asking.
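The verification step above reduces to a small rule set: the confirmation must travel over a channel other than the one the request arrived on, any number you call must already be on file (never one supplied inside the request), and the outcome is recorded against the contact. The following is an added example that models that rule as a gate in front of a payee record; it is not code from the original text, and the `Payee`, `ChangeRequest`, `Verification` and `approve_change` names, along with the sample payee and phone numbers, are constructed for illustration.

```python
"""Out-of-band verification gate for payee bank-detail changes (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set


@dataclass
class Payee:
    name: str
    bank_account: Optional[str]      # account currently approved for payment
    known_phone_numbers: Set[str]    # numbers already used successfully with this contact
    notes: List[str] = field(default_factory=list)   # the "note field" from the text


@dataclass
class ChangeRequest:
    payee: Payee
    new_bank_account: str
    request_channel: str             # how the request reached us, e.g. "email"
    phone_in_request: Optional[str] = None   # any "call me on" number supplied with it


@dataclass
class Verification:
    channel: str                     # "phone", "sms", "in_person", ...
    contact_used: Optional[str]      # number dialled or texted; None when in person
    verified_by: str                 # staff member who did the check
    on: date


def approve_change(req: ChangeRequest, ver: Verification) -> bool:
    """Apply the change only if the out-of-band verification holds.

    Returns True and updates the payee record on success; returns False and
    leaves the record untouched otherwise.
    """
    # Confirming over the same channel proves nothing: whoever controls the
    # payee's mailbox also answers the confirmation email.
    if ver.channel == req.request_channel:
        return False
    # A number to call must be one we already had on file. A number that
    # arrived inside the request is under the requester's control, so it only
    # counts if it was already known before the request.
    if ver.channel in ("phone", "sms"):
        if ver.contact_used is None or ver.contact_used not in req.payee.known_phone_numbers:
            return False
    # Record who verified, when, and how, alongside the contact (the audit trail
    # the text asks you to keep in the description or note field).
    req.payee.notes.append(
        f"{ver.on.isoformat()}: bank account changed to {req.new_bank_account}, "
        f"verified via {ver.channel} ({ver.contact_used or 'in person'}) by {ver.verified_by}"
    )
    req.payee.bank_account = req.new_bank_account
    return True


def demo() -> List[bool]:
    """Walk one constructed change request through three verification attempts."""
    # Constructed sample data: fake payee, fake account labels, fake numbers.
    payee = Payee("Example Supplies Ltd", "ACCT-OLD", {"+44 20 0000 0001"})
    request = ChangeRequest(payee, "ACCT-NEW", "email", phone_in_request="+44 7000 000002")
    when = date(2023, 10, 9)
    results = [
        # 1. Replying to the email: same channel, rejected.
        approve_change(request, Verification("email", None, "sam", when)),
        # 2. Calling the number given in the email: not on file, rejected.
        approve_change(request, Verification("phone", "+44 7000 000002", "sam", when)),
        # 3. Calling the number we already had: accepted and recorded.
        approve_change(request, Verification("phone", "+44 20 0000 0001", "sam", when)),
    ]
    return results


if __name__ == "__main__":
    for ok in demo():
        print("approved" if ok else "rejected")
```

The second attempt is the case that matters most in practice: the request itself will often helpfully include a phone number "for any questions", and calling it feels like verification while still being entirely inside the attacker's channel.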
Sometimes things go wrong, and you will need help. What you can do now to help your future self is to build the list of who you would need to contact. Start with a very simple spreadsheet or document, stored in a central place such as a shared drive, and list all the key roles and the people who fill them (including outside providers, if a role is outsourced). This may include:
email administrators
website and domain administrators