BY ANTHONY VALENTI, CFE, CAMS; AND STEPHEN KORINKO, CFE, CAMS, CPP




DOMAINS IN DISGUISE
FAKE DOMAIN WIRE-TRANSFER SCHEME

Using a classic phishing scheme, fraudsters are taking control of company email accounts to initiate wire transfers from unsuspecting employees. We show how crooks lure victims into their traps and how you can protect your clients.

A new controller, Sam, reported for work at ABC Tire Company. He was anxious to prove that his employer had hired the right person. In his first week, he received an email from the company CEO with the instructions: "Process a wire of $205,250.29 ASAP to the below account information. Code it to professional services. Send me the confirmation when completed. Gary, CEO."

Sam promptly followed his CEO's instructions and completed the wire. When he approached the CEO the following day, he smiled and said, "Sir, I took care of that wire transfer you requested." The CEO responded, "What wire transfer?" To his horror, Sam realized he'd been a victim of an Internet fraud scheme. The email had come from a fake, cleverly disguised corporate domain.

This scenario describes a crime that's occurring in all types of international organizations. Our company first began receiving reports in spring of 2014 about a scheme that tricked companies into fraudulently wiring funds to vendors with overseas bank accounts. It first appeared to resemble a standard phishing attack. [Cybercriminals use emails to "phish" for personally identifiable sensitive information (PII) such as usernames and passwords. A legitimate-looking email requests the recipient to click a link and log in. The victim enters PII onto the site and the phish is speared.] However, we soon found that the scheme had three unique traits:

1) It used a fake email domain intentionally designed to fool the recipient into thinking it came from his or her company.
2) The victim companies, rather than the banks, suffered the full loss of the funds.
3) It had an alarmingly high success rate, a sure sign that it will be a growing trend.

In this fraud, a company's accounting personnel receive an email from a senior executive in the company who requests that they wire funds to an overseas bank account, supposedly for a new vendor, only to find out after the transaction that the email was forged.

As the reports started pouring in from our clients, the U.S. Secret Service confirmed that a wire transfer scheme using fake email domains and exhibiting the three unique traits listed above was becoming widespread throughout the country. According to our investigation, the fraudsters:

- Knew the executive and staffer in the organization who were responsible for transferring funds by wire.
- Appeared to know the wire transfer limits of those targeted in the organization.
- Had access to the email inboxes, calendars and voice messaging systems of those responsible for transferring funds by wire.
- Used similar language in the emails requesting funds transfers (except for amounts and banking instructions to complete the transfer of funds).
- Requested funds be wired to first-time vendors.

Initially, the details of this scheme and the high success rate suggested that insiders were assisting the fraudsters. In each case we reviewed, the fraudsters appeared to have proprietary information uniquely available to the company's executives, their assistants and accounting staffers. However, we discovered that the fraudsters didn't need any inside help. They had insidiously penetrated client systems by covertly reading emails between executives and employees. Via phishing attacks or social engineering, the fraudsters identified those responsible for transfers, their funding limitations, corporate accounting expense recordings and bank protocols relating to wire transfer requests. The fraudsters waited for the optimum time to email the unassuming accounting staffer in an executive's name to request the wire transfer. (The best time was when the party who could order the transfer was traveling or otherwise difficult to reach or unavailable, but not the functionary who made the transfer request based on the phony email.) They typically used a fake domain, usually obtained from a foreign vendor, that was very similar to the company's actual domain, so that it wasn't suspicious to the recipient and the executive they were impersonating didn't detect the email.

The fraudsters had the payment initially directed to a non-U.S. bank account and then redirected the funds several times until the money reached a bank located in a known tax haven, which made retrieval and/or prosecution difficult, if not impossible. Recent cases have seen funds end up in U.S. accounts as well. Successful fraudsters emptied the accounts within hours to days after the wire transfers, so the only way for victim companies to retrieve the funds was to quickly recall the transfers or freeze accounts. Once the transfers were complete, so were the financial losses to the companies, while the banks remained unscathed. Prevention is the only true protection: Strong vendor protocols, financial controls and staff communication and training are essential to thwarting these fraudsters.

FRAUD MAGAZINE MARCH/APRIL 2015 FRAUD-MAGAZINE.COM ©2015 Association of Certified Fraud Examiners, Inc.
GETTING INSIDE

For many of the victimized companies, it's often a mystery how fraudsters targeted their business, identified the decision makers and gained access. However, simple searches on social media sites will often supply names, titles and responsibilities of current and former employees of targeted companies, from C-suite executives to functionaries in accounts payable departments. When social media is unhelpful, those fraudsters who are expert social engineers will call employees to obtain the identities of their targets. We've even seen successful schemes in which unsophisticated accounting employees have given out sensitive business information, such as wire transfer protocols, bank account details and passwords, to fraudsters posing as legitimate third parties. Fraudsters then will initiate phishing attacks hoping just one staffer will be induced to provide the access that sets the scheme in motion.

An early iteration of the scheme used a phishing attack with a fake Google Docs website to capture corporate email logins from targeted employees of victim companies, usually staffers in the accounting department. (See Figure 1 below.) Recent attacks have leveraged the ability to host the website on Google's hosting platform, so the URL seems legitimate, and the web page is a near-perfect replica of Google's login page. When the employee enters company-provided email credentials into the web form and clicks "View Document," the phishing website redirects the employee to a page that claims the document can't be found. But now the employee's credentials have been sent to the fraudster, who then uses them to log into the email account.

Spending just a short time in employees' email accounts enables the fraudster to gather the information he needs to execute the fraudulent wire transfer requests. Armed with the necessary information and access, the fraudster patiently monitors the executive's email account and waits for the optimum time to execute the fraud. The fraudster, who has complete control of that account, can permanently delete emails or create mailbox rules to redirect any replies from recipients to the trash or archives.

[Figure 1: Sample phishing Google Docs webpage. Note login request and non-Google domain.]

Figure 2: Fake domain wire transfer scheme sample fraudulent emails

From: executive@fakedomain1.com
Sent: Mon, May 19, 2014 at 10:01 AM
Name - please wire $35,500.00 to our clients XXXX bank account details below today. This is to pay an approved invoice to XXXX
[Fraudsters' ABA route transit number, Bank Account and Beneficiary Information]
Please send me wire transfer confirmation when completed.

From: executive@fakedomain2.com
Sent: Tue, May 27, 2014 at 11:07 AM
Name - please wire $45,200.00 to our clients XXXXX account details below today. This is to pay an approved invoice to XXXX, you can do it online.
[Fraudsters' ABA, Bank Account and Beneficiary Information]
Please send me wire transfer confirmation when completed.

From: executive@fakedomain3.com
Sent: Wednesday, May 28, 2014 1:17 PM
Subject: Fwd: Wiring Instructions
[Fraudsters' ABA, Bank Account and Beneficiary Information]
Process a wire of $257,146.29 to the attached account information ASAP. Code it to Professional Services. Send me the confirmation when completed.

From: executive@fakedomain4.com
Sent: Tue, Jun 10, 2014 at 12:54 PM
Cc: xxxxxx@gmail.com, yyyyyy@gmail.com, zzzzzz@pmcupa.com
Name - please wire $61,000.00 to our clients XXXX account details below today. This is to pay an approved invoice to XXXX.
[Fraudsters' ABA, Bank Account and Beneficiary Information]
Please send me wire transfer confirmation when completed.

From: executive@fakedomain5.com
Sent: Friday, June 13, 2014 3:25 PM
Subject: Fwd: Wiring Instructions
Attachments: [reflects Fraudsters' ABA, Bank Account and Beneficiary Information]
Name: Process a wire of $82,050 to the attached account information. Code it to Misc. expense and Send me confirmation when completed. I'll forward support later on.
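The mailbox-rule tactic described above (rules that route replies about the wire to the trash or an archive folder) leaves a record that can be audited after a suspected compromise. The following Python is an added example, not the authors' or Stroz Friedberg's code; the rule records and their field names (displayName, conditions, actions) are constructed assumptions that resemble what common mailbox APIs return, and the domain abctire.com stands in for the article's ABC Tire Company. It flags rules that hide or delete matching mail, forward it to an outside address, or carry a near-empty name, and reports a keyword-only rule only when it also does one of those things.

```python
"""Audit mailbox rules for the reply-hiding pattern described in the article.

Added example, not from the article. The rule records below are constructed
to resemble the shape returned by common mailbox APIs (a display name, match
conditions and actions); the field names are an assumption for illustration.
"""
from __future__ import annotations

# Folders where a redirected reply effectively disappears from the owner's view.
HIDING_FOLDERS = {"deleted items", "trash", "archive", "rss feeds",
                  "junk email", "conversation history"}

# Words a rule would match to intercept replies about a wire request.
WIRE_TERMS = {"wire", "transfer", "invoice", "payment", "confirmation", "bank"}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_rule(rule: dict, corporate_domain: str) -> list[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings = []
    conditions = rule.get("conditions", {})
    actions = rule.get("actions", {})

    matched_terms = {w.lower() for w in conditions.get("bodyOrSubjectContains", [])}
    if matched_terms & WIRE_TERMS:
        findings.append("matches wire/payment keywords")

    target = actions.get("moveToFolder", "").lower()
    if actions.get("delete") or actions.get("permanentDelete") or target in HIDING_FOLDERS:
        findings.append("hides or deletes matching mail")
    if actions.get("markAsRead"):
        findings.append("marks mail as read (suppresses unread count)")

    external = [a for a in actions.get("forwardTo", []) if domain_of(a) != corporate_domain]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))

    name = rule.get("displayName", "").strip()
    if len(name) <= 1:
        findings.append("single-character or empty rule name")

    # A keyword match on its own is ordinary housekeeping; the combination matters.
    if findings == ["matches wire/payment keywords"]:
        return []
    return findings


def audit_mailbox(rules: list[dict], corporate_domain: str) -> dict[str, list[str]]:
    """Map each suspicious rule id to its findings."""
    report = {}
    for rule in rules:
        found = audit_rule(rule, corporate_domain)
        if found:
            report[rule["id"]] = found
    return report


# Constructed sample: one benign rule and two of the kind a mailbox intruder adds.
SAMPLE_RULES = [
    {"id": "r1", "displayName": "Newsletters",
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Reading"}},
    {"id": "r2", "displayName": ".",
     "conditions": {"bodyOrSubjectContains": ["wire", "confirmation"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
    {"id": "r3", "displayName": "Sync",
     "conditions": {"bodyOrSubjectContains": ["invoice"]},
     "actions": {"forwardTo": ["collector@example.net"], "delete": True}},
]

if __name__ == "__main__":
    for rule_id, findings in audit_mailbox(SAMPLE_RULES, "abctire.com").items():
        print(rule_id, "->", "; ".join(findings))
```

Run against a real export, the same function applies to every mailbox that can request or key a wire, not only the executive's; the article notes that the staffer's credentials are what the phishing page captures first.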
In some cases, the fraudster appears to wait until the executive is traveling or otherwise difficult to reach to execute the scheme. Apparently, he does this to thwart bank protocols, including the routine call-back protocol that requires verbal authorization from the executive with ultimate responsibility for the funds transfer. Our company investigated two instances in which the fraudsters had apparent control of the executives' systems and knowledge of bank call-back protocols when they attempted to execute the schemes.

In one case, a client reported that the bank had called the executive while he was traveling and left a voice message requesting authorization to execute the transfer of funds. The fraudsters had access to the executive's voice messaging system and intercepted the message. One of the fraudsters impersonated the executive and subsequently wrote an email from the executive's email box acknowledging receipt of the voice message. The fraudster, in the guise of the executive, informed the bank representative that he couldn't return the call but confirmed the wire instructions, which the bank dutifully performed. Another client reported a similar attempt that was unsuccessful because an employee followed an internal control.

EXECUTING THE FRAUD

Regardless of how fraudsters gained access to a company's systems, they always used a fake domain, typically purchased from New Zealand or India. Because the fraudsters acquired the domain through overseas vendors, it was highly unlikely that private parties or U.S. law enforcement could identify the fraudster. First, investigating those vendors can be cost-prohibitive. Second, due to foreign privacy laws, vendors might not be required to verify that the purchaser is a real person or entity, and there's no guarantee that a foreign court would recognize U.S. civil or criminal processes and require disclosure of the domain purchaser.

The fraudsters created domains nearly identical to the real domains of the target companies. In the ABC Tire Company example, the fake domain could, for instance, have an extra "i" in the word Tire (JSmith@ABCTiire.com instead of JSmith@ABCTire.com). Normally, if a fraudster carefully executes the rest of the email, the victim won't notice the false domain.

In all the different reports we examined, the emails requesting the fraudulent wire transfer of funds used a similar, simple format with particular language engineered to trick the email target. Figure 2 provides five actual, sanitized examples of emails used in either attempted or successful frauds using fake domains. The emails use urgent language from the authorized executive along with specific and familiar expense codes ("Misc" or "Professional Services"), which place pressure on employees to expedite the wire transfer. While it seems hard to believe, employees in multiple companies prepared wire transfers to new, first-time vendors, which is arguably the biggest red flag in the scheme. In one instance, the employee wired the funds to an overseas account, a first for the victim company, to a first-time vendor. Thus, the employee failed to recognize two bright red flags: the new vendor and the company's first international transfer of funds.

GETTING THE MONEY

Another unique aspect of this scheme was that the fraudsters didn't need the company's banking information to execute it. If the fraudsters were successful, they learned the company's bank and account information from the receiving bank, which possibly led to more theft.
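Two of the signals described above, a sender domain that differs from the company's by a character or two and the urgent, templated wording of the Figure 2 emails, can be checked mechanically before a request reaches anyone who can key a wire. The Python below is an added example written for this page, not the authors' or Stroz Friedberg's code; the legitimate domain abctire.com, the lookalike abctiire.com and the three sample messages are constructed from the article's ABC Tire scenario and the Figure 2 wording. A "hold" decision means the request is not actioned until the purported sender is reached on a number the company already holds.

```python
"""Screen an inbound wire request for a lookalike sender domain and for the
urgent, templated wording seen in the article's Figure 2 emails.

Added example, not the article's code. Domain names and messages below are
constructed; abctire.com stands in for the article's ABC Tire Company.
"""
from __future__ import annotations
import re

# Vocabulary that recurs across the Figure 2 emails.
URGENCY = ("asap", "today", "immediately", "urgent")
WIRE_LANGUAGE = ("wire", "account information", "account details",
                 "send me the confirmation", "send me wire transfer confirmation",
                 "approved invoice", "code it to")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small, non-zero distance between domains is the lookalike signal."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Domain part of 'Name <user@host>' or 'user@host', lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(">")


def lookalike_domain(sender: str, legit_domains: set[str], max_distance: int = 2) -> str | None:
    """Return the legitimate domain the sender imitates, or None.

    An exact match is legitimate. A near match (1..max_distance edits away, or
    the same name under a different TLD) is treated as a lookalike.
    """
    dom = domain_of(sender)
    if dom in legit_domains:
        return None
    label = dom.split(".")[0]
    for legit in legit_domains:
        if levenshtein(dom, legit) <= max_distance or label == legit.split(".")[0]:
            return legit
    return None


def screen_wire_request(msg: dict, legit_domains: set[str]) -> dict:
    """Return the flags raised by one message plus a 'hold'/'normal' decision."""
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    flags = {}
    imitated = lookalike_domain(msg["from"], legit_domains)
    if imitated:
        flags["lookalike_domain"] = f"{domain_of(msg['from'])} imitates {imitated}"
    if any(w in text for w in URGENCY):
        flags["urgency"] = True
    if sum(p in text for p in WIRE_LANGUAGE) >= 2:
        flags["wire_instruction_language"] = True
    if re.search(r"\$\s?\d[\d,]*(\.\d{2})?", text):
        flags["dollar_amount"] = True
    external_cc = [a for a in msg.get("cc", []) if domain_of(a) not in legit_domains]
    if external_cc:
        flags["external_cc"] = external_cc
    hold = "lookalike_domain" in flags or (
        flags.get("urgency") and flags.get("wire_instruction_language"))
    flags["decision"] = "hold" if hold else "normal"
    return flags


# Constructed samples modelled on the article's scenario and Figure 2 wording.
SAMPLES = [
    {"from": "Gary <gary@abctiire.com>", "subject": "Fwd: Wiring Instructions",
     "body": "Process a wire of $205,250.29 ASAP to the below account information. "
             "Code it to professional services. Send me the confirmation when completed."},
    {"from": "gary@abctire.com", "subject": "Q2 budget",
     "body": "Please send me the revised numbers when you have them."},
    {"from": "executive@abctire.co", "cc": ["xxxxxx@gmail.com"],
     "body": "Name - please wire $61,000.00 to our clients account details below today."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", screen_wire_request(m, {"abctire.com"}))
```

The edit-distance check catches the doubled-letter and dropped-letter variants the article describes; the separate label comparison catches the same company name under another top-level domain, which edit distance alone can miss when the TLD is long.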
Fraudsters will open bank accounts with small deposits seven to 10 days prior to attempts to execute frauds. In most early instances of the scheme we saw, fraudsters left instructions at the receiving banks to transfer the funds to international accounts in countries without an extradition treaty with the U.S. More recently, fraudsters have directed funds to accounts at U.S. banks. In one case, the fraudster transferred funds from a foreign (Canadian) victim to a Miami bank. The fraudster then had the bank transfer a substantial portion of the deposited funds to a personal account in the same bank and withdrew $50,000 in currency before leaving the bank. Remarkably, bank officials weren't suspicious of the customer who, within days of opening an account with a $50 cash deposit, was withdrawing $50,000 in currency. (The fraudsters' use of a U.S. bank suggests that in some iterations of the fraud they now use straw men to open and empty accounts, a significant and less sophisticated mutation of the original scheme.)

In another U.S. example, the fraudster requested the victim entity to transfer funds to the account of a legitimate yacht broker from whom the fraudster planned to purchase a small yacht. However, the victim company became suspicious of the wire transfer request prior to its authorization. Fraudsters who use U.S. banks and middlemen potentially increase their risk of being caught, but they gain access to the funds more quickly. Additionally, unlike other fraud schemes (counterfeit checks, credit card fraud, identity theft), in which banks typically incur financial losses, the fraudsters in this scheme have rightfully concluded that banks are extremely reluctant to question transactions in which they have no loss exposure.

WHAT CAN VICTIMS DO?

Once the wire transfer is complete, it's nearly impossible to reverse it if the fraud isn't detected almost immediately. And because the bank doesn't suffer any loss as long as it follows proper procedures, it won't freeze an account or return funds unless it's notified of the fraud. The only hope of recovering funds is a quick response. A victim company must react by notifying its bank's fraud unit and requesting the immediate recall of the wire transfer or a freeze on accounts with balances. Bank protocols permit the freezing of accounts where funds from suspected fraudulent activity have been deposited. The victim company's insurance company might require it to file complaints with local and federal law enforcement, FBI and/or Secret Service, which it should do regardless. As first-responder investigators, we also advise companies to review past transfers to spot other possible fraudulent wires.

PROTECT YOURSELF AND YOUR CLIENTS

Fraudsters typically target mid- to large-size companies because they routinely transfer hundreds of thousands of dollars to third parties that are unfamiliar to accounting staffers. However, smaller companies aren't immune; a significant loss may severely impact their ability to continue operations. The first prevention step is to review wire transfer protocols, both internally and with the bank. Companies must insist that banks have call-back protocols and adhere to them regardless of how difficult it might be to reach the designated officials.
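The protocol review the article calls for can be written down as pre-release checks that every outbound wire must pass, covering the red flags the article names: a first-time vendor, the company's first international transfer, an amount above the requester's wire limit, changed bank details, and any request that arrived only by email. The Python below is an added example, not the authors' code or any bank's procedure; the vendor master, wire limits, request format and the ABC Tire-style scenario data are constructed assumptions. A request that trips any check is held until the named control has been performed out of band.

```python
"""Pre-release checks for an outbound wire, modelled on the controls the
article lists. Added example; the vendor master, request format and limits
are constructed assumptions, not a real institution's procedure.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    owner: str            # official who "owns" the vendor relationship
    country: str
    account: str          # bank account on file
    callback_phone: str   # verified number on file, never one taken from an email
    paid_before: bool = False


@dataclass
class WireRequest:
    vendor_name: str
    amount: float
    beneficiary_country: str
    beneficiary_account: str
    requested_by: str     # the executive named as the requester
    initiated_by: str     # the accounting staffer keying the wire
    requested_via_email: bool = True


@dataclass
class Decision:
    release: bool
    required_controls: list[str] = field(default_factory=list)
    red_flags: list[str] = field(default_factory=list)


def evaluate_wire(req: WireRequest, vendors: dict[str, Vendor], wire_limits: dict[str, float],
                  home_country: str, prior_international: bool) -> Decision:
    """Collect red flags and the controls that must clear before release."""
    d = Decision(release=True)
    vendor = vendors.get(req.vendor_name)

    if vendor is None or not vendor.paid_before:
        d.red_flags.append("first-time vendor")
        owner = vendor.owner if vendor else "vendor owner (to be designated)"
        d.required_controls.append(f"confirm vendor with {owner} before release")
    elif req.beneficiary_account != vendor.account:
        d.red_flags.append("bank details differ from vendor master")
        d.required_controls.append(f"call vendor on {vendor.callback_phone} to confirm change")

    if req.beneficiary_country != home_country:
        d.red_flags.append("international beneficiary")
        if not prior_international:
            d.red_flags.append("company's first international transfer")
        d.required_controls.append("second approver for international wire")

    if req.amount > wire_limits.get(req.requested_by, 0.0):
        d.red_flags.append("amount exceeds requester's wire limit")
        d.required_controls.append("escalate to an approver with sufficient limit")

    if req.requested_via_email:
        # An email, even from the CEO's apparent address, is never authorization by itself.
        d.required_controls.append(f"call back {req.requested_by} on a number from the directory")

    if req.requested_by == req.initiated_by:
        d.red_flags.append("requester and initiator are the same person")
        d.required_controls.append("independent second approval")

    d.release = not (d.red_flags or d.required_controls)
    return d


# Constructed sample data echoing the article's ABC Tire Company scenario.
VENDORS = {
    "Acme Rubber": Vendor("Acme Rubber", "cfo", "US", "US-111", "+1-555-0100", paid_before=True),
}
LIMITS = {"gary": 100000.0, "cfo": 500000.0}


def scenario_ceo_email() -> Decision:
    """The article's opening story: emailed request, new vendor, offshore account."""
    req = WireRequest("Professional Services Ltd", 205250.29, "KY", "KY-999", "gary", "sam")
    return evaluate_wire(req, VENDORS, LIMITS, "US", prior_international=False)


def scenario_routine_payment() -> Decision:
    """A known vendor, details on file, raised through the normal AP system."""
    req = WireRequest("Acme Rubber", 12000.0, "US", "US-111", "cfo", "sam",
                      requested_via_email=False)
    return evaluate_wire(req, VENDORS, LIMITS, "US", prior_international=False)


if __name__ == "__main__":
    for name, d in (("CEO email", scenario_ceo_email()), ("routine", scenario_routine_payment())):
        print(name, "RELEASE" if d.release else "HOLD", d.red_flags, d.required_controls)
```

The call-back number comes from the vendor master or the corporate directory, never from the request itself; the article's voice-mail interception case shows why the bank's call-back must also reach a channel the impersonated executive actually controls.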

Internally, companies need to review their controls relating to payments and wire transfers and consider a higher level of authorization for disbursements to first-time vendors. For example, designate an official who "owns" each vendor and require the accounting staff member to contact the appropriate official before transferring funds.

Companies also need to arm against phishing attacks and social engineering. The best defense is education and training to help employees recognize these techniques. Companies that use or allow Google Docs or Gmail should enable Google's 2-Step Verification, also known as two-factor authentication, to prevent an outside party from logging into Google without the requisite authenticator token. However, while a successful attack against Google's 2-Step login code hasn't been reported, fraudsters often change tactics as defenses evolve. A higher barrier to unauthorized access into Google Apps is the use of a third-party SSO (single sign-on) or SAML (Security Assertion Markup Language) provider, such as Ping Identity or Centrify. These services allow for a much stronger login system into Google applications because they restrict login based on location, device and tokens. They also allow the login portal to be customized, which makes it difficult for an attacker to anticipate and mimic on a phishing page.

No one is safe. Fraudsters have successfully targeted all types of companies. The more successful they are, the more the scheme is likely to grow. Review your vendor protocols, financial controls and compliance policies. Most importantly, regularly train and encourage employees to recognize red flags and question suspicious requests. An employee who senses something is wrong is usually right.

Anthony Valenti, CFE, CAMS, is managing director of Stroz Friedberg, LLC, which specializes in investigations, intelligence and risk services. His email address is: avalenti@strozfriedberg.com.
Stephen Korinko, CFE, CAMS, CPP, is vice president of Stroz Friedberg, LLC. His email address is: skorinko@strozfriedberg.com.

The authors wish to thank Daniel Blank, digital forensic examiner at Stroz Friedberg.

Reprinted from the March/April 2015 issue of Fraud Magazine, Vol. 30, No. 2. ©2015 Association of Certified Fraud Examiners, Inc. ACFE, CFE, Certified Fraud Examiner, Fraud Magazine, Association of Certified Fraud Examiners and related trademarks, names and logos are the property of the Association of Certified Fraud Examiners, Inc., and are registered and/or used in the U.S. and countries around the world.