
Security bulletin: Fraud against learned societies

Online fraud has reached pandemic proportions over the last two years. The increased volume of attacks is annoying, but profiling techniques are making these attacks a lot harder to spot, and societies are being targeted…

Learned societies face some unique challenges in combating fraud:

  • The executive officers for the society typically carry out their duties in their spare time, and consequently communications between them rely on email …
  • Background details for the executive officers are easily obtained through the society website, their academic website pages and from any social media presence they might have.
  • The details of any conferences or meetings being run by the society are a matter of public record (you are advertising them) – so a short list of likely financial transactions can be compiled.

A recent attack started with a personal email purporting to be from the chairman to the treasurer – apparently harmless, it asked in passing how the treasurer’s family was. This reference encouraged the treasurer to believe that the email address was genuine, while in fact the personal information mentioned in passing had been scraped from social media. Subsequent emails asked how the society’s audit was proceeding, and finally asked the treasurer to pay the audit team using the bank details provided.

The sum involved was not astronomical, but a nice fee for an hour’s work profiling the executive committee, and a couple of email messages. In this instance the plan was foiled because the treasurer cc’d the chairman’s genuine email account into the last email confirming that he had made the payment. Thankfully the chairman was also working over the weekend, spotted the email, and got in contact in time to get the transaction reversed.

Why did the attack come so close to working?

The attacker used a plausible email address in the ‘From’ header. It looked like a genuine University address, but did not actually exist. That address was never used in any communication with the fraudster: the ‘Reply-To’ address (which you will often not bother to look at, but which is what your email client actually sends your replies to) was something entirely different. Note that some email clients will pick up on this and flag a possible phishing attack.
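The From/Reply-To mismatch described above is easy to check mechanically. The following is an added example, not code from the original bulletin; the two messages are constructed samples using reserved `.example` domains.

```python
# Flag messages whose Reply-To header points to a different domain than the
# From header: the header trick described in the bulletin above.
from email import message_from_string
from email.utils import parseaddr


def header_domain(msg, header):
    """Return the lower-cased domain of the address in `header`, or None if absent."""
    _, addr = parseaddr(msg.get(header, ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def reply_to_mismatch(raw_message):
    """Return (from_domain, reply_domain) when Reply-To goes to a different
    domain than From, otherwise None. A message with no Reply-To header, or
    one whose Reply-To is in the From domain, is not flagged."""
    msg = message_from_string(raw_message)
    from_domain = header_domain(msg, "From")
    reply_domain = header_domain(msg, "Reply-To")
    if from_domain is None or reply_domain is None:
        return None
    if from_domain == reply_domain:
        return None
    return (from_domain, reply_domain)


# Constructed sample resembling the bulletin's attack: the From address looks
# like a university account, but replies are routed to an unrelated webmail.
SUSPICIOUS = """\
From: "Prof. A. Chair" <a.chair@university.example>
Reply-To: a.chair.soc@webmail.example
To: treasurer@society.example
Subject: Quick question

Hope the family are well - how is the audit going?
"""

# Constructed sample of an ordinary message with no Reply-To header.
NORMAL = """\
From: "Prof. A. Chair" <a.chair@university.example>
To: treasurer@society.example
Subject: Minutes

Attached as promised.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("normal", NORMAL)):
        print(label, reply_to_mismatch(raw))
```

A genuine sender can legitimately set a Reply-To in another domain, so treat a hit as a prompt to verify out of band rather than as proof of fraud.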

The attacker inserted some personal details, taken from social media, that encouraged acceptance of the email at face value. Typically executive officers only meet up a couple of times a year, so the attacker does not need to know the target’s personal life in depth (do you remember what you said to the chairman after the conference in September 2020 anyway? ;-)

The attacker worked on a weekend. Society executives will typically work weekends, as they are trying to fit Society work around their day job; but this is likely to delay any response from your bank, and increase the chance of the attacker getting away with the cash…

Is it only the treasurer that should be alert?

Generally a fraudster is after money, so the treasurer is the most attractive target within the Society. However, the Society’s membership details can also be monetised relatively easily. Loss of this information would expose the Society to the possibility of blackmail, but the information can also be leveraged at very little risk by sending your members bogus requests for membership or conference fees…

How would you stop this attack?

To prevent this sort of attack you need a means of confirming the identity of the person you are communicating with. You can go down the route of WW2 spies and issue pass-codes or one-time pads to your executive (there are modern equivalents, for example two-factor authentication, email authentication etc., but they are not as easy to deploy), or you can arrange a brief video call, which raises the bar for any imposter, even in these days of fake news…

It is a very rare occasion that a transaction is so time critical that it cannot wait a couple of days for you to schedule a video call. If it is, the chairman will probably want to discuss it face to face anyway!

See also: The other virus pandemic

Barry Kaye, July 22nd 2021