WARNING!
Watch Out For This Money Wire Transfer Scam
IT’S HAPPENING RIGHT NOW!

This scam threatened two of our clients in one day, so we have decided to make sure people are informed.

In both cases, a top-level executive’s email was hacked while they were out of town, and a fraudulent email was sent to an unsuspecting colleague with access to company money. The email read, “What would you need to know to send a wire transfer for me?”

The office employee emailed back and forth with the hacker, thinking they were communicating with their colleague, until they were convinced to send money by wire transfer to a bogus account. In one case the money was to be wired to an elderly woman’s account. (Many people are scammed into holding a bank account that automatically transfers funds to other accounts, making them “money mules” for hackers.)

Our clients are not alone. The networking firm Ubiquiti Networks, Inc. recently lost $46M in a similar heist. You can read about that at https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/. According to the Internet Crime Complaint Center (ic3), as of January 22, 2015 there were 1198 victims of this crime in the U.S. alone (and those were only the ones who actually reported it).

Don’t be a victim of this scam! In both cases there was a lot of money at stake. In both cases our clients thought the email sent to them was a legitimate request and that they were communicating with people in their company. Cyber criminals are getting very good at this.

Arm yourself! The Internet Crime Complaint Center (ic3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) that works with different law enforcement agencies battling Internet crime. You can read all about ic3 at https://www.ic3.gov.

Here are five suggestions from ic3 to help protect your business:

  • Avoid Free Web-Based E-mail: Establish a company web site domain and use it to establish company e-mail accounts in lieu of free, web-based accounts.
  • Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchical information, and out-of-office details.
  • Be suspicious of requests for secrecy or pressure to take action quickly.
  • Consider additional IT and financial security procedures and 2-step verification processes. For example:
    • Out of Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
    • Digital Signatures: Both entities on either side of transactions should use digital signatures. However, this will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.
    • Delete Spam: Immediately delete unsolicited e-mail (spam) from unknown parties. Do NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
    • Forward vs. Reply: Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
  • Significant Changes: Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been on a company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.

[Be aware: the FDIC does not insure business bank accounts against acts of cybercrime. You should talk with your bank about what their procedures are if your bank account gets compromised. If you find out your account has been hacked, or that a bank transaction is fraudulent, notify your bank immediately! The sooner your bank knows about a problem, the more likely they will be able to fight it for you.]

The following are resources you may be interested in to get more information:

https://securityledger.com/2015/03/wire-transfer-scam-shows-assertiveness-works-with-phishing-too/

https://www.ic3.gov

https://www.fbi.gov/

https://www.nw3c.org/

As always, if you need help with any of your IT questions, please call us at 615-206-4146.