Earlier this week I attended my quarterly peer group meetings. At the meeting, one of the attendees shared a recent security event that had significant financial consequences for one of their clients. The client was tricked into wiring several HUNDRED THOUSAND dollars to a bank account under criminal control.
How did the criminals pull off this robbery? In doing forensics on the security event, the IT company was able to identify a phishing email that tricked the client into entering their email login and password for Office 365. The phishing email was targeted at the Chief Financial Officer (CFO) of the company. When the CFO entered their credentials into what appeared to be a Microsoft email login request, the criminals captured a copy of the CFO’s credentials. After gaining the credentials, the criminals periodically logged into the CFO’s email account, watching for a legitimate Electronic Funds Transfer (EFT) transaction to be scheduled. When they noted a transfer about to take place, the criminals “spoofed” the email that contained instructions to the CFO on where to wire the funds, substituting the criminals’ bank routing and account information for the vendor’s information. The CFO believed the bank information was from their vendor, dutifully updated the EFT information and transferred the funds. By the time the CFO and vendor realized the funds hadn’t arrived, and the CFO followed up with their bank, the funds had already moved into and out of the criminals’ bank account. In other words, the money was gone.
This attack illustrates the increasing level of sophistication, and the targeted, direct-marketing-style techniques, that criminals are employing to trick their victims into costly mistakes. Using social engineering techniques, the criminals identified the target, created a plausible phishing email to cause the CFO to enter their credentials, and then used their knowledge of the business and of bank wire transfer procedures to execute their criminal plan. The criminals had knowledge, patience and a plan, and in this case they caused a costly security event.
Best practices to avoid this problem:
- Use a third-party spam filter to catch suspicious emails before they reach their targets.
- Use a third-party spam filter that checks every link in emails.
- Use a DNS service that screens web sites before allowing connections.
- When doing EFTs or wiring funds, call the receiving party at a known, previously verified phone number to confirm the bank information verbally before hitting the send button.