September 2, 2015 By Douglas Bonderud 2 min read

Social engineering has become commonplace malware parlance. It’s a way to use employees’ existing social habits against them to access corporate networks or steal critical data. The use of these social attacks against business executives is mentioned less often since it’s assumed they have greater protection thanks to lesser-known email addresses and a greater degree of public scrutiny. However, as noted by Threat Post, cybercriminals are targeting execs with access to wire transfer privileges in business email compromise (BEC) scams that have netted $1.2 billion over the last two years.

Moving Money With Social Engineering

Wire transfers remain a popular way to move money overseas since they’re fast, cost-effective and relatively secure. Financial institutions typically don’t care where money is sent. If executives are tricked into wiring scammer accounts overseas, banks and transfer companies won’t take steps to reverse the charges or track the money. According to CSO Online, businesses in all 50 states and 79 other countries have been targeted. Data from the FBI indicates a 270 percent jump in the number of reported victims since January 2015.

How do malicious actors convince executives to make the wrong money moves? It starts with phone or email contact by fraudsters claiming to be lawyers or law firm reps handling critical or time-sensitive matters for the company. The secrecy and urgency of the matter is stressed, and scammers typically call at the end of the work day or week, putting more pressure on executives to act and giving malicious actors time to leverage the received data.

Two potential scenarios can play out here: Members of the C-suite may be pressured into sending money overseas to settle accounts or pay debts, or scammers may take sensitive information they’ve gleaned and create fake accounts almost identical to corporate profiles, which they use to convince wire transfer services of their validity.

Wire Wall

When it comes to large sums of money changing hands and heading across borders, common sense suggests companies double-check requests and triple-check their numbers before issuing any payments. However, scammers know what to expect and have adapted social engineering tricks to compensate.

It starts with phishing sites that look similar to corporate Web pages and email addresses that seem to originate from within the company. The addition of a personal phone call or legally dense email strikes at the heart of C-suite concerns about potential compliance audits or network compromise. If cybercriminals can convince executives that the business is under threat of litigation or a cyberattack is imminent, basic security training goes out the window — better to spend a little on a false alarm than millions of dollars on the real thing.

There are several ways to combat BEC scams. First, write rules that flag any email addresses that mimic corporate naming conventions. It’s also a good idea to register domains similar in brand name. Better yet, call the potential transfer recipient using a phone number that isn’t part of the email conversation to ensure they’re on the same level, and require dual authentication when it comes to high-value transfers.

Scammers no longer want the school, as big fish are the new targets. Avoiding the net means taking steps to ensure wire transfers always travel in a straight line.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today