Preventing Cyber Crime & Fraud: Invoice Fraud & Man-In-The-Middle attacks

Preventing Cyber Crime & Fraud: Invoice Fraud & Man-In-The-Middle attacks

This advice has been collated by East Midlands Special Operations Unit (EMSOU) to raise awareness among businesses and the public.

If you require any further information, assistance or guidance please contact the EMSOU Protect Team EMSOU Protect Team or your local Force protect team.


Invoice Fraud

EMSOU has noted an increase in Invoice Fraud. Essentially, this is when someone requests services from a legitimate organisation and then receives an invoice. Further down the line, the victim then receives further demands for payment. This is because a criminal has either intercepted communications between the victim and the vendor and is attempting to exploit it for personal gain, or because they have assumed that you have – at some point – taken advantage of the vendor’s services.

How to mitigate Invoice Fraud

Easy – we encourage every organisation to print a message like this on the bottom of every invoice sent. The key point, is to encourage customers to use the contact details shown in the initial /original invoice to make contact, otherwise they could be calling the fraudsters!


Man in the Middle Attacks (MiT)

In a Man-In-The-Middle attack is when a malicious individual sits between two communicating parties and intercepts all communications. Usually, the attacker has managed to slip between the sender and recipient before they’ve had a chance to set up any form of encryption – which means anything and everything done online is entirely visible to the attacker.

How does the attack work?

There are multiple ways to create a man in the middle set up.

Malware attacks

One common attack method is for a victim to be sent an email. The email usually contains a link that when clicked, appears to take you to a legitimate site.

Unfortunately, the website is anything but, and will promptly download malicious software onto the user’s device if it’s vulnerable to attack.

This malware records any data being sent between the victim’s browser and a website of interest – such as financial institution. The data is then transmitted to the attacker who will use the information for personal gain.

Wi-Fi attacks

In another type of attack, the cybercriminal will intercept communications by attacking a vulnerable Wi-Fi router. This might be a hub found in public areas or even in someone’s home.

The router is scanned for security vulnerabilities such as a weak password and then, using freely available software, the hacker will intercept and read transmitted data such as log in credentials, banking details, and other sensitive information.

It is also possible for an attacker to set up their own Wi-Fi hotspot, giving it a legitimate name to encourage unsuspecting users to connect. As soon as a victim uses the connection, any online activity is compromised.

Email hijacking

This involves a hacker infiltrating an organisation’s email account. They will read emails and eavesdrop on communications. At some point, they move from listening to faking (or ‘spoofing’) messages. These messages appear legitimate and ask customer to send money or sensitive information.

ARP attacks

Being able to send and receive messages requires two types of addresses. An IP address – this might get a message to your place of work, and then a MAC address – which might get the message to your device, rather than anyone else who happens to be using the internet at the same time. In an ARP attack, the hacker convinces the router that the IP address should be turned into their MAC address – not yours. The router then tells every other device on the network about this change, meaning the attacker gets to see the victim’s traffic lock, stock and barrel.

DNS attacks

This is very much like an ARP attack. Let’s say we are using the address Now a DNS Server is supposed to turn this web address into an actual IP address to send all your traffic to – in this case – your bank. But what if I can corrupt the way the DNS server works and tell it to turn this web address into my IP address and not the legitimate one? The victim is then forced to visit my fake website and interact with me.

How to mitigate the risks of MiT attacks

Avoid public Wi-Fi

Especially if you intend to conduct sensitive transactions or correspondence. In fact, it is a good idea to turn your Wi-Fi off altogether when you are out and about to prevent unintended connections. If this is not an option, then consider purchasing a VPN and leaving it turned on. A VPN will encrypt traffic so that even if your connection is compromised, the attacker is unable to decipher what is being sent. Employees that work on the go need to understand the dangers of public Wi-Fi and the importance of securing a connection using a company sanctioned VPN.

Harden your router

Most internet service providers have help pages and even video tutorials demonstrating how to rename your Wi-Fi. This hides the make and model of the hub, which makes it more difficult to attack. You should also change any default usernames and passwords, because these are easily researched by attackers. Finally, it is possible to encrypt all communication between an electronic device and a hub by setting up ‘WPA2 Personal’ for home users and ‘WPA2 Enterprise’ for organisations. Businesses in particular, should be mindful of how far a WiFi signal extends beyond the premise and the importance of conducting a site survey to check signal strength and the presence of an ‘evil twin’ or ‘rogue access points’.

Harden your device

Check if your browser is up-to-date by visiting a reputable site such as Additionally, always update your device as soon as possible to make sure that it is not vulnerable to attack. Using an antivirus and a firewall product from a reputable company will also go a long way to providing peace of mind – especially as most MiT attacks rely on the installation of malicious software.

Be wary of phishing emails

Unexpected emails requesting you to update your password or any other login credentials should set alarm bells ringing. Instead of clicking a link, always confirm the authenticity of an email by contacting the organisation using alternative methods. Unexpected invoices or requests for payments should also be investigated to reduce the likelihood of fraud.

For organisations, ARP attacks are difficult to protect against. It is possible to map IP addresses directly to MAC addresses manually but this involves significant administrative overhead and is not a practical solution if the organisation is large. In this case, a commercial Arp poisoning detector is probably preferable.


Please report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online.
Forward suspicious emails to
Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

Share this news story:

Other News

Free online business support sessions for companies in Boston, East Lindsey and South Holland

A series of free online support sessions for businesses in Boston, East Lindsey and South Holland is now under way.

Read More
LAT Secures Funding to Help More People in the Criminal Justice System

Lincolnshire Action Trust (LAT) has been awarded funding and support from a team of business experts to tackle social and env...

Read More

Join our ever-growing membership base

Become a member
Our Patrons