Social engineering has become a commonplace term in discussions of malware. It’s a way to use employees’ existing social habits against them to gain access to corporate networks or steal critical data. The use of these social attacks against business executives is mentioned less often, since it’s assumed they enjoy greater protection thanks to lesser-known email addresses and a greater degree of public scrutiny. However, as noted by Threat Post, cybercriminals are targeting executives with wire transfer privileges in business email compromise (BEC) scams that have netted $1.2 billion over the last two years.
Moving Money With Social Engineering
Wire transfers remain a popular way to move money overseas since they’re fast, cost-effective and relatively secure. Financial institutions typically don’t care where money is sent: if executives are tricked into wiring funds to scammer accounts overseas, banks and transfer companies won’t take steps to reverse the transaction or track the money. According to CSO Online, businesses in all 50 states and 79 other countries have been targeted. Data from the FBI indicates a 270 percent jump in the number of reported victims since January 2015.
How do malicious actors convince executives to make the wrong money moves? It starts with phone or email contact from fraudsters claiming to be lawyers or law firm representatives handling critical or time-sensitive matters for the company. The secrecy and urgency of the matter are stressed, and scammers typically call at the end of the work day or week, putting more pressure on executives to act and giving the attackers time to use whatever information they have collected.
Two potential scenarios can play out here: Members of the C-suite may be pressured into sending money overseas to settle accounts or pay debts, or scammers may take sensitive information they’ve gleaned and create fake accounts almost identical to corporate profiles, which they use to convince wire transfer services of their validity.
When it comes to large sums of money changing hands and heading across borders, common sense suggests companies double-check requests and triple-check their numbers before issuing any payments. However, scammers know what to expect and have adapted social engineering tricks to compensate.
It starts with phishing sites that look similar to corporate Web pages and email addresses that seem to originate from within the company. The addition of a personal phone call or legally dense email strikes at the heart of C-suite concerns about potential compliance audits or network compromise. If cybercriminals can convince executives that the business is under threat of litigation or a cyberattack is imminent, basic security training goes out the window — better to spend a little on a false alarm than millions of dollars on the real thing.
There are several ways to combat BEC scams. First, write mail-filtering rules that flag any sender addresses that mimic corporate naming conventions. It’s also a good idea to register domains that resemble the company’s brand name before scammers can. Better yet, call the purported transfer recipient using a phone number that isn’t part of the email conversation to confirm the request is genuine, and require dual authentication for high-value transfers.
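One way to implement the first control above, flagging sender addresses that mimic the corporate naming convention, as an added example that is not from the original article; the corporate domain, the homoglyph table, the role-word list and the sample headers are constructed assumptions for the demo:

```python
import re
from email.utils import parseaddr

# Constructed example values: the corporate domain, homoglyph table and role
# words are assumptions for this demo, not values from the article.
CORPORATE_DOMAIN = "example-corp.com"
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
_ROLE_WORDS = re.compile(r"\b(ceo|cfo|legal|counsel|attorney)\b")


def _skeleton(domain: str) -> str:
    """Collapse look-alike character swaps so exarnple-c0rp.com == example-corp.com."""
    d = domain.lower()
    for fake, real in _HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_sender(from_header: str, corporate_domain: str = CORPORATE_DOMAIN) -> list:
    """Reasons a From: header looks like an impersonation of the company.
    Empty list: sender is the real corporate domain (spoofing of the real domain
    is left to SPF/DKIM/DMARC) or is unrelated to the brand."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if not domain or domain == corporate_domain:
        return []
    reasons = []
    brand = corporate_domain.split(".")[0].replace("-", "")
    if _skeleton(domain) == _skeleton(corporate_domain):
        reasons.append("homoglyph lookalike of corporate domain")
    elif _edit_distance(domain, corporate_domain) <= 2:
        reasons.append("typosquat within edit distance 2 of corporate domain")
    elif brand in domain.replace("-", "").replace(".", ""):
        reasons.append("brand name embedded in an unrelated domain")
    if corporate_domain in display.lower() or _ROLE_WORDS.search(display.lower()):
        reasons.append("display name claims a corporate or legal role from an external domain")
    return reasons
```

A mail gateway would route any message with a non-empty result to quarantine or add a visible external-sender banner; an empty result is not proof of legitimacy, only that this particular rule found nothing.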
Scammers are no longer after the school of small fish; big fish are the new targets. Avoiding the net means taking steps to ensure wire transfers always travel in a straight line.