Director, Information Security
Brian Wrozek is the director of information security with Optiv’s Office of the CISO. In this role he specializes in enabling CISOs by sharing practical recommendations and confronting the many cybersecurity challenges with a “glass is half-full” attitude.
Techniques to Stop Wire Transfer Fraud
I continue to hear stories about companies being scammed by what the FBI is calling "business email compromise (BEC) attacks" or "CEO fraud attacks." Krebs on Security highlighted data from a recent FBI report that estimates $1.2B has been lost to these types of scams in the last couple of years. This deceptive con is not your typical phishing attack. There are no malware-infused attachments, no embedded links that take you to harmful web sites and no panic-inducing statements such as, "You must validate your social security number immediately or the IRS will freeze your bank account." Instead, these attacks attempt to gain your trust and confidence by mimicking seemingly normal business communications between executives in the hope of tricking you into transferring money to the attacker's account. We refer to these types of phishing attacks targeted against the senior executives of a company as "whaling" attacks (they go after the "big fish").
One common scenario involves a highly confidential acquisition. The CFO receives what looks like a valid email coming from the CEO about a pending acquisition, typically involving a company overseas. The attack is timed to coincide with the CEO being out of the office. The message instructs the CFO to expect a phone call from an outside legal firm that is handling the transaction, and includes details about the firm. The email is light on specifics but warns the CFO not to discuss this deal with anybody else. Sure enough, the CFO receives the phone call as predicted from the designated contact person, not realizing the caller is part of the scam. The CFO is given just enough information for the deal to sound plausible and is then instructed to transfer a plausible sum of money to an account. The CFO even receives a follow-up email or phone call to verify that the transaction completed successfully and is told that additional information will be forthcoming.
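To make the scenario concrete, here is the kind of header-level screening a mail filter can apply to the CEO's "acquisition" message. This is an added example written for this post, not code from the original article or from any product. The corporate domain, the executive directory, the keyword list and the three sample messages are all constructed for illustration.

```python
"""Heuristic BEC screening: executive display-name spoofing, look-alike
sender domains, Reply-To redirection and DMARC failure.

Added example for this post. The domain, executive list and sample
messages below are constructed assumptions, not real data.
"""
import email
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"   # assumption: the organization's own domain
EXECUTIVES = {                      # assumption: directory of executives who may give payment instructions
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
FINANCIAL_KEYWORDS = ("wire", "transfer", "acquisition", "urgent", "confidential")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw: str) -> list:
    """Return a list of findings for one raw RFC 5322 message (empty = nothing suspicious)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    display_key = display.strip().lower()

    # 1. Display-name spoofing: a known executive's name on an address that is not theirs.
    if display_key in EXECUTIVES and addr != EXECUTIVES[display_key]:
        findings.append(f"display name '{display}' does not match known address {EXECUTIVES[display_key]}")

    # 2. Look-alike sender domain, one or two characters away from our own.
    if domain and domain != CORPORATE_DOMAIN and 0 < edit_distance(domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"sender domain {domain} is a look-alike of {CORPORATE_DOMAIN}")

    # 3. Reply-To points somewhere other than the apparent sender's domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.lower().rpartition("@")[2]
    if reply and reply_domain != domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")

    # 4. DMARC result as stamped by the receiving MTA in Authentication-Results.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        findings.append("DMARC failed")

    # 5. Payment/urgency language only raises the priority of other findings;
    #    on its own it would flag every legitimate finance email.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    keywords = [k for k in FINANCIAL_KEYWORDS if k in text]
    if findings and keywords:
        findings.append("payment/urgency language: " + ", ".join(keywords))
    return findings


# Constructed sample messages (not real traffic).
SPOOF = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jdoe.ceo@webmail.example>
To: cfo@example.com
Subject: Confidential
Authentication-Results: mx.example.com; dmarc=none
Content-Type: text/plain

We are closing a confidential acquisition. Expect a call from outside counsel and be ready to wire funds today.
"""

FREEMAIL = """From: Jane Doe <jane.doe.ceo@freemail.example>
To: cfo@example.com
Subject: Quick favour
Authentication-Results: mx.example.com; dmarc=pass
Content-Type: text/plain

Please process the wire transfer below before end of day.
"""

HIJACKED = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Project Falcon
Authentication-Results: mx.example.com; dmarc=pass
Content-Type: text/plain

Please wire the funds for the acquisition today and keep this confidential.
"""

if __name__ == "__main__":
    for name, sample in (("spoof", SPOOF), ("freemail", FREEMAIL), ("hijacked", HIJACKED)):
        print(name, analyze(sample))
```

Note what the third sample shows: a message sent from the CEO's real, compromised mailbox passes DMARC, uses the right domain and produces no findings at all, which is exactly why the filter can only reduce the problem. The people and process controls that follow are what catch that case.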
Spam filtering and email authentication technologies (SPF, DKIM and DMARC) can reduce but not eliminate this old school trick: authentication only proves that a message came from the domain it claims, and it says nothing about a look-alike domain the attacker registered, a free webmail account with the CEO's name on it, or a message sent from an executive's genuinely compromised mailbox. To further protect yourselves, add one or more of the following people and process control strategies to your arsenal:
- Learn to recognize your fellow executives' communication styles. Many of us are creatures of habit and have a certain style when communicating with our peers. Pay close attention to the format and tone of the email in addition to the actual words used. Are the grammar, greeting, signature and voice consistent with prior correspondence? If something doesn't feel quite right, trust your gut instincts and seek additional information before taking any action you may later regret. Use other communication vehicles besides email, such as voice, text and in-person, whenever possible.
- Implement dual custody procedures. Dual custody is a common anti-fraud technique that requires two people to complete a transaction, particularly those that exceed a certain dollar threshold. One person initiates a financial transaction but a second person is needed to approve or finalize it. Ideally, the second person will complete their part of the transaction from a second computer and account to further reduce the risk of a compromised device or account being used for the attack.
- Include a trusted third party in the process. Add a third person to the communication channel. This person does not need to know the details of the transaction, only that such a transaction is occurring at this point in time. In our example, the CFO could verify that an acquisition is actually underway by checking with a pre-designated person, such as the general counsel or the CSO, who has already been alerted by the CEO about the pending transaction.
- Educate your employees on how to identify and respond to attacks. Teach your executives about these types of wire transfer attacks. Use news articles as case studies and conduct table-top drills on how to respond to them. Involve your financial institutions in your efforts since they may be able to help stop fraudulent transactions before they are processed should one be initiated by mistake. Since attackers are constantly adapting their techniques, your education efforts must be more than a one-time endeavor.
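The dual custody and trusted third party controls above are easiest to reason about when written down as an approval gate. The following is an added example for this post, not code from the original article or from any payments product: it models a wire request that needs a second approver (different person, different device) above a threshold, binds that approval to the exact amount and beneficiary so a later "updated account details" email invalidates it, and refuses release until a pre-designated third party has confirmed the deal out of band. The threshold, the approval window, the device identifier, the verifier list and the walkthrough data are all assumptions.

```python
"""Dual custody plus out-of-band verification gate for outgoing wires.

Added example for this post. DUAL_CUSTODY_THRESHOLD, APPROVAL_WINDOW,
DESIGNATED_VERIFIERS, the device_id field and the walkthrough data are
constructed assumptions.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

DUAL_CUSTODY_THRESHOLD = 10_000                     # assumption: above this a second person must approve
APPROVAL_WINDOW = timedelta(hours=24)               # assumption: an approval goes stale after this
DESIGNATED_VERIFIERS = {"general.counsel", "cso"}   # assumption: people pre-briefed by the CEO


@dataclass(frozen=True)
class Session:
    user: str
    device_id: str   # assumption: a device fingerprint captured at login


@dataclass
class WireRequest:
    amount: int
    beneficiary: str
    initiated_by: Session
    approved_by: Optional[Session] = None
    approved_at: Optional[datetime] = None
    approved_fingerprint: Optional[str] = None   # what the approver actually saw
    verified_by: Optional[str] = None            # third party who confirmed the deal exists


def fingerprint(req: WireRequest) -> str:
    """Bind an approval to the exact amount and beneficiary; changing either voids it."""
    return hashlib.sha256(f"{req.amount}|{req.beneficiary}".encode()).hexdigest()


def approve(req: WireRequest, approver: Session, now: datetime) -> Tuple[bool, str]:
    """Second person finalises the request from a different account and device."""
    if approver.user == req.initiated_by.user:
        return False, "approver must be a different person from the initiator"
    if approver.device_id == req.initiated_by.device_id:
        return False, "approval must come from a different device than the initiation"
    req.approved_by, req.approved_at = approver, now
    req.approved_fingerprint = fingerprint(req)
    return True, "approved"


def verify_out_of_band(req: WireRequest, verifier: str) -> Tuple[bool, str]:
    """A pre-designated third party confirms, by phone or in person, that the deal is real.
    Whoever the 'law firm' on the phone is, they are not on the list."""
    if verifier not in DESIGNATED_VERIFIERS:
        return False, f"{verifier} is not a pre-designated verifier"
    req.verified_by = verifier
    return True, "verified"


def release(req: WireRequest, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Decide whether the wire may be sent; returns (allowed, reason)."""
    now = now or datetime.now(timezone.utc)
    if req.amount <= DUAL_CUSTODY_THRESHOLD:
        return True, "below dual-custody threshold"
    if req.approved_by is None:
        return False, "dual custody required: no second approver"
    if now - req.approved_at > APPROVAL_WINDOW:
        return False, "approval has expired"
    if req.approved_fingerprint != fingerprint(req):
        return False, "amount or beneficiary changed after approval"
    if req.verified_by is None:
        return False, "no out-of-band verification recorded"
    return True, "released"


def walkthrough() -> list:
    """The article's scenario, as a decision trail (constructed data)."""
    t0 = datetime(2015, 9, 1, 9, 0, tzinfo=timezone.utc)
    cfo = Session("cfo", "laptop-cfo")
    req = WireRequest(amount=250_000, beneficiary="ACCT-0001", initiated_by=cfo)
    trail = [release(req, t0)[1]]                                           # no approver yet
    trail.append(approve(req, Session("cfo", "phone-cfo"), t0)[1])          # same person, second device
    trail.append(approve(req, Session("controller", "laptop-cfo"), t0)[1])  # second person, same device
    trail.append(approve(req, Session("controller", "laptop-ctl"), t0)[1])  # proper dual custody
    trail.append(release(req, t0)[1])                                       # approved but unverified
    trail.append(verify_out_of_band(req, "outside.counsel")[1])             # the caller is not designated
    trail.append(verify_out_of_band(req, "general.counsel")[1])
    trail.append(release(req, t0)[1])
    trail.append(release(req, t0 + timedelta(hours=25))[1])                 # stale approval
    req.beneficiary = "ACCT-0002"                                           # "updated" account arrives later
    trail.append(release(req, t0)[1])
    return trail


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The fingerprint check is the detail that most often gets skipped in real approval flows: if the approver signs off on a request and the beneficiary can still be edited afterwards, the second person has approved nothing.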
Don’t rely solely on your technology to protect yourself from wire transfer fraud attacks. Be vigilant and ensure your executive team is prepared to recognize and respond appropriately.