While not new, targeted wire transfer scams are alive and well and we recommend that you check your processes to guard against them.
These scams start by targeting corporate executives and attempt to convince their targets to wire funds to accounts controlled by the fraudsters.
In one variant of the attack, the scammer will register a domain name with a similar spelling to the target and establish an email service on the domain. They will then search online for the names of the CFO and managers in the finance department. The attack begins with the attacker sending a targeted email to a manager from what looks like the CFO’s email using a variation of the domain name. If the manager responds, the attacker will stage a malicious funds transfer request after gathering information from the Manager. The attacker will request that the manager perform a wire transfer to a bank account within a short period of time, using language they have phished from the email threads. The manager thinks the CFO is requesting the transfer, requests approval, and the attacker pretending to be the CFO approves the transfer.
In another variant, the attacker impersonates an executive at another company that is likely to be doing business with the target company. The initial email uses a domain name that closely resembles the corporate domain name of the organization being impersonated. The body of the email instructs the target to pay all new or outstanding invoices via wire transfer to a new bank account. This attack leverages the likelihood that Accounts Payable at the target company will have actual invoices from the spoofed company.
In both cases, once the funds are transferred, they are quickly rerouted to other hard to trace accounts.
Who is Being Targeted by Wire Transfer Scams
Scammers frequently attempt to exploit the finance departments of medium to large-sized organizations who are likely to have a high volume of transactions.
- Internal education – undertake organization-wide phishing awareness training and ensure finance department personnel are familiar with this type scam.
- Require validation of new banking information with trusted accounting contacts at suppliers and business partners.
- Identify lookalike email domains that could be used by scammers in the above scenarios and create email filters to treat these emails as spam. The following tool generates variations of email domains that could be used in a phishing attack or for URL hijacking: http://www.morningstarsecurity.com/research/urlcrazy.
- While you could also block the source IP of the attack, expect that future attacks will come from a different IP address.