Companies around the world are seeing the resurgence of an old scam: wire transfer phishing attacks that trick employees into wiring money from company bank accounts to criminals’ bank accounts.
Over the past several months, many companies have lost millions of dollars to such relatively simple attacks. The funds are almost never recovered.
The people behind these attacks are not sophisticated cybercriminals. The attacks usually involve no malware, intrusions, vulnerability exploits or even password compromises. Rather, the attackers employ elaborate social engineering tactics and deceptive email domain names that can dupe even savvy, wary employees into sending the criminals money from the company coffers.
Fortunately, organizations can significantly reduce the likelihood of financial loss and business impact by educating their users, adopting simple procedures and even implementing certain low-tech measures. A few simple steps could save your organization from being scammed out of millions.
|A TYPICAL LEGITIMATE WIRE TRANSFER PROCESS
For security purposes:
- Only one employee (the Designated Employee) is designated to request outbound wire transfers from the bank.
- Only one executive is designated to approve or direct outbound wire transfers (Designated Executive).
- The Designated Employee only requests the bank to initiate outbound wire transfers following receipt of a phone call or email from the Designated Executive authorizing or directing a wire transfer.
- The company’s bank only initiates outbound wire transfers at the direction of the one Designated Employee, who must contact the bank by phone or via the company’s secure online banking portal.
A TYPICAL WIRE TRANSFER PHISHING ATTACK
- The organization’s legitimate email domain is @company.com.
- The attacker registers domain names deceptively similar to the organization’s (for instance, @conpany.com, @cornpany.com, @cmpany.com).
- The attacker learns the names of the Designated Executive and Designated Employee through social engineering or online research.
- The attacker sends an email purporting to be from the Designated Executive, using a deceptively similar email domain.
- The Designated Employee receives this email and sees that it is from “Designated Executive” <Designated.Executive@conpany.com> directing the Designated Employee to have $1 million wired to account number 123456789.
- The Designated Employee, following procedure, checks to see that the email came from “Designated Executive.”
- But the Designated Employee fails to notice the misspelling in the email domain @conpany.com, mistaking it for a legitimate company email address.
- The Designated Employee logs into the online banking portal account and requests an outbound wire transfer for $1 million to account number 123456789.
- The bank, following procedure, checks to confirm that the request for the wire transfer did come from the Designated Employee’s account on the online banking portal.
- The bank wires $1 million to account number 123456789.
- Meanwhile, the actual Designated Executive has no knowledge of this wire transfer.
In the vast majority of instances of this scam, the receiving account is outside the US, and the funds are almost impossible to recover.
The bank is not responsible because it followed procedures and the Designated Employee was, in fact, the person who contacted the bank to request the transfer.
WHAT YOU CAN DO TO SAFEGUARD AGAINST THESE ATTACKS
By implementing a few simple non-technical measures, organizations can dramatically reduce the likelihood of falling victim to a wire transfer phishing attack. We also offer technical solutions below that can provide additional protection.
NON-TECHNICAL PROTECTIVE MEASURES
1. Educate employees who handle wire transfers. Organizations should provide training about the risk of falling victim to a wire fraud phishing scheme to all employees who handle wire transfers. These employees should be trained to scrutinize emails from executives who authorize transfers to ensure their validity. Employees should inspect both the “From” field and the body of the email:
- In the “From” field, do not rely on the email sender’s alias; inspect the full domain name following the @ symbol in the sender’s email address (for instance, George.Washington@bogusemaildomain.com). You may have to mouse over or double-click on the alias to see the sender’s full email address. The full email address can also be spoofed, so we recommend looking at the body of the email as well.
- In the body of the email, consider whether the message is written in the designated executive’s style. Look for anomalies, such as odd misspellings, awkward phrases, an unusual tone, a receiving bank account in an unexpected country or missing components (for instance, the designated executive always closes with “Best Regards,” while the email you are scrutinizing has no closing).
2. Confirm via phone call. When in doubt, employees should confirm wire transfer requests by phone using the executive’s phone number in the corporate directory and not from the signature in a suspicious email. Attackers may include phone numbers in a signature and will staff that phone number in hopes that an employee will call to confirm the request by phone.
3. Plan for vacations. When the Designated Executives or Designated Employees are out of the office, their proxies should be trained on the wire transfer protocol and methods for determining whether a wire transfer request or authorization is legitimate.
4. Establish two-part verification procedures with your bank. Organizations should ask their banks to confirm all wire transfer requests that exceed a certain dollar amount via a phone call to the organization’s CFO (or other executive or designee).
TECHNICAL PROTECTIVE MEASURES
Include a header on inbound emails from external domains – Organizations can put a script on their Exchange or other mail server that adds a header to the text of all incoming emails from external domains, such as “From External Domain.” The email server will recognize the difference between @company.com and @conpany.com. At the top of the body of an incoming email from @conpany.com, a recipient would see the phrase "FROM EXTERNAL DOMAIN." The script can either be applied company-wide to all incoming emails or narrowly focused to apply only to emails sent to Designated Employees.
Adopt a policy of encrypting wire transfer authorizations – Organizations can adopt a policy and develop the capabilities to mandate that emails be encrypted whenever sent from a Designated Executive to a Designated Employee to authorize an outbound wire transfer. If an organization uses Exchange/Outlook and S/MIME, for example, the attacker would need to have physical possession of the Designated Executive’s laptop or other device in order to send an encrypted email from the Designated Executive’s account. The Designated Employee would need to be trained to confirm that wire transfer authorization emails are encrypted.
Block select domains – If an organization has received fraudulent emails from a particular email domain, the IT department can block all future incoming emails from the bogus domain. IT should consider filtering emails from bogus domains to a separate area for tracking, study and potential reporting to law enforcement.
If you suspect your organization has been the victim of a wire fraud or other cyberattack, you should contact the cyber divisions of such federal law enforcement agencies as the FBI or US Secret Service.
To learn more about how DLA Piper and CrowdStrike can assist you in understanding or responding to this or any other security concerns your organization faces, contact the authors at firstname.lastname@example.org or email@example.com.
*Christopher Scott is Director of Remediation at CrowdStrike.