Businesses are increasingly falling prey to a clever phishing email-based fraud that does not rely on complex hacking techniques. The people behind these schemes are not sophisticated cybercriminals, and the attacks typically do not involve malware, intrusions, vulnerability exploits, or even password compromises.
Rather, the attackers employ elaborate social engineering tactics and deceptive email domain names that can dupe even the most savvy, wary employees into sending money from the company’s bank accounts to the criminals’ bank accounts.
Many companies have lost millions of dollars to such relatively simple attacks, and the funds are almost never recovered. These types of attacks are not new and tend to have a certain “ebb and flow” to them; they are on the “uptick” again.
How Phishing E-Mail Fraud Works
Three (3) Basic Elements to The Phishing E-Mail Fraud
- Fraudsters secure an internet domain name that is visually very similar to the domain name of the target company or of the target’s real suppliers. For instance, if the target company is named ABC Company, Inc. and its domain is www.abccompany.com, the fraudsters will secure registrations of say www.abcconpany.com, abccornpany.com, and abccmpany.com.
- Scammers will then research any publicly available information about the target company, looking for the names of senior financial officers, officials, and employees, especially chief financial officers and comptrollers.
- Fraudsters will then employ a strategy known as “social engineering” to secure the name and legitimate email address of a target company employee who is responsible for making large wire transfers. This last step may be satisfied with one or two simple telephone calls: “Hi, I’m Jack Scammer Doe from XYZ Bank. I need to send an email to whoever just sent us a wire transfer for $58,250.00. Can you provide me that person’s name and email address?” It is fairly common that fraudsters can secure a name and email address over the phone in this way with very few attempts.
- With that last piece of information, the fraudsters have two (2) vital parts of the scam: (i) the name and email address of a person who is authorized to initiate wire transfers, and (ii) the format of legitimate company email addresses. If the name of the person with wire transfer authority is John Smith and his email address in our example is JSmith@abccompany.com, and they learn from the company’s website that the CFO’s name is Jane Doe, they will figure out that the CFO’s legitimate email address is very likely JDoe@abccompany.com. Putting all these pieces together can take experienced scammers just hours of work.
The next step is sending an email that purports to be from the company’s CFO to the person authorized to send wire transfer instructions, but using the deceptive domain name. In this example, the “From” line of the email will appear as “From: Jane Doe <JDoe@abccmpany.com>.” Notice that the “o” in “company” is missing from this email address? Unless you have been advised or received notice of this type of scam, you would likely not notice the missing “o,” and so, when John Smith receives an email from “Jane Doe <JDoe@abccmpany.com>” telling him to immediately send a wire transfer to a particular bank account (accompanied by a plausible explanation for why the funds should be transferred, often with legitimate-looking invoices attached), John Smith may well initiate the transfer.
A variation on this scam pattern is the use of a domain name deceptively similar to one of the target company’s regular suppliers. In this kind of case, the fraudsters need to know the identity of who is selling to the target company, something that may require some inside information. Instead of impersonating a company officer with authority to order wire transfers, the fraudsters impersonate the company’s supplier. Although the information required to put this scheme in play is harder to come by, once it is obtained, the fraudsters have a better chance of success: only the destination bank account needs to be redirected to one under the fraudsters’ control, while all other details fit the target company’s usual course of paying invoices submitted by a known supplier. Information about a supplier can be gained by searching the websites of companies likely to be selling to the target company, which may list the supplier’s large customers, or through social engineering, e.g. by getting to know someone in the supplier’s sales force and waiting for the identity of the supplier’s large customers to be disclosed.
Why is this scam so successful?
The people perpetrating these frauds frequently research employees’ responsibilities so they know who to target, and often gather information to try to make the wire transfer request as believable as possible. For example, they may research the executive’s schedule using public information or by making inquiries of the executive’s assistant with the goal of sending the fraudulent emails when the executive is out of town and cannot be easily reached for verification.
Please note that while some of the fraudulent requests are for millions of dollars, more often they tend to be for smaller, less noticeable amounts. Since many companies have stricter controls (like dual approvals) for amounts over a certain dollar threshold, the scammers often submit wire requests for lower amounts, hoping that the looser control mechanisms in place (if any) will raise the success rate of the scam and make the recipient less likely to suspect one. If the scammer is successful with a preliminary request, they may continue to submit additional requests until the scam is detected.
Protecting Your Business Against The “Email Imposter” Fraud – Simple Safeguards
By implementing a few simple non-technical measures, organizations can dramatically reduce the likelihood of falling victim to a wire transfer phishing attack.
NON-TECHNICAL PROTECTIVE MEASURES
1. Educate employees who handle wire transfers. Organizations should provide training about the risk of falling victim to a wire fraud phishing scheme to all employees who handle wire transfers. These employees should be trained to scrutinize emails from executives who authorize transfers to ensure their validity. Employees should inspect both the “From” field and the body of the email:
- In the “From” field, do not rely on the email sender’s alias; inspect the full domain name following the @ symbol in the sender’s email address (for instance, Abe.Linclon@nosohonestabemaildomain.com). You may have to mouse over or double-click on the alias to see the sender’s full email address. The full email address can also be spoofed, so we recommend looking at the body of the email as well.
- In the body of the email, consider whether the message is written in the designated executive’s style. Look for anomalies, such as odd misspellings, awkward phrases, an unusual tone, a receiving bank account in an unexpected country or missing components (for instance, the designated executive always closes with “Best Regards,” while the email you are scrutinizing has no closing).
2. Confirm via phone call. When in doubt, employees should confirm wire transfer requests by phone using the executive’s phone number in the corporate directory and not from the signature in a suspicious email. Attackers may include phone numbers in a signature and will staff that phone number in hopes that an employee will call to confirm the request by phone.
3. Plan for vacations. When the designated executives or designated employees who handle wire transfers are out of the office, their proxies should be trained on the proper wire transfer protocol and on methods for determining whether a wire transfer request or authorization is legitimate.
4. Establish two-part verification procedures with your bank. Organizations should ask their banks to confirm all wire transfer requests that exceed a certain dollar amount via a phone call to the organization’s CFO (or other executive or designee).
TECHNICAL PROTECTIVE MEASURES
1. Include a header on inbound emails from external domains – Organizations can put a script on their Exchange or other mail server that adds a header to the text of all incoming emails from external domains, such as “From External Domain.” The email server will recognize the difference between @company.com and @conpany.com. At the top of the body of an incoming email from @conpany.com, a recipient would see the phrase "FROM EXTERNAL DOMAIN." The script can either be applied company-wide to all incoming emails or narrowly focused to apply only to emails sent to Designated Employees.
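As an added illustration (not code from the article or from ISRI), the following Python sketch shows the kind of inbound-mail script described above: it reads the sender’s domain from the “From” header, treats any domain within a couple of edits of the company’s own domain or a known supplier’s domain (including the “rn” for “m” swap seen in abccornpany.com) as a look-alike, and prepends the “FROM EXTERNAL DOMAIN” banner to the message body. The trusted-domain list and the sample message are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values (not from the article): the organisation's own domain
# and the domain of a supplier whose invoices it regularly pays.
TRUSTED_DOMAINS = {"abccompany.com", "trustedsupplier.example"}
BANNER = "FROM EXTERNAL DOMAIN"

def _fold(domain):
    """Collapse the 'rn' -> 'm' look-alike so abccornpany.com compares as abccompany.com."""
    return domain.lower().replace("rn", "m")

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return (verdict, domain); verdict is 'internal', 'lookalike' or 'external'."""
    _, addr = parseaddr(str(from_header))   # the display name is ignored entirely
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted:
        return "internal", domain
    # One or two edits away from a trusted domain: abcconpany, abccmpany, ...
    if any(edit_distance(_fold(domain), _fold(t)) <= 2 for t in trusted):
        return "lookalike", domain
    return "external", domain

def tag_message(raw):
    """Return the plain-text body, prefixed with the banner unless the sender is trusted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict, domain = classify_sender(msg["From"])
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if verdict == "internal":
        return body
    note = f" - {domain} closely resembles a trusted domain" if verdict == "lookalike" else ""
    return f"{BANNER}{note}\n\n{body}"

# Constructed sample message modelled on the article's JDoe@abccmpany.com example.
SAMPLE = (b"From: Jane Doe <JDoe@abccmpany.com>\nTo: JSmith@abccompany.com\n"
          b"Subject: Urgent wire\n\nJohn, please wire $58,250.00 today.\n")
```

As the article notes, the full sender address can itself be spoofed, so the banner supplements the phone-call confirmation rather than replacing it.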
2. Adopt a policy of encrypting wire transfer authorizations – Organizations can adopt a policy and develop the capabilities to mandate that emails be encrypted whenever sent from a Designated Executive to a Designated Employee to authorize an outbound wire transfer. If an organization uses Exchange/Outlook, for example, the scammer would then need to have physical possession of the Designated Executive’s laptop or other device in order to send an encrypted email from the Designated Executive’s account. The Designated Employee would need to be trained to confirm that wire transfer authorization emails are encrypted.
3. Block select domains – If an organization has received fraudulent emails from a particular email domain, the IT department can block all future incoming emails from the bogus domain. IT should consider filtering emails from bogus domains to a separate area for tracking, study and potential reporting to law enforcement.
For more information, contact ISRI General Counsel Thomas Casey.