Determined cybercriminals are constantly inventing new ways to access your company bank account. Sometimes they try to break in. Sometimes they try to steal your passwords and account information. But some of their techniques are designed to get you to simply hand over the money—and these social engineering tactics are becoming even more common.
One social engineering con we recently became aware of involved a corporate controller who received what looked like email from the company’s CFO forwarding a request from the CEO to process a wire transfer. Here’s what it looked like (names have been redacted):
From: [CFO’s name]
Date: July 3, 2018
Subject: Wire Payment
To: [Controller’s name]
[Controller’s name],
I need a Wire of $69,425.75 processed to the vendor’s account, information attached, Post-Haste. Code it to G&A and notify me once completed.
I’ll forward Invoice & other support momentarily.
Thanks,
[CFO’s name]
———– Forwarded message —————
From: [CEO’s name]
Date: July 2, 2018
Subject: Wire Payment
To: [CFO’s name]
[CFO’s name],
Per our conversation, attached is the instruction for the wire.
Let me know when this is done.
[CEO’s name]
The message included a typical and legitimate set of wire transfer instructions. Everything seemed to be in order, so the controller processed the request and sent the wire transfer. Unfortunately, the CEO had never spoken to or sent anything to the CFO. The CFO had never sent anything to the controller. And the controller missed the vital clue that would have given the cybercon away: a one-character spelling error in the domain name of the CFO’s email address. The cyber con artist had registered a domain name nearly identical to the company’s, researched the company using publicly available information, and used the names of the CEO, CFO, and controller to craft a message that looked like it had already passed through the CEO’s hands. By the time anyone noticed something was amiss, the money had been transferred, never to be retrieved.
In a similar case, a cybercon artist registered a domain name similar to that of a large manufacturer, then bribed an employee in the manufacturer’s accounts receivable department. The employee diverted the next large order to the criminal, who used the fake domain name to send wire transfer instructions to the buyers. The buyers overlooked the small spelling error in the domain name and sent payment. When they never received their purchase, they complained to the manufacturer, but since the manufacturer had no record of receiving the order or sending out the payment instructions, the buyers had no recourse and no way to get their money back.
These kinds of social engineering attacks rely on human error to work. The best way to prevent them is to implement processes that leave little room for expensive mistakes:
1. |
Require verification of any funds transfers by a method other than the one by which you received the request. For example, if you get a request by email, verify it by phone or fax. |
2. | Require dual controls. Changing your list of authorized payees or making a payment to someone on that list should require the approval of two people. |
We realize these procedures can be inconvenient and time-consuming. On the other hand, so is losing your money and trying to get it back. When it comes to social engineering attacks, an ounce of prevention is still better than a pound of cure.