September 2, 2015 By Douglas Bonderud 2 min read

Social engineering has become commonplace malware parlance. It’s a way to use employees’ existing social habits against them to access corporate networks or steal critical data. The use of these social attacks against business executives is mentioned less often since it’s assumed they have greater protection thanks to lesser-known email addresses and a greater degree of public scrutiny. However, as noted by Threat Post, cybercriminals are targeting execs with access to wire transfer privileges in business email compromise (BEC) scams that have netted $1.2 billion over the last two years.

Moving Money With Social Engineering

Wire transfers remain a popular way to move money overseas since they’re fast, cost-effective and relatively secure. Financial institutions typically don’t care where money is sent. If executives are tricked into wiring scammer accounts overseas, banks and transfer companies won’t take steps to reverse the charges or track the money. According to CSO Online, businesses in all 50 states and 79 other countries have been targeted. Data from the FBI indicates a 270 percent jump in the number of reported victims since January 2015.

How do malicious actors convince executives to make the wrong money moves? It starts with phone or email contact by fraudsters claiming to be lawyers or law firm reps handling critical or time-sensitive matters for the company. The secrecy and urgency of the matter is stressed, and scammers typically call at the end of the work day or week, putting more pressure on executives to act and giving malicious actors time to leverage the received data.

Two potential scenarios can play out here: Members of the C-suite may be pressured into sending money overseas to settle accounts or pay debts, or scammers may take sensitive information they’ve gleaned and create fake accounts almost identical to corporate profiles, which they use to convince wire transfer services of their validity.

Wire Wall

When it comes to large sums of money changing hands and heading across borders, common sense suggests companies double-check requests and triple-check their numbers before issuing any payments. However, scammers know what to expect and have adapted social engineering tricks to compensate.

It starts with phishing sites that look similar to corporate Web pages and email addresses that seem to originate from within the company. The addition of a personal phone call or legally dense email strikes at the heart of C-suite concerns about potential compliance audits or network compromise. If cybercriminals can convince executives that the business is under threat of litigation or a cyberattack is imminent, basic security training goes out the window — better to spend a little on a false alarm than millions of dollars on the real thing.

There are several ways to combat BEC scams. First, write rules that flag any email addresses that mimic corporate naming conventions. It’s also a good idea to register domains similar in brand name. Better yet, call the potential transfer recipient using a phone number that isn’t part of the email conversation to ensure they’re on the same level, and require dual authentication when it comes to high-value transfers.

Scammers no longer want the school, as big fish are the new targets. Avoiding the net means taking steps to ensure wire transfers always travel in a straight line.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today