Hackers Target Companies with Wire Transfer Fraud Scheme

Experts say executives need to be especially cautious

By Aliah D. Wright Jan 30, 2015

Since October 2014, hackers have been running two scams simultaneously.

First, they’ll hack into a company’s computer system and hold some computers hostage with ransomware. Then, while IT tries to ascertain how to fix that problem, the hackers will hijack an executive’s e-mail account and send an e-mail to an employee with access to the company’s finances to wire money for a seemingly valid business reason.

The FBI reports that companies worldwide have lost more than $215 million to this scheme.

On Jan. 22, 2015, the FBI’s Internet Crime Complaint Center (IC3) issued a warning about the fraud, which it calls the Business E-mail Compromise (BEC).

“Some victims reported being a victim of various scareware or ransomware cyber intrusions, immediately preceding a BEC scam request,” according to the alert issued by IC3, which is a partnership between the FBI and the National White Collar Crime Center.

It’s “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments,” according to the warning.

How the Dual Scam Works

“This is relatively new,” said Stu Sjouwerman, founder and CEO of KnowBe4 LLC, which provides web-based security awareness training. He told SHRM Online in a telephone interview that “the FBI updated its existing alert because this is a spin-off of an existing one. … But this flavor [with the ransomware being sent first] is pretty new and the attacks have become more sophisticated over time.”

According to the IC3 alert, “victims may also first receive ‘phishing’ e-mails requesting additional details of the business or individual being targeted (name, travel dates, etc.).”

During a ransomware attack, a ransom note appears on an employee’s computer screen informing the employee that his or her files have been locked. In order to retrieve the locked files, the employee must pay a fee, usually a few hundred dollars; the fee amount can double over the course of days or weeks. With this new dual scam, while the company’s IT team assesses how to unlock the files or debates whether to pay the ransom, another employee who usually handles money is sent a “spoofed” e-mail from what looks like a reputable source—usually a top executive—requesting money be wired for a business purpose.

The fraudulent wire transfer payments are sent to foreign banks and may be transferred several times before being quickly dispersed, according to the FBI alert. The payments usually wind up in a bank account in Asia, where the thieves withdraw the funds.

“You’ll never get that money back,” Sjouwerman said.

The IC3 said it has received complaints from victims in every state in the U.S. and from 45 countries. In all, nearly 2,000 victims have fallen for some variation of the scam, in which both corporate e-mail and personal web-based e-mail have been targeted.

Companies have lost nearly $180 million in the United States; foreign victims have lost more than $35 million.

“The FBI assesses with high confidence the number of victims and the total dollar loss will continue to increase,” the alert stated.

What HR Can Do About Phishing Attacks

“Alert your executives,” Sjouwerman said. “These scams are getting more sophisticated by the month, so be on the lookout.”

The FBI’s IC3 suggests that businesses:

  • Avoid free web-based e-mail. Establish a company website domain and use it to establish company e-mail accounts instead.
  • Share with care. Be careful with the type of information that is posted to social networking pages and company websites—especially details about employees’ duties, hierarchal information and out-of-office details.
  • Be wary of “requests for secrecy or pressure to take action quickly.”

The FBI also suggests organizations use protocols such as a two-step verification process for wire transfers.

“What I would strongly recommend is … make sure that you and your bank have very clear agreements that for any wire transfer over a few hundred dollars, there needs to be a phone verification,” Sjouwerman said. “You have to initiate the communication.”

The FBI added that organizations should arrange this second-factor authentication “early in the relationship and outside the e-mail environment to avoid interception by a hacker.”

Companies can also instruct employees to:

  • Immediately delete spam from unknown parties.
  • Refrain from opening spam, clicking on links in e-mails or opening attachments. “These often contain malware that will give subjects access to your computer system,” the alert stated.
  • Don’t use the reply option when responding to business e-mails. “Instead, use the ‘forward’ option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used,” the alert stated.
  • Be leery of sudden changes in typical business practices. “For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been on company e-mail, the request could be fraudulent,” according to the IC3. “Always verify via other channels that you are still communicating with your legitimate business partner.”
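As an added example (not code from the article or the IC3 alert), the warning signs listed above can be turned into a simple screening check that a mail gateway or a finance team's mailbox rule could apply before a wire request is acted on. The company domain, the executive directory, the free-webmail list and the pressure-phrase list are assumptions, and the sample messages are constructed.

```python
# Added example: screen an incoming message for the BEC warning signs the IC3
# alert describes (free webmail sender, spoofed executive, reply going elsewhere,
# pressure or secrecy language). Domains, directory and phrases are assumed.
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.test"                          # assumed
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.test"}       # assumed directory
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
PRESSURE_PHRASES = ("urgent", "confidential", "do not discuss", "wire", "right away")

def bec_warning_signs(raw_message: str) -> list[str]:
    """Return the BEC warning signs found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or from_addr)
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    signs = []
    # Display name matches an executive, but the address is not the directory entry
    expected = EXECUTIVES.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        signs.append("executive display name with non-directory address")
    # Sender uses a free web-based e-mail service (the alert advises against these)
    if from_domain in FREE_WEBMAIL:
        signs.append("free web-based e-mail sender")
    # Hitting "reply" would send the answer somewhere other than the visible sender
    if reply_domain and reply_domain != from_domain:
        signs.append("reply-to domain differs from from domain")
    # Secrecy or urgency wording in the subject or plain-text body
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        signs.append("pressure or secrecy language: " + ", ".join(hits))
    return signs

# Constructed sample: spoofed CEO request of the kind the alert describes
SAMPLE = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <jdoe-office@mail.test>
To: accounts@example-corp.test
Subject: Urgent wire

Please process this wire right away and keep it confidential. Do not discuss with anyone.
"""
# Constructed sample: ordinary internal message with no warning signs
LEGIT = """From: Jane Doe <jane.doe@example-corp.test>
To: accounts@example-corp.test
Subject: Q3 invoice

Attached is the invoice for review.
"""
```

Running `bec_warning_signs(SAMPLE)` flags all four categories, while `bec_warning_signs(LEGIT)` returns an empty list; the check complements, rather than replaces, the out-of-band phone verification the alert recommends.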

Getting executives to take the threat seriously is becoming easier, Sjouwerman said, especially since, in his words, 2014 will be forever known as “the year of the breach.”

According to the research group Ponemon Institute, 43 percent of survey respondents in 2014 said their companies had experienced a data breach, compared to 33 percent the year before.

Yet, “only 29 percent of respondents say their company’s board of directors, chairman and CEO are informed and involved in plans to deal with a possible data breach,” according to Ponemon’s second annual study on data breach preparedness, Is Your Company Ready for a Big Data Breach?

If HR professionals are struggling to get their executives to take cybersecurity more seriously, Sjouwerman suggests using business cases as examples of what could go wrong.

“You have to tell those stories, real stories that illustrate that [executives] are the people with the biggest targets on their backs and this needs to become real to them,” he said.

Aliah D. Wright is an online editor/manager for SHRM.
