EasyIT has recently seen persistent and increasingly common phishing campaigns built around fake wire transfer requests.
The FBI issued an alert last month stating that “Between October 2013 and August 2015, over 7,000 US businesses were victimized by the so-called Business Email Compromise (BEC) scam and reported a staggering $748 million in actual and attempted losses.”
The BEC scam has resurfaced, and this time the attacks are more sophisticated.
FBI Warning: //www.ic3.gov/media/2015/150122.aspx
Business Email Compromise usually starts in one of two ways: thieves phish an executive and gain access to his or her inbox, or the corporation’s accounting or finance department receives an urgent, “highly confidential” email from someone posing as the CEO or CFO that directs an immediate payment without the usual authorization.
An Example of a BEC Email:
“I need you to do a wire of 48,500 USD to the attached account. I’m unavailable to talk on the phone but the funds need to go out immediately. Please let me know as soon as the transfer is completed and send me a transfer confirmation in reply.”
An alarming fact is that the attackers know exactly which individual to target to get the bank transfer completed. They send from an address that closely resembles the CEO’s (for example, a lookalike domain or a spoofed display name), copy the CEO’s tone, and may even know when the CEO is travelling or otherwise unable to verify the request.
Requests for expedited payment and confidentiality should be red flags, and they should trigger a phone call to the purported requester, using a number you already have rather than one supplied in the email. While some disbursements do require a fast response and some level of discretion, it is highly unlikely that a legitimate request requires such speed with no additional authorization.
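The red flags above (a sender address that only resembles the executive’s, a Reply-To that quietly redirects answers, and a payment request wrapped in urgency, secrecy, and “I can’t be reached by phone” language) can be checked mechanically before a message ever reaches accounts payable. The script below is an added example written for this article, not EasyIT’s tooling; the company domain, the executive roster, and the two sample messages are constructed for illustration.

```python
"""Heuristic BEC triage over raw RFC 5322 messages.

Added example, not EasyIT's tooling. COMPANY_DOMAIN, EXECUTIVES and the
two sample messages are constructed assumptions for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions: the protected organisation and the executives whose
# names are most likely to be impersonated.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane.doe@example.com": "Jane Doe"}

# Red-flag phrasing from the article: speed, secrecy, and a reason the
# requester cannot be called back.
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|asap|right away|today)\b", re.I)
SECRECY = re.compile(r"\b(confidential|discre(et|tion)|do not discuss|between us)\b", re.I)
UNREACHABLE = re.compile(r"\b(unavailable|can(?:no|')t talk|in a meeting|on a flight)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|funds|account)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw: str) -> list[str]:
    """Return the BEC indicators found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg["From"] or ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # 1. An executive's display name on an address that is not theirs.
    for exec_addr, exec_name in EXECUTIVES.items():
        if name.strip().lower() == exec_name.lower() and addr != exec_addr:
            findings.append(f"executive display name '{exec_name}' on foreign address {addr}")

    # 2. A sender domain within two edits of ours, but not ours.
    if domain != COMPANY_DOMAIN and levenshtein(domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike domain {domain}")

    # 3. Replies silently redirected to a different mailbox.
    _, reply_to = parseaddr(str(msg["Reply-To"] or ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = f"{msg['Subject'] or ''}\n{body}"

    # 4. The social-engineering pattern itself: money that must move now,
    #    quietly, while the requester cannot be reached by phone.
    if PAYMENT.search(text):
        for label, pattern in (("urgency", URGENCY), ("secrecy", SECRECY),
                               ("sender unreachable", UNREACHABLE)):
            if pattern.search(text):
                findings.append(f"payment request with {label} language")
    return findings


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Hold a message for manual verification once enough indicators stack up."""
    return len(score_message(raw)) >= threshold


# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.office@mail-relay.example.net
To: accounts.payable@example.com
Subject: Wire needed today - confidential

I need you to do a wire of 48,500 USD to the attached account. I'm
unavailable to talk on the phone but the funds need to go out immediately.
Please let me know as soon as the transfer is completed.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts.payable@example.com
Subject: Q3 vendor invoice approvals

The approved invoice batch is attached for the normal payment run. Route
it through the usual two-signature process; no rush on this one.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, score_message(raw))
```

The threshold matters: a single indicator (an executive mailing from a personal address, say) is common enough that blocking on it would drown the finance team in false positives, but two or more together is rare in legitimate traffic. Whatever the score, the control that actually stops the loss is the out-of-band phone call described above; the script only decides which messages earn one.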
A notice from the FS-ISAC states, “The key to reducing the risk from BEC is to understand the criminals’ techniques and deploy effective payment risk mitigation processes. There are various methods to reduce the risk of falling victim to this scam and subsequently executing a fraudulent wire transfer.”
We advise taking the time to educate staff about this threat, ensuring that wire transfer protocols (including out-of-band verification and dual approval) are actually followed, and reporting any incidents. Additionally, digitally signing email with certificates lets recipients verify who really sent a message, so an unsigned or incorrectly signed “CEO” request stands out; this helps only if staff are trained to look for a valid signature, and it does not protect against requests sent from an executive’s genuinely compromised account.
If you would like to learn more about mitigating your BEC risk, contact EasyIT today.