The ever-evolving thefts that businesses face in the cyber landscape are increasingly taking the form of “social engineering” and “invoice manipulation.” A recent string of such attacks has hit equipment and event rental businesses, and those in the industry are encouraged to be on their guard.
“There are two different forms that I’m seeing — social engineering and invoice manipulation,” says Alastair Jones, owner of J.A. Jones Insurance, Austin, Texas, and an ARA Insurance preferred agent. “This has happened to five of my insured customers since Thanksgiving. It seems that right now, the only ARA [American Rental Association] members that are getting hit are in Texas, but it’s going to travel. Especially since the thieves have had success in getting money.”
The Cybersecurity & Infrastructure Security Agency (CISA) describes a social engineering attacker as someone who seems respectable and possibly claims to be, for example, a new employee or repair person, even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization’s network.
This is the kind of infiltration that happened to at least one of Jones’ rental business clients.
“Someone broke into an event rental company’s email and sent a message to a large tent customer of theirs, saying, ‘We’ve changed our banking information. Can you send the money for the invoice that you owe us to this new account?’ And the customer did. $350,000 went to a nefarious bank account. So, the customer still technically owes the rental store the money. The rental store now has to rely on their customer to either pay again or have the insurance coverage that will pay for this,” Jones says.
Lawinsider.com explains invoice manipulation as the distribution of any fraudulent invoice or fraudulent payment instruction to a third party as a direct result of a security or data breach.
This type of manipulation also has been seen in rental businesses, according to Jones.
“An example of this would be if someone broke into the network of a product supplier to a rental store,” he says. “A rental company who ordered product from that supplier might receive an email from them saying, ‘Congratulations on purchasing these two new machines. Here is how you pay your invoice.’ Everything in the email is exactly like what the supplier would typically send out. So, the rental store pays the invoice, and it goes to the bad guy’s account. Then, the supplier calls up the rental store a few weeks later saying, ‘We never got your money. You still owe us $100,000.’ This is a massive problem for our insured customers because, in this scenario, they could be out $100,000 and the supplier can only say, ‘I’m sorry, but you still owe us the money.’ And the rental store’s bank can’t help because the money has gone out. So, it’s painful to our customers — a $100,000 pain.”
Jones says rental companies that fall victim to such hacks suffer in a number of ways.
“It takes months to get these things taken care of,” he says. “Every time I get a call from a customer impacted by this, they are frantic because they don’t know what they can or cannot do. There is embarrassment, there is fear and there is definitely anger. The FBI is involved, they have to shut down their system and they cannot take any orders until they’ve got an IT forensic team to go through their system to find the problem and clear it out. And it often requires them to have all kinds of changes and different emails.”
To avoid being a victim of these kinds of cyberattacks, CISA offers several recommendations, including:
Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company. Don’t send sensitive information over the internet before checking a website’s security.
Pay attention to the uniform resource locator (URL) of a website. Look for URLs that begin with “https” — an indication that sites are secure — rather than “http.” Also, look for a closed padlock icon — a sign your information will be encrypted.
Implement multi-factor authentication (MFA). Authentication is a process used to validate a user’s identity. Attackers commonly exploit weak authentication processes. MFA uses at least two identity components to authenticate a user’s identity, minimizing the risk of a cyberattacker gaining access to an account if they know the username and password.
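Both scenarios Jones describes, the compromised mailbox announcing "new banking information" and the supplier impersonation, come down to one question accounts payable can answer before money moves: do the bank details and the sender match what the business has already verified for that vendor? The following is an added Python example, not code from the article, CISA or ARA. It holds any payment whose sender domain is unknown (or closely resembles a known vendor), whose bank details differ from the vendor master record, or whose wording asks to redirect payment, and it records that the hold must be cleared by phone using the number already on file, as the "verify directly with the company" tip above advises. The vendor names, domains, routing and account numbers, and message text are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed vendor master: bank details the business has already verified for
# each supplier, keyed by the supplier's billing e-mail domain. All values here
# are made up for the example.
VENDOR_MASTER = {
    "tents-r-us.example": {"routing": "111000025", "account": "00012345"},
    "acme-machinery.example": {"routing": "222000099", "account": "00099887"},
}

# Wording that typically accompanies a request to redirect a payment. This is a
# coarse signal; the vendor-master comparison below is the actual control.
CHANGE_PHRASES = ("changed our banking", "new account", "updated bank details")


@dataclass
class Invoice:
    sender: str   # address the invoice or payment instruction arrived from
    routing: str  # routing number stated in the message
    account: str  # account number stated in the message
    body: str


@dataclass
class Decision:
    action: str                      # "pay" or "hold"
    reasons: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_invoice(inv: Invoice, master=VENDOR_MASTER) -> Decision:
    """Hold any payment whose sender or bank details do not match the vendor master."""
    reasons = []
    domain = inv.sender.rsplit("@", 1)[-1].lower()
    record = master.get(domain)
    if record is None:
        reasons.append(f"sender domain {domain!r} is not a known vendor")
        near = [d for d in master if edit_distance(d, domain) <= 2]
        if near:
            reasons.append("domain closely resembles known vendor " + ", ".join(near))
    elif (inv.routing, inv.account) != (record["routing"], record["account"]):
        # The compromised-mailbox case: genuine sender, wrong destination account.
        reasons.append("bank details differ from the vendor master record")
    hits = [p for p in CHANGE_PHRASES if p in inv.body.lower()]
    if hits:
        reasons.append("message asks to change payment instructions: " + ", ".join(hits))
    if reasons:
        reasons.append("confirm by phone using the number on file, not one in the message")
        return Decision("hold", reasons)
    return Decision("pay")


# Constructed sample messages modelled on the article's two scenarios.
SAMPLES = [
    Invoice("billing@tents-r-us.example", "111000025", "00012345",
            "Invoice 4471 is attached. Thank you for your business."),
    Invoice("billing@tents-r-us.example", "333000111", "00555555",
            "We've changed our banking information. Please send the money "
            "for invoice 4471 to this new account."),
    Invoice("accounts@acme-machiner.example", "222000099", "00099887",
            "Congratulations on purchasing these two new machines. "
            "Here is how you pay your invoice."),
]

if __name__ == "__main__":
    for inv in SAMPLES:
        d = check_invoice(inv)
        print(f"{inv.sender}: {d.action.upper()}")
        for r in d.reasons:
            print("   -", r)
```

The first sample pays; the second, sent from the real vendor's address but naming a different account, is held, which is exactly the case an e-mail filter cannot catch; the third is held because its domain is one character off a known supplier. The check is deliberately independent of the e-mail system, so a compromised mailbox cannot vouch for its own instructions.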
More of CISA’s tips on spotting and avoiding social engineering attacks, along with its recommendations for improving an organization’s overall cybersecurity, are available on the agency’s website.
Also, as a means of helping members counter ever-evolving threats posed by cybercriminals, ARA has introduced a new partnership with Network Coverage, a firm that provides information technology solutions and managed services.
Through the partnership with Network Coverage, ARA members can receive:
A complimentary two-hour cybersecurity consultation, including a risk assessment questionnaire/scorecard for the member to use without additional obligation. After the consultation, members will be eligible to receive an in-depth cybersecurity audit at a discounted flat rate.
Access to an annual cybersecurity webinar.
Access to additional content distributed to ARA members on preventing cybercrime in your rental business.
For more information on this resource, contact ARA member services at 800-334-2177.