Yandex.Weather in the domain: fraudsters have begun to actively substitute payment details for companies
The substitution of banking details is another attack scheme against businesses that is gaining momentum in Russia, cybersecurity companies told Izvestia. The number of such cases has recently grown by 20-25% on average. Medium-sized and large organizations with many counterparties and a complex approval process are the main targets. Fraudsters remotely infiltrate the company, replace the banking details on invoices and withdraw the funds they receive to other organizations taking part in the scheme. Details of the scheme can be found in the Izvestia article.
How scammers operate
Cases of attacks on companies using fake payment details have become more frequent in Russia, cybersecurity companies told Izvestia. According to Konstantin Larin, head of the Bastion cyber intelligence department, the number of such incidents has increased by an average of 20-25%.
— Such schemes are becoming one of the key threats to business in 2025, — he said. — Intruders study the victim: who the organization's clients and suppliers are, what amounts it operates with and under what contracts. Usually, open sources or data leaks are used to collect this information.
In addition, scammers often gain access to corporate e-mail by phishing or by compromising an employee's account. There have been cases where the attackers register a domain name resembling the original one and correspond on its behalf: people fall for the similar-looking address and end up communicating with the attackers. Inserting themselves into existing correspondence, or imitating it, is also common.
The final stage of the scheme is the substitution of the banking details and the withdrawal of the funds received to other organizations taking part in the scheme.
BI.ZONE Brand Protection specialists have repeatedly documented similar schemes. Scammers are actively registering domain names that mimic the original ones.
— Most often, such domains are left without any content, so not all monitoring tools are able to identify them, — added Dmitry Kiryushkin, head of BI.ZONE Brand Protection. — As a rule, scammers use empty domains to set up an e-mail service. A company from absolutely any field can become a target. One of the conditions is the presence of procurement procedures.
This factor, according to him, makes it possible for criminals to write a letter on behalf of a counterparty, imitating its mailbox address. Counting on the large volume of e-mail the employee processes, the attackers bet on reduced attentiveness.
— This allows fraudsters to substitute banking details in order to withdraw funds from the victim's account, — he added.
Most often, medium-sized and large companies with many counterparties and a complex approval process are under attack. These are industries with a high transaction frequency, such as wholesale, logistics, manufacturing, construction and IT. Such a scheme can affect any organization, but it is most often seen in the industrial, manufacturing and oil and gas sectors and among fertilizer producers, added Igor Sergienko, director of the Solar AURA External Digital Threat Monitoring Center, Solar Group.
— Any organization that interacts with other legal entities and pays for supplies using banking details can potentially become a victim, — he said. — Sometimes attackers simply register a domain name to send mail; in some cases a full-fledged phishing website is created, on whose pages the contact details are replaced with the attackers' contacts.
What other attacks are there on businesses
In addition to social engineering, scammers compromise employee accounts, hack messengers and falsify documents.
— The substitution of banking details in business has been causing increasing concern in recent years: the number of attacks is growing, and the schemes are becoming more sophisticated, — said Konstantin Larin.
Other attacks may target a wide range of a product's potential buyers, or be more complex, relying on insider information about an upcoming major deal and "wedging" into the correspondence on contract preparation, Igor Sergienko added.
— The latter are the most dangerous, — the expert emphasized.
In addition to the substitution of banking details, companies often face attacks through social engineering against accounting and top management, added Kirill Levkin, MD Audit Project Manager (Softline Group).
— There are widespread schemes for infecting computers with Trojans that track documents and payment transactions, — he said. — Attacks on supply chains are also used: hacking counterparties through which they penetrate the IT infrastructure of the target company. There has been a noticeable increase in attacks using deepfake calls from "supervisors" asking to urgently transfer funds.
Deepfakes and fake accounts in messengers are widespread, said Olesya Vlasenko, head of the Audit and consulting department at Lens.
— For example, faking the voice and video or the account of the head with instructions to transfer money, — the expert pointed out.
How to secure a company
Attacks have been spreading actively since the introduction of payment mechanisms in which banking details do not need to be entered manually, said Stanislav Kalabin, chief network architect of AxelNAC, Axel PRO. With the development of technology, in particular the introduction of QR code payments, where all the data, including the transfer amount, is filled in automatically, such incidents have become significantly more frequent.
— In the case of physical interaction, the use of dynamically generated QR codes on devices under the constant control of employees helps to reduce risks. This minimizes the possibility of substitution of banking details, — he said.
However, in correspondence-related scenarios, technical solutions and products do not provide complete protection against phishing and spoofing. The level of awareness and digital hygiene of employees plays a key role here.
To protect yourself from such schemes, it is necessary to maintain a high level of vigilance, Dmitry Kiryushkin emphasized.
— Always check the name of the mailboxes: the phishing address may differ by only one character, — he noted. — In addition, companies that actively interact with suppliers should warn counterparties about suspicious resources and other attempts to imitate the company by attackers. This will minimize the risk of falling for the tricks of intruders.
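One way to automate the check described above, as an added example that is not part of the article: compare each sender's domain against a list of known counterparty domains and flag addresses that differ by a single character or use look-alike characters. The trusted domain, the homoglyph table and the sample addresses are constructed for this demonstration.

```python
# Added example (not from the article): flag sender domains that resemble a
# known counterparty's domain but are not identical, i.e. the "differs by only
# one character" case. Trusted domains and samples below are constructed.

# Characters and digraphs commonly swapped for look-alikes (assumed table).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Lower-case the domain and fold common look-alike characters."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted: set[str], max_distance: int = 1) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown' for an address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"
    folded = normalise(domain)
    for t in trusted:
        # Either the homoglyph-folded form matches, or it is within edit distance.
        if folded == normalise(t) or edit_distance(folded, normalise(t)) <= max_distance:
            return f"lookalike:{t}"
    return "unknown"


if __name__ == "__main__":
    known = {"example-supplier.com"}  # constructed counterparty domain
    for sender in ("invoices@example-supplier.com", "invoices@exarnple-supplier.com",
                   "invoices@example-suppller.com", "news@unrelated.org"):
        print(f"{sender:35} -> {classify_sender(sender, known)}")
```

A 'lookalike' verdict should route the message to the manual double-check rather than block it outright, since legitimate typos in a counterparty's own domain list will also trigger it.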
Protection should be technical, organizational and procedural at the same time, emphasized Alexey Ivanov, head of the Penetration Testing department at Lens.
— Introduce a "double check" rule for any change of banking details: the change is confirmed only through a known, previously agreed channel, for example the phone number specified in the contract, and not one taken from the letter, — he noted. — Set limits for online transfers and a rule that any urgent transfers or transfers to new banking details require personal confirmation from the supervisor through two independent channels. For example, a call and a confirmation.
Two-factor authentication should also be used and employees should be regularly trained in digital hygiene to reduce risks, experts stressed.
Translated by the Yandex Translate service.