On Monday, the Department of Justice issued a notice that 74 individuals have been arrested in connection with phishing schemes primarily aimed at intercepting and hijacking wire transfers.
Of the 74 people arrested, 42 were U.S. citizens, 29 were from Nigeria, and 3 were in Canada, Mauritius and Poland. The arrests were accompanied by the seizure of about $2.4 million and the recovery of about $14 million in fraudulent wire transfers.
We’ve seen this before. Fraudsters purport to be somebody they’re not. This typically happens using an email account that was compromised. Then, the fraudster works to convince the victim to wire funds to a fraudulent account. Once the funds are wired, it’s very difficult to reverse the direction of the money.
There are several ways to reduce the likelihood of this happening to your organization:
- Implement policies and procedures for wire transfers that enforce “separation of duties”. This is a core security concept that requires more than one person to complete a given task.
- Train your users. Emails that involve wire transfer requests and encourage a user to “act now” or “trust me” should not be trusted. Language that a used car salesman might use is meant to pressure the recipient into acting without thinking.
- Implement multi-factor authentication (MFA) for all online accounts, particularly email. If your organization uses MFA, it’s highly unlikely that email accounts will become compromised, and thus they won’t be usable in certain phishing schemes.
According to the DoJ, “A number of cases involved international criminal organizations that defrauded small to large sized businesses, while others involved individual victims who transferred high dollar funds or sensitive records in the course of business. The devastating effects these cases have on victims and victim companies, affect not only the individual business but also the global economy. Since the Internet Crime Complaint Center (IC3) began keeping track of BEC and its variant, Email Account Compromise (EAC), as a complaint category, there has been a loss of over $3.7 billion reported to the IC3.”
Notice that the victims are small and large businesses and individuals. The sentiment that “I’m too small of a target” is a false one. The bad guys will take your money regardless of your vertical, company size, or any other characteristic. It’s important to take the three steps outlined above to protect your business. Need help? Cyberstone and our channel partners can help.