What is invoice manipulation?
Invoice manipulation is the flip side of social engineering scams. In a social engineering scam, the insured’s company, or more specifically an employee, is tricked via a hack or phishing scam into voluntarily parting with money, products, services, or goods. Invoice manipulation is more devious in nature. It happens when a bad actor uses the legitimate email and data of the insured business to trick a customer or vendor into altering a payment, or redirecting a delivery of products, services, or goods, to the wrong location, one controlled by the bad actor.
Typically, a bad actor gains access to an employee’s emails either with a successful phishing scam or by breaching personal accounts and securing a work password. The scariest part of invoice manipulation is that it takes time. The bad actor sits and waits, watching the system, learning habits, and seeing all of the employee’s correspondence. They are specifically learning how the company and its customers or vendors work together. Then, they wait until the right time to ask the customer or vendor to change a wire payment to a new bank or to have standing deliveries redirected to a new worksite. They send the request from the compromised account, then delete the request and correspondence before the employee sees it.
Tips to Minimize Your Risk:
- Include a requirement in vendor contracts to do dual authentication for changes in ACH instructions.
- Require vendors to utilize two-factor authentication and two-step verification. The extra step can be a text, email, or security verification software before the vendor sends the payment.
- Whenever possible, configure your internet connection to always use HTTPS. This is the “https” that appears before the “www” in a web address, and the https is preceded by a padlock icon.
- Do not open unfamiliar emails. If you open one you think is from someone you know but realize it’s not, delete it immediately. Do not click any links in the message or send the sender personal or banking information. Once you open that link, your computer could become infected through the phishing scam and your information could be stolen.
- Install anti-virus, anti-spyware, and firewall software on your computer and keep them updated. Automated updates are the ideal choice.
- Do not log into your accounts from an untrusted computer (e.g., at the coffee house, library) or one that you don’t maintain (e.g., a friend’s or family member’s).
- Make sure your passwords, plus security questions and answers, are strong. Change your passwords every six months. Never use the same password for different accounts. A strong password has upper- and lower-case letters plus numbers and punctuation, forming a non-English word.
- Find out just how secure your passwords are. Some setups indicate strength with a rating of “weak” to “strong.” Always choose “strong.” If there’s no rating, go to How Secure Is My Password to see how fast your account can be hacked.
- Your password should not be on the list of the most popular passwords. If yours is there, change it immediately even if you must give up an easy-to-type sequence.
- Enable two-step verification if you use Google for any activity. Two-step verification adds additional security to a Google account. After entering your username and password, you’ll then enter a code that Google sends out via voicemail or text when you sign in. This will make it harder for someone to guess a password.
- Use a password manager. This service eliminates the need to type in a password at log-in; you log in with one click. A master password eliminates having to remember all your different passwords.
For advice, questions, and more ways to minimize your cyber risk, contact an MMA advisor.