Biz Email Fraud Could Hit $1 BillionFighting New Wire Fraud Method Now a Top Priority for Banks
Wire fraud perpetrated via business email compromises has quickly become a top concern for banking institutions. David Pollino, bank fraud prevention officer at Bank of the West, now predicts wire fraud losses in the U.S. linked to such "masquerading" schemes could exceed $1 billion this year.
See Also: How to Defend Your Attack Surface
In fact, the losses from these emerging schemes could be higher than any wire and ACH losses linked to account takeovers, he says.
"Traditionally, whether it was phishing or malware, you saw the criminals getting the username and password and then executing the transaction or takeover of the victim's computer to wage the attack," Pollino says. "With these new attacks, we see the actual compromise of the business. The victims are fooled into the legitimacy of the wire transfer."
A Socially Engineered Scheme
Masquerading schemes do not involve malware or an account takeover. Instead, attackers use socially engineered schemes that are designed to fool a business's accounting or administrative staff into scheduling an urgent wire transfer they believe has been requested by the CEO or other corporate executive, Pollino explains.
These attacks, waged against a banking institution's commercial customers, may involve a spear-phishing attack to take over a corporate executive's legitimate email account, or the creation of a similar domain so that fraudulent emails sent appear, at a glance, to be legitimate, he says.
"In a masquerading attack, hackers impersonate someone you or your business knows, such as the CEO or CFO or a vendor the company does business with," Pollino writes in a blog about this emerging scheme. "The hackers phone or email someone in the company - for example, the controller - requesting a wire transfer. The controller, believing the email or phone call is legitimate, then contacts the bank to request the wire transfer."
While most institutions require out-of-band authentication, such as callbacks, to confirm wire transfers, "the controller or someone else with financial authority will insist the wire transfer request is legitimate and will verbally authorize the bank to proceed," Pollino says. "Once the transfer goes through, it is very difficult to recoup the stolen money."
And it's not just a U.S. problem. "This is a global fraud trend," he adds.
The Federal Bureau of Investigation first issued an alert about so-called business email compromises back in June 2014. In January, the FBI issued an update, noting that business email compromises had been reported in every U.S. state, as well as 45 countries.
The FBI estimated fraud losses tied to business email compromises totaled $214 million globally from October 2013 through November 2014.
Julie Conroy, a financial fraud analyst with the consultancy Aite, says many banking institutions believe that estimate is far too low.
"While many financial institutions said that their transactional analytics catch many of these on the back-end, they said many of the attempts still slip through because the criminals are purposely structuring the dollar amounts to fall below the radar - $40,000 here, $70,000 there. So most of the FIs I spoke with said that they are seeing millions of dollars in losses hit their business customers," Conroy says. "This is an escalating problem."
An 'Acute' Problem
Patrick Peterson, CEO of online security firm Agari, says wire fraud linked to business email compromise is an "acute" problem for businesses and banking institutions.
"At Agari, we talk to banks all the time and can categorically report that BEC [business e-mail compromise] is an absolute top priority," he says.
Peterson says all of the banking executives he met with at the recent Financial Services Information Sharing and Analysis Center and BIT's Annual Summit said they were aggressively monitoring business email compromises.
"The challenge is that our arsenal is weak," he adds.
Most businesses have no mechanisms in place to flag fraudulent emails sent to employees that claim to be from an executive within the company or a bank, Peterson claims.
He also notes that there is nothing fancy about the latest business email compromise attacks. "BEC has no attachment, no URL; just a plain-text email request to initiate a wire," Peterson says. "Sandboxing, Web security and anti-spam is useless. I have yet to see a bank [or business] with an approach that will be effective."
Pollino says, however, that these attacks are well designed to psychologically confuse the email recipient.
"When you think about the core of this attack, it is a social engineering attack," Pollino says. "You'll see that they are highly sophisticated from a social engineering perspective. The emails are very convincing."
This is why businesses need to have tools in place to ensure they can review and authenticate these transactions before they submit the wire transfer request to their bank or credit union, he adds. What's more, banking institutions need to have additional measures in place, such as a multi-person approval process, to ensure wire-transfer requests are legitimate before they are approved, he adds.
"Financial institutions should be educating their customers, and they should do callbacks and modify their [callback] scripts to ensure that they are pointing out the current fraud trends, such as red flags that go up when an urgent or quick transaction is requested," Pollino says.
A Risk That Can be Controlled
Bill Nelson, president and CEO of FS-ISAC, says banking institutions that implement additional transaction-verification strategies can reduce their business customers' fraud risks. "Banks are helping their business customers by monitoring activity and delaying wires in order to give business customers enough time to confirm the legitimacy of the wire instructions before they are released," he says.
But Nelson portrays fraud related to business email compromises as "a very controllable risk." He notes: "Companies' treasury management and accounts payable staff need to become more aware of this threat and institute controls to prevent bogus payments from being made. ... The FBI has done a good job of creating initial awareness about the schemes being employed and how to detect and prevent losses. There will be more educational material coming out in the next few weeks and months from law enforcement, FS-ISAC and others."