Pay quickly and don't tell anyone

Cyber attackers take on the appearance of bosses and give orders


Note: This original article was published in Hospodářské noviny

In the past year, the number of attacks where hackers attempt to convince employees to divert large sums of money or disclose sensitive business information from the companies they work for has skyrocketed. Their methods are so sophisticated that even members of the company's senior management, such as financial directors, fall for them. 

By using videos from social networks, they can mimic the face and voice of anyone in a video call, making the employee feel they are receiving orders from even the head of their company. "They’ll also send an invoice with a changed account number," said Jakub Javorský, Senior Manager of the Forensic Technology Department at PwC. Together with his colleague Kateřina Halásek Dosedělová, Forensic Services Director at PwC, he is increasingly dealing with such cases. Halásek Dosedělová added, "Defence lies in regular employee training or setting up payments with deferred maturity." 

Last year, PwC conducted a major survey on cybercrime within companies. What are its main findings?

Javorský: The survey revealed that the most common type of cyber fraud is hacker attack. Methods are increasingly sophisticated, and often they are carried out by an external attacker, either working alone or in cooperation with an employee, and they persuade an employee to send money from their employer. The hacker then diverts money offshore or converts it into cryptocurrency. 

In the last two years, at least one attack was experienced by 43% of companies in the Czech Republic. There has been an enormous increase in the number of cases. A similar survey two years ago showed almost half this frequency, with only 25% of companies affected.

Halásek Dosedělová: This anonymous survey includes 232 organisations from Central and Eastern Europe across various industries. It’s a long-running survey we’ve been conducting since 2003.

How do these attacks specifically occur?

Javorský: The pattern is always the same. Under a false pretext, the criminal convinces someone to send money out of the company. New technologies have significantly enhanced the effectiveness of these attacks. Before, the attacker would just call employees, adopt a convincing voice, and deceive them over the phone or via email. 

With the advent of smartphones and applications, however, the focus has shifted to WhatsApp, and with the emergence of deepfake technologies that can mimic voice and image, the focus of this type of attack has moved to videoconferences.

Employees can’t tell whether they are actually speaking with their superior or if it is a real-time manipulated video and they are speaking to a completely different person. Attackers can also combine all these methods to convince employees that it is an urgent, confidential operation and that they must immediately send money out of the company. 

Sometimes perpetrators only use email and fake invoices with changed account numbers, so the employee thinks they are conducting a regular business transaction, such as with a supplier. However, this can be an orchestrated operation from the beginning, where they are dealing with fictitious people from a fictitious company.

Surely you can see that the email isn't coming from your department but from someone else?

Javorský: An attacker can craft an email so it looks as though it comes from your company or a real customer. They also exploit human inattentiveness and create email addresses that look very similar.

Halásek Dosedělová: Sometimes there's just a single extra letter, perhaps at the end, so an employee would have to click on the email address to notice.

Javorský: Yes, exactly. Sometimes the attacker gathers information from the outside, but in many cases we investigate, it's quite common that the attacker has a conscious or unconscious accomplice inside the company. This can be a disgruntled or former employee.  Sometimes these employees or ex-employees do it intentionally, motivated by enriching themselves or seeking revenge. Sometimes they assist the attacker entirely unknowingly. 

It might also be a business partner, or someone within a company who is inattentive or unhappy and brings an external perpetrator into the process. There are even cases where an employee, either from your company or a connected company, orchestrates the whole thing, creating external email addresses, and organising the entire attack. 

Halásek Dosedělová: In many cases, perpetrators gain access to sensitive data through a data breach, which the affected company may not be even aware of. Most companies also try to present themselves on social media, posting videos and information about planned projects, which attackers then use to boost their credibility.
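The lookalike-address trick described above (an extra letter at the end of a domain, or a near-identical spelling) is something a mail gateway or finance mailbox can screen for mechanically. The following is an added example, not PwC's tooling or anything from the interview: it compares the domain of an incoming sender against a constructed list of trusted domains using edit distance, flagging close-but-not-exact matches for manual verification. The trusted domains, the sample senders and the distance threshold are assumptions for illustration.

```python
"""Flag sender domains that closely resemble, but do not match, trusted domains.

Added illustration; the trusted list and sample senders below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: domains the finance team legitimately deals with.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplier.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,             # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender: str
    status: str                 # "trusted", "lookalike" or "unknown"
    closest: Optional[str]      # nearest trusted domain, if any
    distance: Optional[int]     # edit distance to that domain


def check_sender(sender: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> Verdict:
    """Classify a sender address by how its domain relates to the trusted set."""
    addr = sender.strip().lower()
    domain = addr.rsplit("@", 1)[-1]
    if domain in trusted:
        # Exact domain match: spoofing is still possible (display name, header
        # forgery), so this is "trusted domain", not "verified sender".
        return Verdict(addr, "trusted", domain, 0)
    closest = min(trusted, key=lambda t: levenshtein(domain, t))
    dist = levenshtein(domain, closest)
    if dist <= max_distance:
        return Verdict(addr, "lookalike", closest, dist)
    return Verdict(addr, "unknown", None, None)


def scan(senders: Iterable[str]) -> List[Verdict]:
    """Return only the senders that should be held for human verification."""
    return [v for v in map(check_sender, senders) if v.status == "lookalike"]


if __name__ == "__main__":
    # Constructed From: addresses, including the "one extra letter" case.
    sample = [
        "invoices@acme-supplier.com",
        "invoices@acme-supplier.comm",
        "ceo@exarnple-corp.com",
        "newsletter@totally-different.org",
    ]
    for v in scan(sample):
        print(f"HOLD {v.sender}: looks like {v.closest} (distance {v.distance})")
```

A distance threshold of 2 catches the appended letter and the classic "rn" for "m" substitution while leaving genuinely unrelated domains alone; in practice the trusted list would come from the supplier master file, and a hit should route the message to a person rather than silently dropping it.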

What psychological tricks do hackers use in communication?

Halásek Dosedělová: They build trust with employees and put them under time pressure. They emphasise that the matter must not be discussed with anyone else as it’s a strictly confidential project within the company or is a group they’ve been specifically chosen to participate in. 

Unfortunately, human psychology works in such a way that employees feel part of something intriguing, making them more willing to break rules they learned from internal training, where they are taught to stay vigilant and immediately report unusual situations. We've seen situations even at the highest levels of company management when managers are promised, for example, a new role within the group. With such a promise, vigilance rapidly declines.

Javorský: Planning an attack is easier than one might think. Even ChatGPT can provide a guide. That's why we’re now seeing such a significant increase in the number of attacks.

Do these attacks have common characteristics?

Javorský: The common characteristic of most attacks is urgency, creating a sense of exclusivity in the employee, that only they have been selected for the task, and that they should not consult anyone else in the company about it.

Halásek Dosedělová: This should immediately raise suspicion and questions like: Why shouldn’t I talk about my task with anyone? It is also typical to escalate demands and pressure.

Javorský: Another warning sign is someone contacting you via WhatsApp or video call. It’s not a channel from your corporate environment. However, this is challenging for small and medium-sized companies that don't have this corporate environment, where it's common for everyone to communicate via a work WhatsApp group.

What specific attacks have you dealt with recently?

Halásek Dosedělová: We had a case involving a high-level manager who was new to a company. He was undergoing training, including on deepfake technology. Attackers first contacted him via SMS, then WhatsApp, and finally through a Teams meeting. They told him he was chosen to participate in a new project and lead its communications. They sold him a vision that he would gain a higher position and increased rewards. 

They convinced him to finance a specific group-approved project. This managed to bypass relatively well-set internal rules and convinced his subordinates they had to process these payments. After about the fourth payment, employees found it odd, began to investigate what was going on, and reported it.

How advanced are deepfake videos and how can they be detected?

Javorský: These technologies are highly advanced. Attackers need only about a minute of original video footage featuring a certain person to create a convincing copy. There are plenty of videos of directors giving motivational speeches on LinkedIn. You don’t even need special hardware, just a powerful laptop. Moreover, guides are available on the internet.

Halásek Dosedělová: During online conversations, people seldom pay attention to details, being more focused on the sudden situation that requires action under time pressure. Signs of deepfakes include unnatural movements, irregular visibility of eyeglass frames, and the like. But often employees don’t notice these details.

Javorský: Moreover, such online calls function in real-time. There’s no delay and a computer can redraw your face within milliseconds.

Who holds responsibility for financial breaches? From whom is the loss recoverable?

Halásek Dosedělová: It depends on the company's internal regulations. They might state, for example, that payments above a certain threshold must be approved by two independent individuals. 

Legally, it depends on what type of violation occurred. Sometimes a bank can halt the payment, but generally, fraudsters attempt to process everything in a single day and quickly redistribute the money. Compensation is then sought from the employee, but according to the labour code, there's a maximum amount, dependent on the monthly salary, up to which damage can be claimed. 

There are insurance policies against these types of cyber fraud, and damages might be covered if policy conditions are met. In many cases, it means simply writing off the loss, which can be disastrous for smaller companies.

Javorský: A common type of fraud also includes invoices with a different account number, as previously mentioned. If it's proven, and we've managed to do this a few times, that an employee was involved in sending the fraudulent invoice, you might try to recover damages from them. 

How can you counter cyberfraud?

Halásek Dosedělová: Regular employee education is crucial. And not just for new hires. Training should occur at least quarterly, and continuously via email, informing people about the current types of fraud spreading in cyberspace and how to look out for them. Furthermore, employees should be encouraged to promptly inform a superior if something seems off in dealings with anyone and to not hesitate in reporting suspicions.

Javorský: Different types of penetration tests can be conducted depending on a company's size. Phishing exercises can be a good method of prevention. Someone might write to employees on WhatsApp or call them from an unknown number to test their reaction. It tests employees with the capacity to transfer larger financial sums from the company. This can also be shown in training settings, demonstrating in meeting rooms what forms such an attack might take.

Halásek Dosedělová: However, a mock attack needn't immediately involve transferring money, but might test whether sensitive company information is disclosed. For example, someone calls, introducing themselves as a director from their parent company or another person from the firm they know but have never spoken with. 

Often, they don’t verify if the caller was genuine and freely share this information. They feel uncomfortable saying: "I'm sorry, but I can't disclose this information over the phone without consulting my superior," and try to avoid it. 

What else can be done?

Javorský: Properly configure payment approval processes. At least, for example, payments over a certain amount should be approved by at least two people from the company to ensure that if one falls victim to scammers, the other can stop it or at least consult with other colleagues about it.

Halásek Dosedělová: Or, instant payments above a certain amount can be arranged so they can’t be executed instantly. They can allow for at least a two or three-day maturity period. Most payments aren't urgent, and money flows are planned and known in advance. 

If there’s a time buffer for maturity, many people might recognise warning signs the next day, consult a colleague about them, and often, the payment can be stopped. Also vital is how management approaches this topic. If they simply say it can't happen to us, prevention won't work in such an environment. Management must stand behind prevention, serving as role models for employees.
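The three payment controls discussed in this section (a changed beneficiary account on an invoice, two independent approvers above a threshold, and a maturity buffer before money leaves) can be expressed as a small policy check in the payment-release step. The following is an added example, not part of the interview and not any bank's or PwC's rule set: the thresholds, hold period, supplier master records and sample payments are constructed for illustration.

```python
"""Policy checks for releasing an outgoing payment.

Added illustration; thresholds, supplier records and sample payments are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed policy values (assumptions, not real rules).
DUAL_APPROVAL_THRESHOLD = 10_000   # above this, two people must approve
HOLD_THRESHOLD = 50_000            # above this, a maturity buffer applies
HOLD_DAYS = 2                      # the two-to-three-day buffer from the text

# Constructed supplier master file: account number on record per supplier.
SUPPLIER_ACCOUNTS = {"Acme Supplier": "ACCT-0001", "Example Corp": "ACCT-0002"}


@dataclass
class Payment:
    supplier: str
    amount: float
    beneficiary_account: str
    requested_by: str
    requested_on: date
    approvals: List[str] = field(default_factory=list)


@dataclass
class Decision:
    release: bool
    earliest_execution: date
    issues: List[str]


def evaluate(p: Payment, today: date,
             accounts: Optional[Dict[str, str]] = None) -> Decision:
    """Apply the three controls; any issue blocks release."""
    accounts = SUPPLIER_ACCOUNTS if accounts is None else accounts
    issues = []

    # 1. Invoice with a changed account number: compare against the master record.
    on_file = accounts.get(p.supplier)
    if on_file is not None and p.beneficiary_account != on_file:
        issues.append(f"beneficiary account {p.beneficiary_account} differs from "
                      f"the account on file ({on_file}); verify out of band")

    # 2. Dual approval: the requester cannot count as one of the approvers.
    independent = {a for a in p.approvals if a != p.requested_by}
    required = 2 if p.amount > DUAL_APPROVAL_THRESHOLD else 1
    if len(independent) < required:
        issues.append(f"needs {required} independent approver(s), has {len(independent)}")

    # 3. Maturity buffer: large payments cannot execute on the day they are requested.
    hold = timedelta(days=HOLD_DAYS) if p.amount > HOLD_THRESHOLD else timedelta(0)
    earliest = p.requested_on + hold
    if today < earliest:
        issues.append(f"on hold until {earliest.isoformat()}")

    return Decision(release=not issues, earliest_execution=earliest, issues=issues)


if __name__ == "__main__":
    # Constructed: an "urgent" large payment to a new account, approved only by the requester.
    rushed = Payment("Acme Supplier", 120_000, "ACCT-9999", "cfo",
                     date(2024, 3, 4), approvals=["cfo"])
    for issue in evaluate(rushed, date(2024, 3, 4)).issues:
        print("BLOCKED:", issue)
```

The hold does not stop a determined attacker by itself; its value is the window it creates for the second approver, or the requester after a night's sleep, to notice the warning signs the interviewees describe.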

I've heard that attackers can use leaked data twice.

Javorský: Yes, we recently dealt with a case where a financial director was duped into sending money from the company to attackers. The company wrote off the amount. 

Meanwhile, as he communicated with the attackers, he exchanged documents, opened PDFs, clicked on links, and attackers used these materials for further attacks. They accessed his email communications and found with whom the company traded, what the invoices looked like, and what projects were being handled. The attackers even struck the company's business partners, knowing exactly which products to discuss, when trucks with goods should arrive, and so forth, making it exceptionally convincing. Thus, after an attack, it’s crucial to figure out which data might have leaked further and mitigate potential future breaches.
