Corporate security breaches have been all over the news lately, with hundreds of millions of people at risk after failures at companies such as Yahoo and Equifax. Given how established these companies are, the question becomes how they could have been breached. Wire transfer fraud is an incredibly simple yet effective scam with the potential for large payouts. By posing as an executive in a large company, criminals attempt to trick lower-level employees into transferring money to a fake business account. While Yahoo and Equifax may not have fallen victim to this particular variety of cyber attack, the FBI reported that over 7,000 victims lost a combined $750 million in a two-year period to wire transfer scams, also known as Business Email Compromise (BEC).
Business Email Compromise commonly involves CEO fraud, where hackers either gain access to a C-level executive’s email account through a phishing scam or create an imitation of a C-level email address. It only takes a brief amount of research to make an educated guess at what an executive’s email address is. Most large corporations list generic company email addresses on their website so that potential clients can contact them. This reveals the domain name the organization uses for its email addresses.
The attackers will then register domain names similar to the target organization’s. Rather than using @company, they’ll use @conpany. If an employee is glancing through the contact information, they are likely to miss such a small difference between the fake corporate email address and a real address. Now that the criminals have fake domains registered, they have to determine who to impersonate. Large corporations usually make this very easy to determine, with their leadership displayed on their website. From here, the scammers can easily make an imitation email for one of the executives. If the executive’s name is Jane Doe, rather than the proper email address of Jane.Doe@company.com, scammers will create a fake email address such as Jane.Doe@conpany.com.
With this convincing but fake email address, the scammers will identify a small group of lower-level employees who likely process and fulfill wire requests. Their names can be found easily on social media sites such as LinkedIn, which provide lists of employees at various companies along with the employees’ job titles. The scammers will select a few targets and send an email to every likely variation of each target’s email address. Large corporations tend to assign employee email addresses based on a few common patterns. If the employee’s name is John Smith, it is incredibly likely that his correct corporate email address will be similar to J.Smith@company.com or John.Smith@company.com.
The email itself will likely have a subject line or text asking for a response. This helps the scammers learn which email address pattern was valid and, based on the responses, which employees are the right ones to manipulate into wiring the desired funds. If the employee doesn’t check the email carefully or verify its validity in some other way, the scammers will have successfully tricked their way to a large payout.
Centrify nearly fell victim to an attack just like this, and provided screenshots of their communications with their attackers. To read the full account of their story, see their article. The attack started with an email that appeared to be from Centrify’s CFO, Tim.
The email asked for a large sum to be wired to a company called “Indeva Corporation”. The sender’s address used an incorrect domain with a difference that is very difficult to spot: rather than the correct @centrify.com, the scammers used @centrilfy.com. The message also requested a reply, which would confirm to the scammers that the recipient’s address was valid.
The attachment in the email provided wire instructions for the scammers’ account. While the account was under a fake corporation, the account itself was a valid Citibank account in the US.
Luckily for Centrify, the targeted employee followed company procedure and discovered the request had not actually come from the CFO. They contacted the FBI to begin a case against the scammers and ignored all requests from the fake email addresses. However, had their internal checks for wire transfers not been as well developed, the scammers could have walked away with more than $300,000.
No matter the size or security of a company, anyone can fall victim to wire transfer fraud resulting from BEC. Scammers do not need much talent with coding to have success with these attacks, as a properly socially-engineered email could result in a massive payout. In upcoming articles, we will detail other forms of BEC with real examples, as well as what to do if your company has been compromised.
If you have been the victim of an email compromise scam, call McCann Investigations at (800) 713-7670. We will provide a free consultation and outline the steps you and your response team need to take to gather and maintain the evidence you need to pursue litigation or an insurance claim. We can also explain the critical use of a licensed investigator to perform the forensic investigation and provide an objective opinion on the origination and scope of the compromise scam.
Contact Dorothy Filippov, Certified Fraud Examiner, at McCann Cyber: (346) 400-6554.