Threat intelligence sources, including the US Federal Government, report wire transfer fraud as one of the top risks for most businesses, and our alternative investment clients are no different. A bad actor convinces an organization to wire funds to a bank account that the intended recipient does not own, and we see this all too often. In fact, our latest case involved responding to an incident where nearly $5 million was wired to a bad actor.
The FBI recently estimated this type of fraud has caused over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017 — the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.
In mid-October the SEC issued a report entitled “…Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements”, in which it detailed reports from nine different companies that fell victim to this scam, each losing at least $1 million and two of them losing more than $30 million.
So how do these frauds actually happen, and how do you prevent them?
Usually this wire transfer fraud is the result of several different attacks, including pretexting, phishing, alternative forms of social engineering, malware, and especially a business email compromise attack. After the bad actor has obtained the email login credentials, one of the next Indicators of Compromise (IOC) is the creation of an email server (Exchange or Office365) rule that forwards all email to a certain external email address and/or automatically deletes certain emails.
If your Managed Detection and Response provider knows what they’re doing, they’ve already created a rule to generate an alert anytime one of these “email server rules” is created. Your partner should then reach out to you to confirm whether the mailbox rule behind the alert is legitimate. It’s these types of alerts that catch the multi-faceted attacks the good guys are up against, saving you from falling victim to wire transfer fraud or any number of other negative outcomes associated with a Business Email Compromise attack. These types of rules, along with Advanced Email Protection warnings (for possible phishing attacks), are what we recommend for all of our clients. If your cybersecurity partner isn’t talking to you about this type of work, come talk to us.
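The alert described above can be sketched as detection logic over mailbox audit records. This is an added example, not code from this article or from any provider's product; it assumes records shaped like Exchange entries in the Office 365 unified audit log, and the domain names and sample records are constructed for illustration.

```python
import json

# Assumption: records use the Office 365 audit shape (Operation, UserId, Parameters as Name/Value).
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
INTERNAL_DOMAINS = {"example-fund.com"}  # hypothetical: the firm's own mail domains

# Constructed sample records, one JSON object per line; not from a real tenant.
SAMPLE_LOG = """
{"CreationTime":"2018-11-02T08:14:09","Operation":"New-InboxRule","UserId":"cfo@example-fund.com","ClientIP":"203.0.113.50","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"smtp:collector@mailbox.example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2018-11-02T09:01:44","Operation":"New-InboxRule","UserId":"analyst@example-fund.com","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"}]}
{"CreationTime":"2018-11-02T09:30:12","Operation":"Set-InboxRule","UserId":"ops@example-fund.com","ClientIP":"198.51.100.9","Parameters":[{"Name":"ForwardTo","Value":"assistant@example-fund.com"}]}
{"CreationTime":"2018-11-02T10:05:00","Operation":"MailboxLogin","UserId":"ops@example-fund.com","ClientIP":"198.51.100.9"}
"""

def external_recipients(value):
    """Return addresses in a forwarding parameter that are outside our domains."""
    found = []
    for part in value.replace(",", ";").split(";"):
        addr = part.strip().strip('"').lower()
        if addr.startswith("smtp:"):
            addr = addr[5:]
        if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            found.append(addr)
    return found

def inspect_record(record):
    """Return an alert dict for a rule that forwards externally or deletes mail, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}
    reasons = []
    for name in sorted(FORWARD_PARAMS & set(params)):
        for addr in external_recipients(params[name]):
            reasons.append(f"{name} -> external address {addr}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching mail")
    if not reasons:
        return None
    return {"time": record.get("CreationTime"), "user": record.get("UserId"),
            "ip": record.get("ClientIP"), "reasons": reasons}

def scan(log_text):
    records = (json.loads(line) for line in log_text.splitlines() if line.strip())
    return [alert for alert in map(inspect_record, records) if alert]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["time"], a["user"], a["ip"], "; ".join(a["reasons"]))
```

Rules that only file mail into a folder or forward to an internal address are not flagged, which keeps the alert volume low enough that each hit can be confirmed with the mailbox owner.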
FBI, 2017 Internet Crime Report (issued May 7, 2018) – https://pdf.ic3.gov/2017_IC3Report.pdf