Companies supplying goods and services to universities are being warned to be vigilant.
Recent reports suggest that fraudsters are registering domain names similar to those used by academic institutions to send emails raising orders for high-value goods.
According to Action Fraud, criminals are using fake domains to request quotations for items such as IT equipment and pharmaceutical chemicals. Once a quotation has been supplied, a fake purchase order is emailed to the supplier, alongside instruction to deliver goods to an address, which may or may not be affiliated with the organisation being imitated.
Activity such as this is known as distribution fraud and in this latest blog, Andy Kays, Redscan’s CTO, offers his thoughts on the issue and how to minimise the risk of falling foul.
How can universities guard against fraud?
While in this instance, universities weren’t the direct victim of distribution fraud, fake domains can be used to launch many other types of attacks. For this reason, all institutions need to implement suitable security controls to detect and respond to malicious cyber activity that could negatively impact their finances and reputation.
Since they are a common target of fraudsters, universities should focus on improving staff and student awareness, including identifying common signs of fraud, and encouraging suspicious activity to be reported. Proactive network monitoring and implementation of stronger authentication measures across the supply chain can also help to significantly reduce risks.
Learn more about Redscan’s security solutions for education
How can criminals be prevented from registering fraudulent domains?
The current reality is that anyone can register a domain from anywhere in the world. Owning a company or trademark does not prevent others from using the same brand or a variation of it – ownership is determined by the highest bidder. For cybercrime to be reduced, more pressure needs to be placed on ISPs to verify that people setting up domains are doing so for credible purposes.
WHOIS, the system used to store the registered users of website domains, was once invaluable for helping to trace and track the individuals behind attacks such as phishing and spamming.
Given that personal information has been taken down from WHOIS, following the introduction of GDPR, we now need an accreditation scheme that enables special interest groups such as the police, security researchers and journalists to access personal data in WHOIS records for the purpose of tracking down fraudsters.
What can suppliers do to avoid fraud?
To minimise the risk of fraudsters setting up fake domains, organisations should try as far as possible to ensure that they register as many top-level domains linked to their business as possible – such as .co.uk, .com, .biz etc.
Using DMARK and SPF to publicly state which domains are being used to send emails can also help organisations to validate genuine communications from those that aren’t.
Improving employee education to be able to identify fake correspondence is vital to reducing online fraud. Before processing orders for new business customers, always make sure that due diligence is performed to verify and corroborate details. This includes checking that a person is who they say they are.
Criminals will often use a variant of an organisation’s official domain e.g. @universityname.admin.ac.uk as opposed to @universityname.ac.uk. It’s therefore advisable to perform some background searching and check details against those listed on prospective customers’ websites.
Branding inconsistencies such as different fonts, logos, colours, all of which may indicate that scammers are trying to copy a real brand. Spelling errors are also a tell-tale sign that it might be a spoof site created by fraudsters.
One final piece of advice is to ensure that instances of online fraud are always reported to the authorities. Online fraud is still underreported and is vital to help prevent others from falling victim.
Disover our full range of security services
What is purple teaming and how can it strengthen your cyber security?
Redscan announces availability on G-Cloud 10
EPP vs EDR – what’s the difference?