How can I protect myself against phishing attacks?

Detect phishing attacks and protect valuable data Part I


An elementary prerequisite for the acceptance of electronic invoice processing in business and the public is trust in security. Fraudulent practices such as spying on invoice contents and their falsification by the so-called phishing fraternity undermine this trust. Professional solutions for the legally compliant and secure exchange of sensitive data make life difficult for fraudsters and can save you enormous costs and a lot of time.

Electronic invoices are becoming increasingly important in public administration and also in the B2B sector. The interest of contract and communication partners in the security of these invoices is correspondingly high. After all, by spying on invoice contents in the open communication traffic of the Internet, criminals not only gain access to personal data from which they can draw conclusions about supplier relationships and business secrets of the companies concerned. Worse still, they can use this knowledge to forge invoices through phishing or to spread malware. It is usually very difficult for the recipient of a forged invoice to recognise it as such, and once the invoice amount has been transferred, the money is usually irretrievably lost. Senders of electronic invoices should therefore always ensure that they use appropriate encryption technology, even when sending non-critical invoices. In the past, using tools to ensure privacy and security was often inconvenient and impractical. However, using Managed File Transfer technology now makes this a breeze.

  • The increased interest in data protection and security is not an end in itself, but rather serves to anchor electronic invoice processing in the operational exchange of services. It is therefore not a question of hindering the triumph of electronic invoice processing, but of helping it to achieve a breakthrough in practice.

What are phishing e-mails?

Companies and private individuals repeatedly receive fake invoices by e-mail from supposed companies or even on behalf of real existing companies. Some of these e-mails, whose subject line refers, for example, to an account debit that allegedly could not be carried out, have the aim of spreading malware. Others serve to collect the invoice amounts on the basis of the fake invoices by manipulating the bank details accordingly. The fake invoices appear very authentic in most cases. They often skilfully imitate the corporate identity of well-known banks or companies, are usually written in almost flawless English and create different levels of threat in the event that the invoice is not paid within the set period (legal proceedings, involvement of a debt collection agency, etc.). In other cases, the e-mails are simple in appearance and without any corporate identity. Even then, the threats outlined above scare the recipient sufficiently to persuade him or her to transfer the requested amount of money directly.

For this purpose, complete personal data records (first name, surname, address and telephone number) of the invoice recipients are used almost exclusively. Affected bill recipients who subsequently reported the fraud case could verify and confirm this. If the e-mails were not only intended to obtain the invoice amount by fraudulent means but also to distribute malware, this can be hidden either in the e-mail attachment or behind a download link. In Part II of this blog, we describe in detail how a phishing e-mail is structured and how the fraud process works, using an example of a fraud case. It goes without saying that you should neither open the attachment nor click on the link.

A digital signature for e-mail invoices is hardly sufficient to prevent the receipt of such fake invoices by e-mail. For higher invoice amounts, the fraudster will incur the expense of signing the fake invoice. In this case, the responsibility lies with the sender of an invoice, who must ensure in advance that their invoices are transmitted exclusively in encrypted form. Only via encrypted transmission with a separate password (e.g. via SMS dispatch), as used by SEEBURGER for our Managed File Transfer solution, is the sending of invoices secure. In our blog ‘STOP: The risks of using FTP and Email for the Transfer of Sensitive Files’ you can find out about secure alternatives.

Conclusion

SEEBURGER provides the Invoice Delivery Service for the secure sending of invoices. For this purpose the invoice recipient receives a link to the secure download. With this link they register with a user name and password. They receive the latter via a separate communication channel (e.g. by SMS). They can then download the encrypted invoice. With the e-invoicing solutions from SEEBURGER you are always on the safe side.

With the proactive use of SEEBURGER technologies, such as the Invoice Delivery Service, the Invoice Portal Service or the SAP integrated solutions Purchase-to-Pay and smart-e-Invoice-Outbound, such fraud cases can be largely mitigated.

A professional Managed File Transfer solution for the dispatch of personal data, as well as an e-invoicing solution for your electronic invoice exchange, provides security, transparency and traceability when transferring your sensitive digital documents.

 

Written by: Peter Fels

Peter Fels is Product Manager D-A-CH (Germany, Austria, Switzerland) at SEEBURGER for the automated processing of incoming invoices for all non-SAP systems. Mr. Fels has many years of experience with the conversion from paper to electronic invoicing processes.