We recently had a client that was a victim of an attempted $50,000 Spear Phishing Wire Fraud Attack. Fortunately, the attack was prevented before any funds were transferred. As you know, Spear Phishing is a directed attack where the attackers give specific information about the target. Any company that wire transfers funds to other companies is susceptible to this type of attack. Because it's relatively easy to perform, has relatively low risk and a big potential payoff, wire fraud attempts are extremely common. We wanted to give you the details of this attack to make it easier for you to identify.
- Spoof Sender Email. The person responsible for processing wire transfers will receive an email that looks like it came from the CEO/CFO/COO requesting a wire transfer. This email will be malformed so when the recipient replies to the email the reply will go to a different email address other than the CEO/CFO/COO. Typically the text in front of the "@" is the same as the legitimate person's email, but the domain is different. This original malformed email is extremely easy to create – all you have to do is change the Reply-to address in the email header to the fraudulent email address. The spoofed email address will show when a user replies, but it is often missed because users typically don't take time to inspect the reply address when responding to the email.
- Spoofed Reply Email Address. The person processing the wire replies to the email, thinking they are responding to the CEO, but they are really responding to the hacker.
- Correspondence. The email thread goes back and forth, making the request more and more urgent. Train your users to be aware of any change of tone for email threads that request wire transfers. If the person thinks – wow that doesn't sound like the CEO - it probably isn't. If you review the email thread, the reply address will be to a different domain – another tip off of a fraudulent request.
- Transfer Funds. If the fraud is successful, funds will be transferred to the fake account and the money will be gone. It's important to have a manual out of band process that requires a second approval before any funds are transferred. Fortunately for this client, they figured out the fraud before any funds were transferred.
Please make all users aware of these fraud attempts and how to spot them. Closely review how easy it is (usually VERY easy) to determine the CEO/CFO/COO/Controller emails address via your website and social media sites like LinkedIn.
Stay safe out there and hold onto your funds!