Your System is Compromised

The FBI calls this caper the Business Email Compromise (BEC). It comes in multiple flavors, but let’s start with the one that can hijack your money while it’s in transit.

The scam is carried out by compromising a legitimate email account through computer intrusion or social engineering. The attackers' goal is to redirect funds to accounts they control.

This version of BEC takes phishing to a new level. Bad actors target the specific users in the company who authorize and/or make fund transfers. They may start with a phishing email whose payload is a keystroke logger. An insider could also be targeted via social engineering. Simply put, social engineering is peer pressure for adults: it takes place on social media channels, where the attackers encourage and rationalize hacks or offer cash and tech. Social engineers in this scenario are interested in crypto wallets. Fund transfer processes often rely on these wallets, and gaining access to a company’s crypto wallet is a coup.

Deep Fake Zoom

Virtual meetings became standard communications ops during the Pandemic. With everyone working remotely, even leadership, it was the simplest and most productive tool for getting things done. But the meetings had little to no security – a single link was shared with all attendees. Anyone who wanted to hop on a meeting could – no credentials required.

That opened the door for black hats and other bad actors to get creative. They looked for meetings about fund transfers, learned the authorizing hierarchy and captured video of the decision-makers. It was spoofing genius, actually. They digitally altered the captured video and created reusable deep fakes for authorizing fund transfers.

Sometimes people (believing they were in a private/safe space) would share logins or put an authentication key in the meeting’s chat. With company email addresses in hand, hackers could send out fake meeting invites and use the deep fakes for unauthorized transfers or simply change the destination of the payment.

Crypto is Key to the Scam

There’s been much discussion about blockchain technology as an immutable transaction ledger. It’s private to the parties in a deal; the payments are made in crypto coinage and managed by crypto wallets.

Crypto wallets are associated with a user name and a public authentication key. They don’t actually hold any currency – what they hold is the key to the kingdom: the private keys that allow the account to be accessed. Think of the private keys as your brick-and-mortar bank account numbers and your user name as the permission to use them. That’s all you need to access someone else’s account and move money between wallets.

Stealing Billions

These fund transfer scams were reported by victims between October 2013 and July 2019:

Total U.S. victims: 69,384
Total U.S. exposed dollar loss: $10,135,319,091.00

These statistics were reported by victims between October 2016 and July 2019:

Total U.S. financial recipients: 32,367
Total U.S. financial recipient exposed dollar loss: $3,543,308,220.00

You can see from the reduction in complaints that system security has improved. Still, $3.5B in losses is no small chunk of change.

Deep Fakes

When a scam is successful it becomes a model that can be replicated, and you can bet hackers want to replicate it. Think you’d never fall for a deepfake…?

Pay Attention to Payroll

There is a growing number of complaints about the diversion of payroll funds. HR or payroll representatives receive spoofed emails appearing to be from employees requesting to update their direct deposit information for the current pay period. This is different from the payroll diversion scheme in which the subject gains access to an employee’s direct deposit account and alters the routing to another account. The new direct deposit information provided to HR or payroll generally leads to a pre-paid card account.

Sometimes employees will receive phishing emails prior to requests for changes to direct deposit accounts. Multiple employees receive the same email that contains a spoofed log-in page for an email host. This makes the direct deposit requests appear legitimate. Employees enter their usernames and passwords on the spoofed log-in page, which allows the subject to gather and use employee credentials to access the employees’ personal information.

Replicating what works

Deepfakes were used over the holidays to steal money from companies trying to give food to families in need. A fraudster used AI voice cloning to convince a bank manager to transfer an unauthorized $35M.

Deepfakes and email scams are taking identity theft to the next level. Using the same techniques as the fund transfer scams, bad actors request private information: in these fake meetings, the request is for updated W-2s with an updated social security number. Once that data is collected it’s sold on the dark web.

Hackers will also work to get insurance records, since any type of medical data is very valuable online. Employers manage a lot of personal data – financial, personal and medical. Imagine your boss telling you to send an insurance claim up to his/her office – are you going to say no?

Deep fake scammers are betting you won’t.

Basic Protection

One thing to consider is reviewing the authorization structure for initiating and approving fund transfers. These are the people who are featured in deep fakes and whose voices get cloned via AI. If the company can find a way to validate their presence in a meeting, or on a phone call to their second-in-command, it might prevent some illicit transfers.

• Require two-factor authentication to verify requests for changes in bank or crypto account information.
• Regularly communicate to employees that PII will never be requested via email or over the phone. Automate the email to new employees and resend it company-wide at least every quarter.
• Set protocols that can automatically stop transfers to cryptocurrency sites or wallets.
• These scams target the emails of decision-makers. Limit the roles that can approve fund transfers and require multiple people to sign off. Keep their names and email addresses as private as possible.
• Block every employee’s access to personal email and social media accounts on company systems.
• Review BYOD policies. Do not allow fund transfers to be initiated from a home computer or personal cell phone.
• Look carefully at the URL on every link, especially for virtual meetings – spoofers can’t replicate it exactly.
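Two of the checks above can be automated before a human ever acts on a request: holding a direct-deposit change email whose sender or reply path does not match the company domain, and inspecting a meeting link’s host for lookalike spelling. The following is an added example, not code from the article; the corporate domain, approved meeting hosts, confusable-character table and sample message are constructed assumptions.

```python
# Added example, not code from the article: triage checks for two signals the
# article describes, spoofed direct-deposit change emails and lookalike meeting
# links. CORP_DOMAIN, MEETING_HOSTS and the sample message are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CORP_DOMAIN = "example-corp.test"                   # assumed corporate domain
MEETING_HOSTS = {"zoom.us", "teams.microsoft.com"}  # assumed approved hosts
# Sample confusable substitutions (digit/Cyrillic for Latin); real code would
# use the full Unicode confusables data instead of this short table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "\u0430": "a", "\u043e": "o"})

def classify_host(host, trusted):
    """'trusted' if host is (or is under) a trusted name, 'lookalike' if it
    matches only after undoing confusable substitutions, else 'unknown'."""
    host = host.lower()
    def matches(h):
        return any(h == t or h.endswith("." + t) for t in trusted)
    if matches(host):
        return "trusted"
    return "lookalike" if matches(host.translate(CONFUSABLES)) else "unknown"

def email_findings(raw):
    """Reasons a request must be held for out-of-band (phone/in-person) checks."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    findings = []
    verdict = classify_host(from_addr.rsplit("@", 1)[-1], {CORP_DOMAIN})
    if verdict != "trusted":
        findings.append("sender-" + verdict)   # external or lookalike sender
    if reply_addr and reply_addr != from_addr:
        findings.append("reply-to-mismatch")   # replies routed elsewhere
    if re.search(r"direct deposit|routing number|account number|wallet",
                 msg.get_payload(), re.I):
        findings.append("bank-detail-change")  # never act on email alone
    return findings

def link_verdict(url):
    # Classify a meeting link's host before anyone clicks it (see bullet 7).
    return classify_host(urlparse(url).hostname or "", MEETING_HOSTS)

# Constructed sample: the display name looks right, the domain swaps l for 1.
SPOOFED_REQUEST = """\
From: Dana Lee <dana.lee@examp1e-corp.test>
Reply-To: dana.lee.payroll@mail.test

Please update my direct deposit routing number for this pay period.
"""
```

Any non-empty result from `email_findings` should route the request to the out-of-band verification step rather than to the payroll system.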