Over the past several days we have seen a huge uptick in the number of wire transfer CEO-fraud emails and this threat continues to grow. We have firsthand knowledge of losses exceeding $100,000.00. It’s important to note that this is a social engineering exploit and does not carry any viral infections or malware payloads. You should educate your end users and I highly suggest that you immediately take an old-school, non-technical approach to this problem.
The threat typically starts weeks or months earlier, possibly with an email that takes you to a website you use every day (like PayPal, Gmail, OneDrive, etc.). You log in to the site, and usually it fails with some type of error that looks like the site is busy or there's a page error. The problem is that it's a fake site, and if you entered your credentials they're now in the hands of someone else. There are other methods, but this is a pretty common one. If you use those same credentials for other sites (a perennial bad practice), you may have just compounded your potential problems.
Next, the hackers try to find out information about you. They try common webmail server names (like mail.xxx.com/owa), Gmail, Yahoo, etc. They get into your webmail and see who you correspond with, who you assign as a backup contact in your last "out of office" notice, and who you meet with on a regular basis. Next, they craft an email from a spoofed account that looks like you (if you're the CEO) and send it to your finance manager, accountant, office manager or other unsuspecting individual.
It usually starts out simple with something like “Hey Donna, I’m going to need you to process a pretty big wire transfer later or possibly tomorrow – will send more details when I have them…”. This is the “greasing the skids” email. You might see 3 or 4, all looking like they came from the same person, building more trust over time that you’re going to “need them to get this done”. Finally, the transfer request comes and the money is expedited per the instructions. These hackers are smart, learning enough about your business to estimate what a “normal” amount might look like for an organization like yours.
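The pattern described above gives a defender two things to check before a wire request ever reaches Donna: the sender's display name matches an executive but the address or Reply-To does not, and the message asks for a payment with urgency or promises details "later". The following Python script is an added example (not part of the original advisory or any product mentioned in it) that applies both checks to raw messages. The executive directory, domain names and sample emails are constructed assumptions for illustration.

```python
"""Heuristic triage of inbound email for CEO-fraud (wire transfer) indicators.

Added example. The executive directory, ORG_DOMAIN and the sample messages
below are constructed for illustration and are not real identifiers.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display names worth spoofing, mapped to the one
# legitimate address for each. A real deployment would source this from HR/AD.
ORG_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
}

# Request language from the pattern above: a wire or lump-sum payment, framed
# as urgent, with details promised later.
PAYMENT_TERMS = re.compile(r"\b(wire transfer|wire|lump sum|payment|transfer)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(later today|later|tomorrow|asap|urgent(ly)?|confidential|right away)\b", re.I
)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message: str) -> dict:
    """Return identity indicators, content indicators and a verdict for one message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    # Identity signals: the name says "executive", the address does not.
    identity = []
    legit = EXECUTIVES.get(from_name.strip().lower())
    if legit and from_addr.lower() != legit:
        identity.append(f"display name '{from_name}' but sender is {from_addr}, expected {legit}")
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        identity.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {_domain(from_addr)}")

    # Content signals: money is being requested, and the request is hurried.
    content = []
    if PAYMENT_TERMS.search(text):
        content.append("payment or wire request language")
    if URGENCY_TERMS.search(text):
        content.append("urgency or deferred-details language")

    # Any payment request goes to the manual approval process regardless of sender;
    # a payment request with an identity mismatch is held for phone verification.
    if identity and content:
        verdict = "hold"
    elif identity or content:
        verdict = "review"
    else:
        verdict = "pass"
    return {"identity": identity, "content": content, "verdict": verdict}


# Constructed sample messages (not real correspondence).
FRAUD_EMAIL = """\
From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: Jane Doe <ceo.janedoe@webmail.example.net>
To: Donna <donna@example.com>
Subject: Quick favor

Hey Donna, I'm going to need you to process a pretty big wire transfer later or possibly tomorrow - will send more details when I have them.
"""

LEGIT_EMAIL = """\
From: Jane Doe <jane.doe@example.com>
To: Donna <donna@example.com>
Subject: Board deck

Donna, can you send me the latest board deck when you have a minute?
"""

REAL_REQUEST_EMAIL = """\
From: Jane Doe <jane.doe@example.com>
To: Donna <donna@example.com>
Subject: Vendor invoice

Donna, please process the vendor payment before Friday.
"""

if __name__ == "__main__":
    for label, sample in (("fraud", FRAUD_EMAIL), ("legit", LEGIT_EMAIL), ("real request", REAL_REQUEST_EMAIL)):
        print(label, analyze(sample))
```

The verdicts deliberately never let a payment request straight through: a genuine request from the real executive address is still routed to review, because the manual approval step is what stops the fraud when the spoof is good enough to beat the header checks.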
I recommend that you implement a manual process for approving wire transfers or large lump sum payments immediately. Use 2-factor challenge/response logins for services like Gmail, Office 365, etc. (where a one-time PIN is texted to you before you can sign in). You may also want to contact your bank and implement a verbal protocol for electronic transactions.
Talk to your employees and share this message. Awareness training is the most effective thing you can do. We do everything we can for our clients to prevent these messages from getting through to you in the first place, but it’s a moving target that changes daily. Simple, human checks and balances are the best way to prevent this from happening to you. Please share.
As always, if you have any IT security questions or concerns, please feel free to reach out to us and follow us on social media.