In this particular scam, a cybercriminal often impersonates an executive and sends a “spoofed” email to a carefully selected target who generally has the access and authority to transfer large sums of money on behalf of the company. Unlike traditional phishing schemes, these scams are well researched. Successful hackers surf the target employee's social media sites, review corporate web pages for contact information, and read professional writings to gain insight into the corporate culture as well as the individual characteristics of the target employee. The objective is to convince the targeted employee to send money.
In fact, there have been more than 8,000 victims and $800 million in losses, according to the FBI. There has been a significant increase in the frequency of wire transfer scam attacks against accounting functions. Read this now or risk losing thousands (if not more).
Wire transfer fraud: Is your company vulnerable?
Potential issue: Companies use email, which, when implemented without authentication services, can lead to email spoofing or forgery. Criminals can and regularly do take advantage of the inherent weakness of email systems. Further, many corporations do not have business process workflow systems for initiating and approving wire transfers, including a process for authenticating requests.
Unfortunately, many organizations rely too heavily on telephone or email communications as part of their wire transfer workflow. When a wire transfer is initiated and approved by email, criminals may have an opportunity to initiate wire transfers for their own benefit. When that happens, thousands of dollars can be lost through fraudulent wire transfers.
Potential methods of compromise:
Social engineering: Criminals acquire information about prospective victims and trick people, such as customer service agents, corporate executives, advisors, and corporate attorneys, into helping them complete a wire transfer.
Spear phishing: Criminals target individuals within an organization whom they have identified, perhaps through social engineering, as potentially responsible for wire transfer processes.
Masquerading: The takeover of an email account, usually that of a senior executive. The criminal can take over a legitimate email account or create a fraudulent email account that appears to be legitimate. Then the criminal “masquerades” as the executive and requests that the wire transfers take place.
Spoofing: The creation of email messages with a forged sender address. It is easy to do because the core email protocols do not have any built-in mechanism for authenticating the sender. Spam and phishing emails typically use such spoofing to mislead the recipient about the origin of the message.
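As an added example (not code from the original article), this Python check shows how a mail filter could flag the spoofing and masquerading patterns described above, using the SPF/DKIM/DMARC results that a receiving mail gateway records in the Authentication-Results header. The gateway name mx.example.com, the keyword list and the sample message are assumptions constructed for the example.

```python
import email
from email.utils import parseaddr

TRUSTED_MTA = "mx.example.com"  # assumption: authserv-id of your own mail gateway
PAYMENT_WORDS = ("wire", "transfer", "payment", "bank account")  # assumed keyword list

# Constructed sample message, not taken from a real incident.
SAMPLE = (
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net;"
    " dkim=none; dmarc=fail header.from=example.com\n"
    'From: "Pat Lee, CEO" <pat.lee@example.com>\n'
    'Reply-To: "Pat Lee" <pat.lee.ceo@example.net>\n'
    "To: ap@example.com\n"
    "Subject: Urgent wire transfer today\n"
    "\n"
    "Please wire $48,000 before 3pm and keep this confidential.\n"
)

def domain(addr):
    return addr.rpartition("@")[2].lower()

def auth_results(msg):
    """Return {method: result} from headers stamped by our own gateway only."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, *parts = [p.strip() for p in header.split(";")]
        if authserv_id.lower() != TRUSTED_MTA:
            continue  # a sender can forge this header, so ignore foreign ones
        for part in parts:
            method, sep, result = part.partition("=")
            if sep and result.split():
                results.setdefault(method.lower(), result.split()[0].lower())
    return results

def spoofing_flags(raw):
    """List the reasons a message should be held for out-of-band verification."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    flags = []
    if reply_addr and domain(reply_addr) != domain(from_addr):
        flags.append("reply-to-domain-mismatch")  # replies go somewhere else
    auth = auth_results(msg)
    flags += [f"{m}-not-pass" for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    if flags and any(word in text for word in PAYMENT_WORDS):
        flags.append("payment-request-hold-for-verification")
    return flags
```

A message that passes all three checks can still come from a taken-over mailbox, which is why the wire transfer approval itself belongs in a workflow outside of email.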
7 Things You Need to Do TODAY to Protect Your Company
- Create separate accounts for Operating and Payroll, and limit access to the payroll account
- Call your bank and completely disallow wire transfers, if possible
- Train your team to recognize phishing scams
- Implement wire transfer workflow tools that initiate and authorize transfers outside of email
- Review your insurance coverage for such protections should something happen
- Set banking alerts or notifications for transactions so that you are immediately aware of unusual activity
- NEVER send private information via email (credit card numbers, Social Security numbers, banking info)