sometimes the simplest security works the best

Published at 2016-04-13 19:45:49

The FBI this week posted an alert showing that wire transfer scams bled $2.3 billion from "business email compromise" between October 2013 and February 2016. A couple of news outlets picked this up, including Brian Krebs. When I was the head of security at a multinational corporation, this was an issue that came up regularly. There were instances of very aggressive behavior, such as someone calling the call center pretending to be the CEO of one of the countries and demanding a $1 million transfer. That was a very bold and very obvious fraud that the call center was able to handle. Very often, however, these requests came through email, just like the FBI reported.

When this happens, the scammer normally uses either a forged email domain very similar to the corporate one, or a subdomain that looks very similar. If your user's browser does not use a fixed-width font, they might be tricked into seeing the domain as valid, e.g. rnicrosoft.com vs. microsoft.com (look closely); the subdomain variant looks like yourcom.panyname.com. Then the header is simply forged. In simple mail clients, like Gmail, you have to take extra steps to see the actual sender domain. The emails are usually pretty short and lacking in detail, such as: "I need you to immediately make a wire transfer for $13000 and send it to the bank listed. I will follow up with you later. Regards, CEO NAME". And you might have a PDF attachment with banking details. Oddly enough, the PDFs I encountered were never malicious. They had valid account details so the wire transfers could be received.

Now you might think this is too simple and shouldn't work. But obviously it does, to the tune of $2.3 billion. You might ask yourself why, and if you aren't, I'll ask it for you. Self, why does this work? Well, consider that you might have a multibillion dollar corporation located in many countries. If you do business in certain countries, wire transfers are the norm.
So wire transfers become part of a normal process for that company. And when someone asks for $13000, or even as much as $75000, a company that posts $4.3 billion in revenue would not even blink an eye at it. Scammers do a little recon, ask for an amount that is small to the company, and it gets processed. Little risk, high reward.
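As an added example (not code from the original post), here is a small sender-domain check that flags the two lookalike tricks described above before a request ever reaches the finance process; the corporate domain and sample headers are constructed for illustration.

```python
"""Added example, not from the original post: classify the sender domain of
an emailed wire-transfer request. It flags the two lookalike tricks the post
describes: confusable characters (rnicrosoft.com) and a company name split
across labels of someone else's domain (yourcom.panyname.com)."""
from email.utils import parseaddr

# Sequences that read like the real thing in a proportional font.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def registrable_domain(domain: str) -> str:
    # Last two labels; a simplification that ignores suffixes such as co.uk.
    return ".".join(domain.lower().split(".")[-2:])


def normalize(domain: str) -> str:
    # Drop dots and fold confusables so lookalikes compare equal to the original.
    s = domain.lower().replace(".", "")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def classify_sender(from_header: str, corporate_domain: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "external"                       # no usable address at all
    domain = addr.rsplit("@", 1)[1].lower()
    corp = corporate_domain.lower()
    if domain == corp or domain.endswith("." + corp):
        return "internal"
    # The company name survives dot removal and confusable folding, yet the
    # domain that actually receives replies belongs to someone else: flag it
    # for the verification call rather than treating it as external noise.
    if normalize(corp) in normalize(domain) and registrable_domain(domain) != corp:
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers in the style of the post's examples.
    for header in ("CEO NAME <ceo@microsoft.com>",
                   "CEO NAME <ceo@rnicrosoft.com>",
                   "ceo@microsoft.com.evil.example"):
        print(header, "->", classify_sender(header, "microsoft.com"))
```

A "lookalike" verdict is a trigger for the out-of-band verification call, not proof of fraud; legitimate partner domains that contain the company name will also be flagged for review.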
How would you protect against this? The simplest method is verification of the request. The FBI suggests that a telephone call be placed to verify the request, which is a good practice. They also propose two-factor authentication for email, and limiting social media activity, as scammers will do reconnaissance and determine whether CEOs are traveling. Krebs points out that some experts rely on technological controls such as DKIM and SPF. While these are things we recommend in our consultancy, they are complex for low-maturity organizations and do require some effort and support. At the end of the day, they don't actually solve the problem, because the attack is social engineering of human beings. While all of these technology controls are good, we are dealing with humans. The best way to prevent this fraud from occurring is creating simple business processes that are enforced. In security terms, we would call this segregation of duties.

The simplest security

Simply put, segregation of duties says that no one person or one role should be allowed to execute a business process from start to finish. In the case of wire transfer fraud, for example, one person/role should not be able to create the wire transfer, approve it and execute it. Dividing these duties between two or more persons/roles means more eyes on the situation, and a potential to catch the fraud. A simple process map might look like:

Ensure that Role A and Role B have proper documentation (evidence) for each step of the request and approval, and you now have a specific security control that easily integrates into a business process. The key to enforcement: making certain every single request follows the chain every single time. No exceptions.

Now let me tell you about the one that nearly made it. There was one instance I dealt with which was one mouse click away from being executed. An email (very similar to the example above) was sent to a director of finance, purportedly from the CEO.
The director was busy that day, and filed the email away for processing later. By 4:55 pm or so, they realized they had not acted on the request. As it was nearly end of day, and wire transfers are not processed by most banks after banking hours, she hurriedly forwarded the email to the wire transfer processor, marked with urgency, and made a call to ensure it was processed immediately. By the time it was picked up and put into the process, banks were closed. So they agreed it would execute first thing the next morning. That evening, a series of emails went back and forth between the approver, who was a finance analyst who held very firm to the process, and the requester. Though it had urgency, and people were shouting that it was a request from the CEO, the process prevailed. All this time no one thought to actually verify the request, and this was not part of the process at that time. But because the approver was uncooperative with the request, it was escalated to the CFO, because the CEO was traveling, and he suspected it was fraudulent and contacted me. We determined nearly immediately it was fake, just by looking at email headers. There were other indicators too. I immediately praised everyone involved, and bought them gifts for sticking to the process. The director might have felt ashamed, but I went to her as well and explained that these scams are successful because they count on stress and distraction. These are normal human behaviors, and they sometimes cause us to act erratically. But because we had a firm process that was adhered to, all we lost was time. There's actually much more to this story, but I'll save that for future posts.

Regardless of your organization's size or structure, you too can put this in place. If you are unsure these processes exist, start asking around. Begin with your controllers or comptrollers, or anyone in finance. Ask if you have a process for wire transfers, and if so, what the process is. Get involved, and understand how your business does business. This will benefit you in many ways. Other things you can do:

- Join InfraGard, the FBI and civilian alliance, which will get you in-depth resources and information. You can also report fraud to the IC3, the Internet Crime Complaint Center.
- Ensure you have a separation of duties policy that is enforced.
- Periodically train and update awareness of these issues with the people involved.

All these are free, requiring only a time investment, and will go a long way toward avoiding the kind of wire transfer fraud scam the FBI is warning about.
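As an added example (not code from the original post), the following models the segregated create/approve/execute chain described above, with the verification call the FBI recommends built into the approval step; the role names, amount and beneficiary are constructed placeholders. Run with the near-miss scenario from the story, the request stays blocked exactly where the analyst held the line.

```python
"""Added example, not from the original post: a minimal model of the
segregated wire-transfer process it describes. Create, approve and execute
must be done by three different people, each step records evidence, and
approval requires an out-of-band verification call to the requester."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class ProcessViolation(Exception):
    """A step that would break the chain; the transfer does not proceed."""


@dataclass
class WireRequest:
    amount: int
    beneficiary: str
    evidence: List[Tuple[str, str, str]] = field(default_factory=list)
    created_by: Optional[str] = None
    approved_by: Optional[str] = None
    executed_by: Optional[str] = None

    def create(self, actor: str, source: str) -> None:
        self.created_by = actor
        self.evidence.append(("create", actor, f"received via {source}"))

    def approve(self, actor: str, verified_by_callback: bool) -> None:
        if actor == self.created_by:
            raise ProcessViolation("creator may not approve own request")
        if not verified_by_callback:
            raise ProcessViolation("requester not verified out of band")
        self.approved_by = actor
        self.evidence.append(("approve", actor, "callback to known number"))

    def execute(self, actor: str) -> str:
        if self.approved_by is None:
            raise ProcessViolation("no approval on file")
        if actor in (self.created_by, self.approved_by):
            raise ProcessViolation("executor must differ from creator/approver")
        self.executed_by = actor
        self.evidence.append(("execute", actor, f"{self.amount} to {self.beneficiary}"))
        return "executed"


def emailed_request_outcome(verified_by_callback: bool) -> str:
    """The post's scenario with constructed values: an urgent emailed 'CEO'
    request goes through the chain; without verification it stays blocked."""
    req = WireRequest(13000, "ACCOUNT-FROM-PDF (placeholder)")
    req.create("finance.director", "forwarded email marked urgent")
    try:
        req.approve("finance.analyst", verified_by_callback)
        return req.execute("wire.processor")
    except ProcessViolation as exc:
        return f"blocked: {exc}"
```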

Source: rapid7.com