The FBI this week posted an alert that showed wire transfer scams bled $2.3 Billion from “business email compromise” from October 2013 through February 2016. A couple of news outlets picked this up, including Brian Krebs.
When I was the head of security at a multi-national corporation, this was an issue that came up regularly. There were instances of very aggressive behavior, such as someone calling the call center pretending to be the CEO of one of the countries and demanding a $1 million dollar transfer. That was a very bold and very obvious fraud that the call center was able to handle. However, very often these requests came though email, just like the FBI reported.
When this happens, normally the scammer uses either a forged email domain very similar to the corporate one. If your user uses a browser without a fixed width font, they might get tricked into see the domain as legitimate, i.e. rnicrosoft.com vs microsoft.com (look closely), or a use of a sub domain that looks very similar, i.e. yourcom.panyname.com. Then the header is simply forged. In simple mail clients, like Gmail, you have to take extra steps to see the actual sender domain.
The emails are usually pretty short, lacking detail, such as :
“I need you to immediately produce a wire transfer for $13,000 and sent to the bank listed. I will follow up with you later.
And you might have a pdf attachment with banking details. Oddly enough, the PDFs I encountered were never malicious. They had legitimate account details so the wire transfers could be received.
Now you might think this is too simple and shouldn’t work. But obviously, it does, to the tune of $2.3 billion. You might ask yourself why, and if you aren’t, I’ll ask it for you. Self, why does this work?
Well consider that you might have a multibillion dollar corporation located in many countries. If you do business in certain countries, wire transfers are the norm. So wire transfers become part of a normal process for that company. And when someone asks for $13,000, or even as much as $75,000, for a company that posts $4.3 billion in revenue, they would not even blink an eye at this.
Scammers do a little recon, ask for an amount that is small to the company, and it gets processed. Little risk, high reward.
How would you protect against this?
The simplest method is verification of the request. The FBI suggests that a telephone call be placed to verify the request, which is a good practice. They also suggest two factor authentication for email, and limit social media activities, as scammers will do reconnaissance and determine if CEOs are traveling.
Krebs points out that some experts rely on technological controls such as DKIM and SPF. While these are things we recommend in our consultancy, they are complex for low maturity organizations and do require some effort and support. At the end of the day, they don’t actually solve the problem, because we are socially engineering human beings.
While all of these technology controls are good, we are dealing with humans. The best way to prevent this fraud from occurring is creating simple business processes that are enforced. In security terms, we would call this segregation of duties.
The simplest security
Simply put, segregation of duties says that no one person or one role should be allowed to execute a business process from start to finish. In the case of wire transfer fraud, for example, one person/role should not be able to create the wire transfer, approve it and execute it. Dividing these duties between two or more persons/roles means more eyes on the situation, and a potential to catch the fraud. A simple process map might look like:
Ensure that Role A and Role B have proper documentation (evidence) for each step of the request and approval, and you now have a specific security control that easily integrates into a business process. The key to enforcement: making sure every single request follows the chain every single time. No exceptions.
Now let me tell you about the one that almost made it.
There was one instance I dealt with which was one mouse click away from being executed.
An email (very similar to the example above) was sent to a director of finance, purportedly from the CEO. The director was busy that day, and filed the email away for processing later. By 4:55 pm or so, they realized they had not acted on the request. As it was almost end of day, and wire transfers are not processed by most banks after banking hours, she hurriedly forwarded the email to the wire transfer processor, marked with urgency, and made a call to ensure it was processed immediately. By the time it was picked up and put into the process, banks were closed. So they agreed it would execute first thing tomorrow morning.
That evening, a series of emails went back and forth between the approver, who was a simple finance analyst who held very firm to the process, and the requester. Though it had urgency, and people were shouting that it was a request from the CEO, the process prevailed.
All this time no one thought to actually verify the request, and this was not part of the process at that time. But because the approver was uncooperative with the request, it was escalated to the CFO, because the CEO was traveling, and he suspected it was fraudulent, and contacted me. We determined almost immediately it was fake, just by looking at email headers. There were other indicators too.
I immediately praised everyone involved, and bought them gifts for sticking to the process. The director might have felt ashamed, but I went to her as well and explained that these scams are successful because they count on stress and distraction to occur. These are normal human behaviors, and they sometimes cause us to act erratically. But because we had a firm process that was adhered to, all we lost was time.
There’s actually much more to this story, but I’ll save that for future posts.
Regardless of your organizations size or structure, you too can put this in place. If you are unsure these processes exist, start asking around. Begin with your controllers or comptrollers, or anyone in finance. Ask if you have a process for wire transfers, and if so what the process is. Get involved, understand how your business does business. This will benefit you in many ways.
Other things you can do:
- Join Infragard, the FBI and civilian alliance, which will get you in depth resources and information. You can also report fraud to the IC3, The Internet Crime Complaint Center.
- Ensure you have a separation of duties policy that is enforced
- Periodically train / update awareness of these issues with the people involved
All these are free, requiring only a time investment, and will go a long way toward avoiding the kind of wire transfer fraud scam the FBI is warning about.