September 2, 2015 By Douglas Bonderud 2 min read

Social engineering has become commonplace malware parlance. It’s a way to use employees’ existing social habits against them to access corporate networks or steal critical data. The use of these social attacks against business executives is mentioned less often since it’s assumed they have greater protection thanks to lesser-known email addresses and a greater degree of public scrutiny. However, as noted by Threat Post, cybercriminals are targeting execs with access to wire transfer privileges in business email compromise (BEC) scams that have netted $1.2 billion over the last two years.

Moving Money With Social Engineering

Wire transfers remain a popular way to move money overseas since they’re fast, cost-effective and relatively secure. Financial institutions typically don’t care where money is sent. If executives are tricked into wiring scammer accounts overseas, banks and transfer companies won’t take steps to reverse the charges or track the money. According to CSO Online, businesses in all 50 states and 79 other countries have been targeted. Data from the FBI indicates a 270 percent jump in the number of reported victims since January 2015.

How do malicious actors convince executives to make the wrong money moves? It starts with phone or email contact by fraudsters claiming to be lawyers or law firm reps handling critical or time-sensitive matters for the company. The secrecy and urgency of the matter is stressed, and scammers typically call at the end of the work day or week, putting more pressure on executives to act and giving malicious actors time to leverage the received data.

Two potential scenarios can play out here: Members of the C-suite may be pressured into sending money overseas to settle accounts or pay debts, or scammers may take sensitive information they’ve gleaned and create fake accounts almost identical to corporate profiles, which they use to convince wire transfer services of their validity.

Wire Wall

When it comes to large sums of money changing hands and heading across borders, common sense suggests companies double-check requests and triple-check their numbers before issuing any payments. However, scammers know what to expect and have adapted social engineering tricks to compensate.

It starts with phishing sites that look similar to corporate Web pages and email addresses that seem to originate from within the company. The addition of a personal phone call or legally dense email strikes at the heart of C-suite concerns about potential compliance audits or network compromise. If cybercriminals can convince executives that the business is under threat of litigation or a cyberattack is imminent, basic security training goes out the window — better to spend a little on a false alarm than millions of dollars on the real thing.

There are several ways to combat BEC scams. First, write rules that flag any email addresses that mimic corporate naming conventions. It’s also a good idea to register domains similar in brand name. Better yet, call the potential transfer recipient using a phone number that isn’t part of the email conversation to ensure they’re on the same level, and require dual authentication when it comes to high-value transfers.

Scammers no longer want the school, as big fish are the new targets. Avoiding the net means taking steps to ensure wire transfers always travel in a straight line.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today