Logo of Phnom Penh Post newspaper Phnom Penh Post - Fake billing, invoice hack attacks targeting Kingdom

Fake billing, invoice hack attacks targeting Kingdom

Content image - Phnom Penh Post
Motorists ride past the telecoms ministry headquarters in the capital. Hong Menea

Fake billing, invoice hack attacks targeting Kingdom

The Ministry of Post and Telecommunications on May 23 issued a statement expressing concerns about cyberattacks in the Kingdom, calling for greater vigilance to thwart the rise of hacking attacks aimed at the private sector.

The statement said there had been a number of business email compromise (BEC) scams aimed at stealing cash by sending e-mails for payment invoices for transactions to overseas companies.

“The scam is particularly prevalent in the private sector, with cybercriminals hacking a company to study their business practices and records and then attacking the targeted entities by sending e-mails that appear to be invoices from known and legitimate sources,” it said.

This crime is often named in US laws as “theft by swindle”, meaning it is a theft that takes place by “swindling” – that is, tricking – the victims somehow rather than using violence or breaking an entry.

The Kingdom’s Criminal Code refers to all such thefts that rely on subterfuge or gaining the victim’s confidence first as forms “fraud” with different severities as defined in Chapter Two, Article 377.

The ministry said that hackers or sometimes organised groups of hackers will hack a company and gain access to their computer network and then research it and its employees carefully.

They then wait for the right moment to execute their plans, which usually involves submitting fake invoices with large payments due, or they may impersonate the company’s CEO or another executive or contact those corporate officers pretending to be a trusted vendor or business partner and then request a transfer of cash to an overseas account or request that payments for goods and services in the future be routed to a new bank account.

The groups often complete the deception by first hacking the network of the businesses on both ends of the transaction so that they are able to send a 100 per cent legitimate-looking request from one company to the other using the correct paperwork, employee names and even their real email addresses. This makes it a very difficult scam to defend against for companies that regularly make significant expenditures with dozens or sometimes even hundreds of vendors or service providers.

The ministry advised users to be extremely careful with measures such as carefully checking and verifying the names and email addresses, or to inquire by phone in case of suspicion even if the email from known people.

The ministry advised that all companies be very wary of all e-mails requesting a change be made to account information for cash transfers and to be sure to institute procedures and protocols that require employees to confirm or verify requests to change account information directly with individuals or business partners through means other than e-mail, such as phone calls, for example.

And after that they should consider going a step further and – without making mention of their intentions to do so while speaking to their business contact – try phoning their company’s security or IT department following that conversation and request that they independently verify the legitimacy of the transaction before allowing it.

And, the ministry noted, any company tricked in one of these scams should contact the bank immediately if they find out that they have been cheated and try to have the transaction reversed or frozen while also filing complaints with the police and other authorities if they ever want to find the hackers responsible and have them punished.

Independent digital security consultant Nget Mose said the reason for the increase in cyberattacks in Cambodia was because the sector’s development was still limited in terms of digital laws, tools and literacy, which made Cambodia an easy country to target for attacks via emails.

“The global trend of cyberattacks to steal or launder money is increasing everywhere, not just in Cambodia, but they are succeeding here at a higher rate than we’d like to see because our digital security infrastructure is still limited,” he said.

He added that in order to protect their businesses from these attacks, the private sector should have security management plans in place and build staff capacity in digital resources while implementing tighter protocols with multi-factor or multi-step verification or approval for certain highly sensitive data such as bank account information and other payment processes.

The ministry urged the public to get more information about such cases on the website of the Cambodia Computer Emergency Response Team Office (CamCERT) under the ministry’s Department of Security, Information and Communication Technology at www.camcert.gov.kh

They can also get more technical assistance and report illegal activity by emailing [email protected] or calling 023 722 391 / 016 851 678.

MOST VIEWED

  • ‘Education’ a priority traffic-law penalty

    A top National Police official on June 21 neither rejected nor confirmed the authenticity of a leaked audio message, which has gone viral on social media, on a waiver of fines for a number of road traffic-related offences. General Him Yan, deputy National Police chief in

  • Pursat Ford assembly plant opens

    The Kingdom’s first Ford assembly plant was inaugurated on June 16 in Pursat province amid rising demand for brand-new vehicles among Cambodians. The facility is seen as a game changer for the domestic automobile industry, which could bring a wave of investors seeking to cash

  • Siem Reap’s $18M zoo said to educate public, help wildlife

    Angkor Wildlife and Aquarium Co Ltd has invested $18 million in a zoo in Siem Reap province, which will be opened in October to educate and promote animal conservation as well as attract national and international tourists. Currently, the Angkor Wildlife and Aquarium is building the

  • Angkor photo rules clarified

    The Apsara National Authority (ANA) denied that it had banned the use of camera tripods in the Angkor Archaeological Park, explaining that the confusion stemmed from a long-standing rule which required commercial photographers and videographers to apply for permission to film. The explanation followed a

  • $50B infrastructure plan en route

    The government’s upcoming $50 billion,10-year infrastructure master plan will provide tremendous investment opportunities for domestic and foreign entities, transport experts and economists say. Minister of Public Works and Transport Sun Chanthol revealed the plan to Japanese ambassador to Cambodia Masahiro Mikami on June 15. At

  • Volunteer scheme to foster ‘virtuous’ humanitarian spirit

    A senior education official said volunteer work contributes to solidarity and promotes a virtuous humanitarian spirit among the youth and communities. Serei Chumneas, undersecretary of state at the Ministry of Education, Youth and Sport, made the comment during the opening of a training programme called “