The information garnered by cybercriminals during a phishing attack is sometimes used to perpetrate costly fraudulent wire transfers. Learn how to prevent the initial phishing scams.
Phishing is very popular with cybercriminals. Phishing is a method whereby cybercriminals digitally defraud users; something that is not often discussed is what digital-scam artists do with the information they obtain. One of the more lucrative digital crimes is fraudulent wire transfers.
What are wire transfers?
A wire transfer, according to MySecurityAwareness.com, is a near real-time bank-to-bank transaction that allows one person to move money from her account directly into someone else's account. "When a wire transfer is made, both account holders are verified, as well as the amount of money in each account," adds the My Security Awareness website.
SEE: SMB security pack: Policies to protect your business (Tech Pro Research)
What is wire-transfer fraud?
Wire-transfer fraud occurs when company employees are deceived by fraudsters to wire money to a bank account controlled by the scam artists. "They (digital fraudsters) use language that might be specific to the person or the company they are targeting and then request a fraudulent wire transfer using dollar amounts that would not be out of the ordinary based on the customer," explains this United Bank security notice. "The cybercriminals use phishing emails and then leverage trusted relationships between individuals who authorize wire transfers and those who send them out."
The security article cautions that wire-transfer fraud is not specific to businesses or organizations that make wire payments; rather, anyone can be a victim of this type of cybercrime and should take every precaution to protect against it.
SEE: Phishing and spearphishing: A cheat sheet for business professionals (TechRepublic)
A lucrative example
Under the right circumstances, phish-only-captured information may be enough to allow digital fraudsters to pretend to be a business contracted by the company under attack. If it's not, attackers will use the scammed information to access company computers and then steal the appropriate sensitive financial data. Once the attackers are familiar with how a company pays bills, who the company pays regularly, and if there are any outstanding balances due, they can forge a fake invoice with new payment instructions, including how to transfer money to the scammers' bank account.
It may seem like a lot of effort to make money, but it is successful enough to get the FBI involved with Operation WireWire. "The operation resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers," according to this June 2018 FBI press release. "The devastating impacts these cases have on victims and victim companies affect not only the individual businesses but also the global economy. Since the Internet Crime Complaint Center (IC3) began formally keeping track of BEC (Business Email Compromises) and its variant, e-mail account compromise (EAC), there has been a loss of over $3.7 billion reported to the IC3."
The impact of fraudulent wire transfers
Security pundits at Wells Fargo note that wire transfers are an immediate form of payment; once fraudsters have obtained the funds, the wire transfer cannot be reversed. The authors of the United Bank security notice suggest there are other losses besides monetary ones:
- The potential for damage to a company's reputation; and
- The employee time required to repair damage and inform authorities about the fraudulent activity.
Tips on how to prevent wire-transfer fraud
The authors of the United Bank security notice offer the following tips that company personnel should follow to protect themselves and their employer from becoming victims of fraudulent wire requests:
- Confirm email requests from a known party by phone or in-person in case their email has been hacked;
- Be wary of e-mail-only wire transfer requests and requests involving urgency;
- Monitor company bank accounts on a daily basis;
- Immediately contact the involved banking institution and local police if there is any suspicion of wire-transfer fraud; and
- Check the information included on a wire transfer—one typo could send the money to the wrong person or business.
Next are tips specific to businesses:
- Make sure company policies and procedures regarding wire transfers and other banking activity are understood and practiced by employees;
- Establish an employee-awareness program;
- Businesses should establish procedures for incoming and outgoing payments;
- If possible, require a second authenticator within your business for all wire transfer requests;
- Make sure your employees know when a scam happens, how it was perpetrated, and motivate them to remain vigilant; and
- Businesses should invest in a detailed review of its IT infrastructure and security that is reflective to the size of their respective business.
SEE: Security awareness and training policy (Tech Pro Research)
It is important enough to reiterate that wire transfers are an immediate form of payment; once a scammer has obtained the wired funds, the transfer cannot be reversed, even if the check is fraudulent.
If illegal activity is suspected, besides local law enforcement agencies and banking institutions, report the matter to the Federal Trade Commission at the FTC Complaint Assistant or 1-877-FTC-HELP.
- Phishing alert: North Korea's hacking attacks shows your email is still the weakest link (ZDNet)
- FBI announces arrest of 74 email fraudsters (ZDNet)
- The biggest phishing attacks of 2018 and how companies can prevent it in 2019 (TechRepublic)
- The top 11 phishing email subject lines SMBs should look out for (TechRepublic)
- How sophisticated phishing grants attackers total control of your computer (TechRepublic)
- Phishing attacks hit financial services, tech companies hardest: How to stay safe (TechRepublic)
- IT email templates: Security alerts (Tech Pro Research)