Cybersecurity experts have joined the call for organisations to protect themselves after Action Fraud issued a warning about a new scam.
The scam involves fraudsters registering domain names to look like they belong to UK university email addresses, with UK and European supply companies being defrauded out of vast sums of money as a result.
In one case, fraudsters imitating one university’s address led to a total victim loss of more than £350,000.
How the fraud works
This type of fraud, known as European distribution fraud, happens when a company from overseas (usually from Europe) delivers products to the UK, but isn’t paid for the goods or the cost of shipping.
Fraudsters are registering domains that are similar to genuine university domains such as xxxxacu-uk.org, xxxxuk-ac.org and xxxacu.co.uk. These domains are used to contact suppliers and order high value goods such as IT equipment and pharmaceutical chemicals in the university’s name.
Suppliers will receive an email claiming to be from a university, requesting a quotation for goods on extended payment terms. Once the quotation has been provided, a purchase order is emailed to the supplier that is similar to a real university purchase order. The purchase order typically instructs delivery to an address, which may or may not be affiliated with the university. The items are then received by the criminals before being moved on, however no payment is received by the supplier.
Director of Action Fraud, Pauline Smith, said: “This type of fraud can have a serious impact on businesses. This is why it’s so important to spot the signs and carry out all the necessary checks, such as verifying the order and checking any documents for poor spelling and grammar.
“We know that there is a lack of reporting by affected companies and without this vital intelligence, a true picture of EDF cannot be reflected.
“If you or your business has been a victim, report it to Action Fraud.”
Rashmi Knowles, EMEA Field CTO at RSA Security, says universities need to move quickly and notify users to mitigate damage effective and offering some advice for consumers on how to avoid being duped.
He said: “Time is of the essence for all universities involved here – they need to reach out and warn users of their sites. Unfortunately it is often very hard for an organisation to know if their site has been spoofed until someone has already become a victim, as is the case here with businesses being defrauded of hundreds of thousands of pounds. This is why all firms should be wary of these sorts of scams and make sure they fully verify the validity of a website or email address before engaging with a new organisation.
“Our advice to all businesses worried about these sorts of scams would be to, firstly, avoid clicking on links to websites from emails if it is from an unknown source.
“Instead, look up the website using an established search engine. Secondly, always be sure to check the site URL to make sure that the it is correct – often with spoofed sites there will be a few letters in the wrong place that will give clues that it is not official, as with these spoofed university sites, the devil is in the detail.
“Thirdly, check the address bar to ensure you are visiting a secure site and there are no warnings – although as we can see here, there are ways to fake this. Lastly, if you’re a business receiving a new order from a university and you have any doubts, then it’s best to try and call the company in question.”
Kevin Bocek, Chief Cybersecurity Strategist at Venafi, said the universities and other businesses affected by this scam were certainly not alone as spoofing sites is now big business.
“Last year over 14,000 certificates were used to set up phishing sites spoofing PayPal alone. This shows the power of the padlock for cybercriminals, allowing them to appear trusted so that they can trick unsuspecting businesses out of huge sums and damage brand reputations across the internet,” he said.
“These attacks are part of a much larger problem that jeopardises the system of trust used throughout the internet and shows why a new system of trust built on reputation is needed. These padlocks are supposed to signify a trusted machine identity – a digital certificate that means a website is genuine. But now cybercriminals can obtain certificates allowing them to look authentic for virtually nothing. This is a high risk, high impact threat that security teams cannot ignore anymore.”
Protect your business against European distribution fraud
- Ensure that you verify and corroborate all order requests from new customers. Use telephone numbers or email addresses found on the retailers website – do not use the details given on the suspicious email for verification purposes.
- If the order request is from a new contact at an organisation that’s an existing customer, verify the request through an established contact to make sure it is legitimate.
- Check any documents for poor spelling and grammar – this is often a sign that fraudsters are at work.
- Every Report Matters – if you have been a victim of fraud or cybercrime, report it to Action Fraud online or by calling 0300 123 2040.