Digital Fraud – Real-life Examples
Lately we have frequently been talking about the issues surrounding digital fraud, but it would be worthwhile to clarify exactly what digital fraud is and to show you what it looks like in real-life.
Here are three examples of genuine cases that have affected companies around the world.
1. Fake News
Friday 11th October 2013, a couple of seconds before 10:18. Cision (an information and news distribution company) release a news story: ”Samsung Electronics acquires Fingerprint Cards AB”. In the accompanying press release, it’s revealed that Samsung have bought Fingerprint Cards for US$650 million, in an agreement between both parties.
The important detail? It’s a total fabrication.
In this example someone succeeded in finding a gap in Cision’s procedures for dealing with urgent press releases. At the time of the fraud, Cision’s customers could use a service called Assistance, to send in their own press release, along with contact details of the person in charge of the company. The fraudster understood the system and figured out a way to exploit it. A few days previously, they registered the domain fingerprint-cards.se to use in the fraud. They then sent in a forged press release, with the CEO Johan Carlström as contact person, together with a credit card number and postal address.
Cision rang the number that arrived with the press release and a man, who identified himself as Carlström, confirmed the details. From there, the fake press release was disseminated nationally and internationally. As a result Fingerprint Card’s share value on the stock market shot up in just a few seconds.
This is an example of how a domain name can be used to spread what we today call Fake News.
Security company RSA were the victims of a well-known phishing case. In 2011, a handful of employees received a mail with an attached Excel document – ”2011_recruitment_plan-xls”. An unsuspecting employee opened the document which contained a piece of malicious code – or malware as it’s often known.
Through the malware, the attacker was able to take control of the employee’s computer and venture deep into the company’s security system. The company’s encryption technology SecurID was the target. The fraudster succeeded with the attack, so ironically a company specializing in internet security became a high-profile victim of digital fraud – all because of a phishing email.
Phishing is a well-established method of attempting to access sensitive information and/or spread damaging code through the internet. In short, it involves the victim handling sensitive information in what they mistakenly believe is a secure way. Often an attacker will send out an email claiming to be from, for example, the target’s bank, and ask them to confirm their internet banking details. This could be the log-in details, which would then be used to empty the victim’s account.
3. CEO Fraud
Perhaps you’ve heard of CEO fraud before, where a fraudster might pass themself off as the CEO of a company and, for example, ask the head of finance to send them large sums of money. This is exactly what happened to Billerud Korsnäs, a Swedish packaging company with billions of kronor in revenue.
The year was 2016 and a fraudster passed themself off as Billerud Korsnäs’ CEO Per Lindberg. The communications appeared so authentic that they convinced an employee to make three large payments into the imposter’s account. The total amount came to 50 million Swedish Kronor (just over US$6 million at the exchange rate of the time). The company managed to drag back the money sent out in the final installment – at 25 million Swedish Kronor that was the largest of the payments.
What happened here was a well-planned and well-implemented CEO Fraud (also know as Fake President Fraud or Business Email Compromise). A criminal was able to convince a high-level employee to transfer large amounts of money without attracting any suspicion.
This is obviously a shocking example of what can happen if you are not attentive or do not have adequate procedures in place for dealing with similar situations. It is therefore important that you know how to protect yourself against online threats and risks.
After reading this you might be wondering how you can best protect yourself. We’re happy to give you three helpful tips:
- Internal processes and education. Make sure you have clearly defined internal processes for how you should deal with high-risk situations that every employee understands them. Educate your personnel about how different types of fraud can be executed on the internet. It’s also a good idea to have processes in place for dealing with your intellectual property (IP) to ensure that everything happens in an effective and safe way.
- Ensure correct ownership. Ensure that the ownership of your domains and other intellectual property is accurate and up-to-date. This can minimize the risk of third-parties using your name in a fraudulent way, which can deceive other people and damage your brand. In example, we recommend that you own regional domains for the markets you operate in.
- Monitor domain registrations around your trademarks. Monitor the registration of domains similar to your trademarks from third-parties – this way you can act quickly if someone intrudes or illegally exploit your brand.
If you suspect that you or your company are vulnerable to fraud or if you want our experts to draw up a pro-active preventative strategy, don’t hesitate to get in touch at firstname.lastname@example.org or call us on 040-613 09 00.
Sources (in Swedish)