1 February 2019

Phishing for funds

In a recent case of cybercrime, a business email compromise scam tricked a law firm into transferring funds to fraudsters.

Social engineering scamming is a multi-billion-dollar industry, with funds transfer fraud responsible for the loss of over $12.5 billion worldwide between October 2013 and May 2018.[1]

Real estate has been identified as a growing target for funds transfer fraud, with an increase in cybercrime of 1100 per cent between 2015 and 2017.[2]

What is social engineering?

Social engineering is deceiving or manipulating people into carrying out a particular act, for example transferring money, sharing confidential information or following a malicious link.[3]  

In a recent case study by CFC, a global leader in insurance and pioneer in cyber insurance, a law firm’s employee received an email that appeared to be from Microsoft. The email said the employee’s account had been suspended and asked them to verify their account details. The email provided a link to a legitimate-looking webpage on which the employee entered their Outlook username and password. 

What the employee didn’t realise was that they had just handed over the login information for their work email account to a cybercriminal. Because the law firm didn’t have multi-factor authentication – a process that requests two or more pieces of evidence to authenticate an account log-in – the cybercriminal was able to log in to the employee’s email account remotely.

Full-access pass granted

With full access to the employee’s email account, the cybercriminal could monitor communications and gather confidential intel on clients, their real estate agents, upcoming disbursements and settlement dates. The cybercriminal then identified the most lucrative target.

Once identified, the cybercriminal set up a fake email address that looked similar to that of the agent representing a vendor. For example, if the agency’s email domain was abcagents.com.au, the cybercriminal created abcagenst.com.au.
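A defender-side check for the lookalike domain described above, added here as an example and not part of the original article or CFC’s material. It compares the sender domain of each incoming message against an allowlist of known counterparty domains, using optimal-string-alignment distance so that a swapped letter pair such as abcagenst/abcagents is caught, and it also folds common visual confusables (0 for o, rn for m), which goes beyond the transposition in the case study. The allowlist, the sample From headers and the threshold of two edits are assumptions.

```python
from email.utils import parseaddr
from typing import Iterable, List, Optional, Tuple

# Constructed allowlist of counterparty domains the firm actually deals with (assumption).
KNOWN_DOMAINS = {"abcagents.com.au", "examplelaw.com.au"}

# Character sequences that look alike in most fonts; folded before comparison.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition, e.g. "ts" written as "st".
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def fold(domain: str) -> str:
    """Lower-case a domain and collapse visually confusable sequences."""
    folded = domain.lower()
    for src, dst in CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded


def classify_sender(from_header: str, known: Iterable[str] = KNOWN_DOMAINS,
                    max_distance: int = 2) -> Tuple[str, str]:
    """Classify a From header as ("known", domain), ("lookalike", known_domain)
    or ("unknown", domain). A lookalike is a domain that is not on the allowlist
    but is within max_distance edits of one after confusable folding."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].strip().lower()
    known = set(known)
    if domain in known:
        return ("known", domain)
    best: Optional[Tuple[int, str]] = None
    for k in known:
        dist = osa_distance(fold(domain), fold(k))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, k)
    if best is not None:
        return ("lookalike", best[1])
    return ("unknown", domain)


def flag_lookalikes(headers: Iterable[str], known: Iterable[str] = KNOWN_DOMAINS) -> List[Tuple[str, str]]:
    """Return (header, impersonated_known_domain) for every header that resembles
    an allowlisted domain without matching it exactly."""
    flagged = []
    for h in headers:
        verdict, detail = classify_sender(h, known)
        if verdict == "lookalike":
            flagged.append((h, detail))
    return flagged


# Constructed sample From headers (assumption): one genuine, two lookalikes, one unrelated.
SAMPLE_FROM_HEADERS = [
    "Jane Agent <jane@abcagents.com.au>",
    "Jane Agent <jane@abcagenst.com.au>",
    "Jane Agent <jane@abcagents.c0m.au>",
    "noreply@unrelated-example.net",
]

if __name__ == "__main__":
    for header, impersonated in flag_lookalikes(SAMPLE_FROM_HEADERS):
        print(f"LOOKALIKE: {header!r} resembles {impersonated}")
```

In practice this check belongs in the mail gateway or a transport rule, so that a message from a near-match of a known counterparty is quarantined or banner-tagged before anyone reads a request to change payment details; an exact allowlist match is no guarantee of legitimacy either, since the case study began with a genuine mailbox being taken over.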

Using this fraudulent email address and drawing on information gathered from previous interactions, the cybercriminal sent the law firm an email asking for the payment to be made by wire transfer rather than by cheque, as previously agreed. To imitate authenticity, the cybercriminal copied the agent’s email signature to the fraudulent email.

Believing they were communicating with the vendor’s agent, the law firm transferred over $240,000 to the cybercriminal’s account.

Funds unrecoverable

Because many days had passed before the vendor asked the agent where the funds were and the agent contacted the law firm, the cybercriminal had ample time to withdraw the funds. 

Understandably, the vendor, buyer, agent and law firm were all affected by the disappearance of the funds, which were now irretrievable. However, because the law firm had cyber insurance, the loss was covered in full and the sale of the property could go ahead.

The key takeaways

You are not smarter than cybercriminals | These people are a sophisticated bunch. And doing you out of your money is their day job. It was previously common to see emails from a Nigerian prince asking for your help or a bogus prize giveaway. For most people, these scams are easy to spot. But cybercriminals are now impersonating companies like Microsoft, Google and Yahoo!. Their communications replicate authentic emails so well that they fool agents, lawyers and clients.

Your IT security is not enough | Many businesses believe their IT security is good enough and spend a lot of money protecting their networks. Strong IT security controls don’t always protect against events that don’t involve a third party accessing the network, such as social engineering attacks or the actions of a rogue employee. Increasingly sophisticated attacks like the one in this case study make it very difficult for employees to tell the difference between a real and a fake email.

Everyone is at risk | With more and more businesses transferring money electronically, the opportunities for cybercriminals to intercept these funds are increasing. Any business that handles electronic funds is vulnerable to cyberattacks. Having a cyber policy with crime coverage protects you and your business.

[1] Federal Bureau of Investigation (2018, July 12). Retrieved from https://www.ic3.gov/media/2018/180712.aspx
[2] Ibid.
[3] CFC Underwriting (2018, September 21). Retrieved from https://www.cfcunderwriting.com/media/3176?topic=1