Phishing Scam Victimizes Top 40 Distributors

Plus, nine tips for how to protect your company.

By Christopher Ruvo, ASI Central

Counselor has learned that hackers tricked several Top 40 distributors into sending more than $100,000 to bank accounts controlled by the criminals – accounts the promo companies thought belonged to a Top 40 supplier. It’s the latest in a lengthening list of successful cyber assaults against high-profile firms in the promo products space.

In the deviously subtle phishing scam, the hackers emailed the distributors from an email address featuring a domain that was nearly identical – but for one letter – to the legitimate email address for the Top 40 supplier. The high-tech criminals doctored the email body and sender name to appear to be from a real-life accounts receivable leader at the supplier firm.

In the message, the would-be crooks lied that the supplier had changed banks. They instructed that future automated clearing house payments – electronic payments and automated money transfers that don’t involve wire transfers, credit card networks or cash – be remitted to the new bank accounts.
Unfortunately, several distributors fell for the ruse. Combined, they sent approximately $110,000 in ACH payments to the hackers between their receipt of the email in October and the discovery of the fraud early the week of Nov. 10. The discovery was thanks to savvy research by the collections manager at the supplier firm. At the companies’ request, Counselor is not identifying the firms involved.

In investigating outstanding receivables the week of Nov. 10, the manager noticed that one of the distributors had indicated that it had already paid the invoices. The manager investigated and communicated with the distributorship, where representatives said the money was sent to the “new bank.” That raised a red flag, leading to further investigation and the unmasking of the hackers’ email for a fraud.

Similarly, the supplier manager also determined that another distributor that normally sends ACH transfers had not made any payments since September. A sizable amount of invoices were outstanding. The manager became concerned that this customer had also been victimized – fears that were confirmed through communications the manager had with the distributorship.
News of the cyber con comes just weeks after alphabroder (asi/34063), the largest supplier in the promotional products industry, had its order processing and shipping platform crippled by a ransomware attack. Ultimately, the Trevose, PA-based firm paid a negotiated ransom of more than $1 million. At the recent ASI Power Summit, CEO Norm Hullinger gave an account of the attack and how it was handled.

Over the last year-and-a-half or so, a growing number of industry firms have been hacked. In April 2018, Top 40 supplier Hit Promotional Products (asi/61125) was the victim of a malware attack that disrupted its computer systems. Around the same time, other firms fell prey to a phishing scam in which hackers, posing as customers, got employees to click on corrupted links that launched malware.

Don’t Be A Victim
While the latest hackers’ scheme involving ACH payments to a criminally-controlled bank account was cunning, it was not without “tells” that could have tipped off its illegitimacy. Here are nine tips on how this phishing scam and other cyberattacks can be sniffed out and protected against.
Be Suspicious Of Emails That Give Instructions To Change Payment Procedures: A legitimate supplier/vendor is not going to communicate a bank change on the fly, out-of-the-blue, through a single email. It’s typically a longer procedure with multiple notices, including traditional physical mail notifications. In this case, the supplier said its procedure on a bank change would have involved, among other things, notifying memos going out in invoices and letters in the mail. The communications would include a final date for remitting payments to the old bank; that date would be into the future from the notification dates – not an immediate change, sources said.
Verify Verify Verify: If a bank change or payment procedure alteration – especially one requesting money be sent to a different destination – is received via email, then employees who handle such things must know to contact the vendor to verify that the request is genuine. This means picking up the phone and calling the actual vendor who appears to be asking for the change. It can – and really should – also entail mailing a standardized form to the appropriate person at the vendor that asks them to attest to the veracity of the change request. This form should be filled out, signed and returned.

Utilize Email Protections As Bulwarks Against Hack Attempts: Companies should be using SPF, DKIM and DMARC protections. An SPF record – or Sender Policy Framework record – is used to indicate to mail exchanges which hosts are authorized to send mail for a domain. Companies authorize who can send mail on their behalf. DKIM – or DomainKeys Identified Mail – can detect forged sender address in emails, which are a common dark craft employed in phishing attempts and email spam. Finally, DMARC – Domain-Based Message Authentication, Reporting & Conformance – gives domain owners the power to protect their domain from unauthorized uses like email spoofing. Spoofing is the forgery of an email header so that the message appears to have originated from somewhere other than the actual source – i.e., making the email look like it’s from a real company when indeed it’s from a hacker.
Check Each Email Address: Look for misspellings or variations on familiar company names. Watch for additional letters, words or numbers in the email address. They could be a telltale sign of a scam.

Look For Common Phishing Lures: Oftentimes, hackers will contact companies/employees/individuals with a request that they click on a link or attachment to do things like update payment information, review an order, or check out an invoice. Before clicking, call the actual person that the email purports to be from to verify.

Educate Employees About the Risk: The threat from hackers is real and growing. Sophisticated criminal enterprises are daily bent on turning more companies and individuals into victims. In the case with the criminals posing as the supplier, it’s likely the hackers did ample research on the supplier and the companies they intended to victimize to ensure the bogus email would look legitimate – and that it would reach the right people at the distributorships who could enact the ACH wire changes. As such, it’s important that companies emphasize that employees be on the alert for anything suspicious in an email. This should include education on what to look for, with examples of phishing/spam emails shown. Companies should also enact formal policies for how employees should act when they believe they may have received a phishing/spam email.

Utilize Malware-Scanning Software: This manages anti-malware policies, routinely scans corporate systems and personal computers, and alerts your IT team when malware is detected.
Build Sturdy Firewalls: This protects networks that are configured correctly, continually patched and constantly monitored.
Have Anti-Virus Protection: Make sure it’s on all company computers, and that the protection is updated in real time and makes use of heuristics and behavior analysis. All systems, including third party software, must be up to date on patches and feature strong spam filters.

More tips can be found here.