Wire Fraud Scams and Corporate Email Attacks: Beware of Tricks, Not Treats, During Cyber Security Awareness Month
The U.S. Department of Homeland Security named October “National Cyber Security Awareness Month,” and has given it the not-so-catchy acronym of NCSAM. Though one might quibble with the choice of name, the many spectacular breaches that have occurred in just the past few weeks – Equifax, the SEC, and Deloitte all jump to mind – clearly demonstrate the need for greater cyber security awareness.
This update focuses on a less spectacular but far more common kind of breach – business email account takeover and wire fraud schemes. These attacks, which have become increasingly common and more sophisticated during the last few years, affect businesses of all sizes and often result in the loss of hundreds of thousands of dollars.
What is a business email account takeover and wire fraud scheme?
A business email account takeover and wire fraud scheme is a fraud in which an attacker uses a compromised email account to induce a company or its customers to wire money to an account the attacker controls. These frauds typically start with a phishing email designed to trick an employee into providing his or her credentials for corporate email access. Once the attacker has obtained an employee’s credentials, he logs into the email account as the employee and looks for emails revealing the process by which the company approves payments for its accounts payable, the process by which the company invoices its customers, and information about the people involved in the accounts payable or invoicing process. Armed with this information, the attacker typically uses the compromised account, or the information gleaned from it, to send further phishing emails in order to take over the accounts of employees with greater approval authority or greater contact with clients, such as the CEO, CFO, or client relationship managers.
Once the attacker gains access, he typically initiates one of two scams:
In one version, the attacker waits until the executive whose account has been taken over is unavailable (for example, when that person is traveling, a fact the attacker knows because he can read the executive’s calendar and email), then sends an email from the compromised account directing a junior employee to send a wire transfer immediately to a bank account controlled by the attacker.
Alternatively, the attacker poses as a customer relationship manager and emails customers (typically by inserting himself into email conversations already under way between the customer and the customer service representative) directing them to pay their invoices to a bank account controlled by the attacker.
This type of attack requires little technical skill and is routinely used to defraud even relatively small companies of hundreds of thousands of dollars before it is uncovered. In one highly publicized case, the Scoular Co., a commodities trader based in Omaha, Nebraska, lost over $17 million as a result of one of these schemes.
What can you do to prevent this type of fraud?
A few relatively small changes can substantially reduce the likelihood of a successful business email account takeover scheme:
- Implement two-factor authentication for all remote connections. Two-factor authentication requires not just a username and password to establish a remote connection (including webmail and mobile mail clients), but also a second factor, such as a one-time password texted to a user’s mobile device or, better, a code or approval prompt generated by an app on that device, since text-message codes can be intercepted or phished more easily. A number of different companies offer such services; a particularly easy to implement and use version comes from Duo Mobile. Two-factor authentication alone will stop most scams of this kind and is also useful in inhibiting other kinds of cyber-attacks, provided that older mail protocols that do not support a second factor are disabled rather than left open alongside it.
- Institute wire transfer policies. Implement and enforce policies and procedures to ensure that wire transfers or other payments cannot be authorized based on email instructions alone, regardless of who in the company sends the email. In particular, require that any new payment instruction or change to a payee’s bank account details be confirmed by telephone using a number already on file, never a number supplied in the email requesting the change.
- Monitor administrator accounts. Regularly audit administrator accounts (computer accounts with enhanced privileges allowing a user to view multiple email accounts or create or change email accounts and passwords) and ensure that new administrator accounts cannot be created without proper permissions.
- Educate your employees. Train your employees to spot phishing campaigns and avoid providing credential information to potential hackers.
- Review email audit logs. Ensure that email audit logging is enabled and routinely review those logs for anomalous activity, such as connections from a foreign IP address for a U.S.-based employee, sign-ins from two distant locations within a short period, or newly created mailbox rules that forward or delete messages (attackers commonly add such rules to hide their correspondence from the account’s real owner).
What should you do if your company is a victim of an account takeover scheme?
- Immediately seek to reverse any fraudulent wire transfer that has been authorized. If the fraud is caught quickly enough, it may be possible to stop the wire transfer before it is completed.
- Engage counsel to conduct a privileged investigation into the attack.
- Force password changes on all affected accounts and on any accounts that are even remotely suspected of being involved. Because changing a password does not, on most email platforms, terminate sessions that are already open, also revoke the active sessions and any application passwords or tokens for those accounts, and remove any mailbox rules the attacker created.
- Implement two-factor authentication for all remote connections. Not only will this help prevent a similar attack in the future, it will help stop the current one. Because the attackers have already read detailed information about how the victim company communicates, it is relatively easy for them to start a new phishing campaign and re-enter accounts even after the passwords have been changed, unless they are stopped by two-factor authentication.
- Immediately preserve and review access logs to determine which accounts might have been compromised and (if possible) which specific emails the attacker viewed in each compromised account. Preserve the logs before any cleanup, as some platforms retain them for only a limited period.
- Work with counsel to determine whether there are any data breach reporting requirements under federal or state laws as a result of the account compromises.
- Notify customers or regulators of the breach, if necessary.
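The log review recommended above, both as a routine preventive check and as the first step in scoping an incident, can be automated. The following script is an added example and is not part of this advisory or of any vendor’s product. It assumes a simplified, constructed CSV log format (timestamp, user, source IP, country, event, outcome); real mail platforms export richer records, but the same three checks apply: successful sign-ins from outside the country where the user works, “impossible travel” between two countries in too short a time, and mailbox rules created from a foreign location.

```python
"""Flag anomalous mailbox sign-ins in an email audit log.

Added example (not from the original advisory). The log format, the
sample entries, the IP addresses and the user names are all constructed
for illustration.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log. Columns: timestamp (UTC), user, source_ip,
# country, event, outcome. The CFO's account is "compromised" here.
SAMPLE_LOG = """\
timestamp,user,source_ip,country,event,outcome
2017-10-02T13:05:00Z,cfo@example.com,198.51.100.7,US,login,success
2017-10-02T14:40:00Z,cfo@example.com,203.0.113.9,NG,login,success
2017-10-02T14:42:00Z,cfo@example.com,203.0.113.9,NG,inbox_rule_created,success
2017-10-02T15:10:00Z,ap.clerk@example.com,198.51.100.21,US,login,success
2017-10-03T02:15:00Z,ap.clerk@example.com,192.0.2.44,US,login,failure
2017-10-03T02:16:00Z,ap.clerk@example.com,192.0.2.44,US,login,failure
2017-10-03T09:00:00Z,ceo@example.com,198.51.100.8,US,login,success
"""

# Two successful sign-ins from different countries closer together than
# this are treated as impossible travel (assumed threshold).
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=4)


def parse_log(text):
    """Parse the CSV log into dicts, sorted by time."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(rows, key=lambda r: r["timestamp"])


def find_anomalies(text, home_country="US", travel_window=IMPOSSIBLE_TRAVEL_WINDOW):
    """Return a list of (user, kind, detail) findings, in log order."""
    findings = []
    last_login = {}  # user -> (timestamp, country) of the previous successful sign-in
    for row in parse_log(text):
        user, country, ts = row["user"], row["country"], row["timestamp"]
        if row["outcome"] != "success":
            continue  # failed attempts are not evidence of access
        if row["event"] == "login":
            if country != home_country:
                findings.append((user, "foreign_login",
                                 f"{country} from {row['source_ip']} at {ts:%Y-%m-%d %H:%M}"))
            prev = last_login.get(user)
            if prev and prev[1] != country and ts - prev[0] <= travel_window:
                findings.append((user, "impossible_travel",
                                 f"{prev[1]} -> {country} within {ts - prev[0]}"))
            last_login[user] = (ts, country)
        elif row["event"] == "inbox_rule_created" and country != home_country:
            # Attackers often add forwarding or deletion rules from the
            # compromised session so the real owner never sees their traffic.
            findings.append((user, "foreign_inbox_rule",
                             f"rule created from {country} at {ts:%Y-%m-%d %H:%M}"))
    return findings


def compromised_accounts(text, **kwargs):
    """Accounts with at least one finding: the starting list for password resets."""
    return sorted({user for user, _, _ in find_anomalies(text, **kwargs)})


if __name__ == "__main__":
    for user, kind, detail in find_anomalies(SAMPLE_LOG):
        print(f"{user:24} {kind:18} {detail}")
    print("Reset and review:", compromised_accounts(SAMPLE_LOG))
```

On the constructed sample the script reports three findings, all for the CFO’s account: a successful sign-in from Nigeria, the same sign-in flagged as impossible travel because a U.S. sign-in occurred 95 minutes earlier, and an inbox rule created from that foreign session. The two failed attempts against the accounts-payable clerk are ignored, since failures do not establish access; in practice a burst of failures would still merit a look as a sign of password guessing.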
Previous client alerts on related topics have covered what individuals can do in the wake of the Equifax breach and what lessons companies can learn from it.
This advisory is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.