Companies around the world are seeing the resurgence of an old scam: wire transfer phishing attacks that trick employees into wiring money from company bank accounts to criminals’ bank accounts.
Over the past several months, many companies have lost millions of dollars to such relatively simple attacks. The funds are almost never recovered.
The people behind these attacks are not sophisticated cybercriminals. The attacks usually involve no malware, intrusions, vulnerability exploits or even password compromises. Rather, the attackers employ elaborate social engineering tactics and deceptive email domain names that can dupe even savvy, wary employees into sending the criminals money from the company coffers.
Fortunately, organizations can significantly reduce the likelihood of financial loss and business impact by educating their users, adopting simple procedures and even implementing certain low-tech measures. A few simple steps could save your organization from being scammed out of millions.
A TYPICAL LEGITIMATE WIRE TRANSFER PROCESS
- Only one employee (the Designated Employee) is designated to request outbound wire transfers from the bank.
- Only one executive is designated to approve or direct outbound wire transfers (Designated Executive).
- The Designated Employee only requests the bank to initiate outbound wire transfers following receipt of a phone call or email from the Designated Executive authorizing or directing a wire transfer.
- The company’s bank only initiates outbound wire transfers at the direction of the one Designated Employee, who must contact the bank by phone or via the company’s secure online banking portal.
A TYPICAL WIRE TRANSFER PHISHING ATTACK
- The organization’s legitimate email domain is @company.com
- The attacker registers domain names deceptively similar to the organization’s (for instance, @conpany.com, @cornpany.com, @cmpany.com)
- The attacker learns the names of the Designated Executive and Designated Employee through social engineering or online research.
- The attacker sends an email purporting to be from the Designated Executive, using a deceptively similar email domain.
- The Designated Employee receives this email and sees that it is from “Designated Executive” directing the Designated Employee to have $1 million wired to account number 123456789.
- The Designated Employee, following procedure, checks to see that the email came from “Designated Executive.”
- But the Designated Employee fails to notice the misspelling in the email domain @conpany.com, mistaking it for a legitimate company email address.
- The Designated Employee logs into the online banking portal account and requests an outbound wire transfer for $1 million to account number 123456789.
- The bank, following procedure, checks to confirm that the request for the wire transfer did come from the Designated Employee’s account on the online banking portal.
- The bank wires $1 million to account number 123456789.
- Meanwhile, the actual Designated Executive has no knowledge of this wire transfer.
- In the vast majority of instances of this scam, the receiving account is outside the US, and the funds are almost impossible to recover.
- The bank is not responsible because it followed procedures and the Designated Employee was, in fact, the person who contacted the bank to request the transfer.
WHAT YOU CAN DO TO SAFEGUARD AGAINST THESE ATTACKS
By implementing a few simple non-technical measures, organizations can dramatically reduce the likelihood of falling victim to a wire transfer phishing attack. We also offer technical solutions below that can provide additional protection.
NON-TECHNICAL PROTECTIVE MEASURES
- Educate employees who handle wire transfers. Organizations should provide training about the risk of falling victim to a wire fraud phishing scheme to all employees who handle wire transfers. These employees should be trained to scrutinize emails from executives who authorize transfers to ensure their validity. Employees should inspect both the “From” field and the body of the email:
- In the “From” field, do not rely on the email sender’s alias; inspect the full domain name following the @ symbol in the sender’s email address (for instance, George.Washington@bogusemaildomain.com). You may have to mouse over or double-click on the alias to see the sender’s full email address. The full email address can also be spoofed, so we recommend looking at the body of the email as well.
- In the body of the email, consider whether the message is written in the designated executive’s style. Look for anomalies, such as odd misspellings, awkward phrases, an unusual tone, a receiving bank account in an unexpected country or missing components (for instance, the designated executive always closes with “Best Regards,” while the email you are scrutinizing has no closing).
- Confirm via phone call. When in doubt, employees should confirm wire transfer requests by phone using the executive’s phone number in the corporate directory and not from the signature in a suspicious email. Attackers may include phone numbers in a signature and will staff that phone number in hopes that an employee will call to confirm the request by phone.
- Plan for vacations. When the Designated Executives or Designated Employees are out of the office, their proxies should be trained on the wire transfer protocol and methods for determining whether a wire transfer request or authorization is legitimate.
- Establish two-part verification procedures with your bank. Organizations should ask their banks to confirm all wire transfer requests that exceed a certain dollar amount via a phone call to the organization’s CFO (or other executive or designee).
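A mail-filter style check for the deceptively similar sender domains described in the attack scenario above (conpany.com, cornpany.com, cmpany.com) and the “From” field inspection recommended here, added as an example and not part of the original advisory. It assumes the article’s legitimate domain @company.com; the confusable-sequence table and the edit-distance threshold are assumptions, and like the manual check it cannot catch a message whose full address exactly spoofs the real domain.

```python
import re

# Legitimate domain from the article's scenario (assumption: constructed sample)
LEGIT_DOMAIN = "company.com"

# Character sequences that look alike in common fonts (assumed table):
# "rn" renders almost like "m", so cornpany.com passes as company.com
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

# Max edit distance still treated as a typo-squat (assumed threshold)
MAX_TYPO_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Collapse confusable sequences so visual lookalikes compare equal."""
    for seq, rep in CONFUSABLES.items():
        label = label.replace(seq, rep)
    return label


def sender_domain(from_header: str) -> str:
    """Return the real domain after '@', ignoring the display-name alias."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(from_header: str, legit_domain: str = LEGIT_DOMAIN) -> str:
    """'internal', 'lookalike' (flag for phone confirmation) or 'external'."""
    domain = sender_domain(from_header)
    if domain == legit_domain:
        return "internal"
    legit_label = legit_domain.rsplit(".", 1)[0]
    label = domain.rpartition(".")[0]
    if normalize(label) == normalize(legit_label):
        return "lookalike"  # homoglyph squat, e.g. cornpany.com
    if levenshtein(label, legit_label) <= MAX_TYPO_DISTANCE:
        return "lookalike"  # typo squat, e.g. conpany.com, cmpany.com
    return "external"
```

A “lookalike” result is the trigger for the phone confirmation step, not a verdict on its own; short legitimate labels can sit within two edits of unrelated domains, so tune the threshold per organization.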
If you suspect your organization has been the victim of a wire fraud or other cyberattack, you should contact the cyber divisions of such federal law enforcement agencies as the FBI or US Secret Service.
Special thanks to Tara McGraw Swaminatha & Christopher Scott.