
Page 1: CYBERSECURITY ALERT - DLA Piper/media/Files/Insights/Publications/2015/0… · CYBERSECURITY ALERT Companies around the world are seeing the resurgence of an old scam: wire transfer

CYBERSECURITY ALERT

Companies around the world are seeing the resurgence of an old scam: wire transfer phishing attacks that trick employees into wiring money from company bank accounts to criminals’ bank accounts.

Over the past several months, many companies have lost millions of dollars to such relatively simple attacks. The funds are almost never recovered.

The people behind these attacks are not sophisticated cybercriminals. The attacks usually involve no malware, intrusions, vulnerability exploits or even password compromises. Rather, the attackers employ elaborate social engineering tactics and deceptive email domain names that can dupe even savvy, wary employees into sending the criminals money from the company coffers.

Fortunately, organizations can significantly reduce the likelihood of financial loss and business impact by educating their users, adopting simple procedures and even implementing certain low-tech measures. A few simple steps could save your organization from being scammed out of millions.

A TYPICAL LEGITIMATE WIRE TRANSFER PROCESS

For security purposes:

• Only one employee (the Designated Employee) is designated to request outbound wire transfers from the bank.

• Only one executive is designated to approve or direct outbound wire transfers (the Designated Executive).

• The Designated Employee only requests the bank to initiate outbound wire transfers following receipt of a phone call or email from the Designated Executive authorizing or directing a wire transfer.

• The company’s bank only initiates outbound wire transfers at the direction of the one Designated Employee, who must contact the bank by phone or via the company’s secure online banking portal.

By Tara Swaminatha and Christopher Scott*

WIRE TRANSFER PHISHING – AN OLD SCAM RETURNS: SIMPLE STEPS TO PROTECT YOUR ORGANIZATION

SEPTEMBER 2015

1 | CYBERSECURITY ALERT

* Christopher Scott is Director of Remediation at CrowdStrike.


A TYPICAL WIRE TRANSFER PHISHING ATTACK

• The organization’s email domain is @company.com.

• The attacker registers domain names deceptively similar to the organization’s (for instance, @conpany.com, @cornpany.com, @cmpany.com).

• The attacker learns the names of the Designated Executive and Designated Employee through social engineering or online research.

• The attacker sends an email purporting to be from the Designated Executive, using a deceptively similar email domain.

• The Designated Employee receives this email and sees that it is from “Designated Executive” <...@conpany.com>, directing the Designated Employee to have $1 million wired to account number 123456789.

• The Designated Employee, following procedure, checks to see that the email came from “Designated Executive.”

• But the Designated Employee fails to notice the misspelling in the email domain @conpany.com, mistaking it for a legitimate company email address.

• The Designated Employee logs into the online banking portal account and requests an outbound wire transfer for $1 million to account number 123456789.

• The bank, following procedure, checks to confirm that the request for the wire transfer did come from the Designated Employee’s account on the online banking portal.

• The bank wires $1 million to account number 123456789.

• Meanwhile, the actual Designated Executive has no knowledge of this wire transfer.

In the vast majority of instances of this scam, the receiving account is outside the US, and the funds are almost impossible to recover.

The bank is not responsible because it followed procedures and the Designated Employee was, in fact, the person who contacted the bank to request the transfer.

WHAT YOU CAN DO TO SAFEGUARD AGAINST THESE ATTACKS

By implementing a few simple non-technical measures, organizations can dramatically reduce the likelihood of falling victim to a wire transfer phishing attack. We also offer technical solutions below that can provide additional protection.

NON-TECHNICAL PROTECTIVE MEASURES

1. Educate employees who handle wire transfers. Organizations should provide training about the risk of falling victim to a wire fraud phishing scheme to all employees who handle wire transfers. These employees should be trained to scrutinize emails from executives who authorize transfers to ensure their validity. Employees should inspect both the “From” field and the body of the email:

• In the “From” field, do not rely on the sender’s display name (alias); inspect the full domain name following the @ symbol in the sender’s email address (for instance, @conpany.com where @company.com was expected). You may have to mouse over or double-click the alias to see the sender’s full email address. The full email address can also be spoofed (a forged From address that uses the organization’s exact domain is only rejected where the organization publishes a DMARC reject policy for its own domain and its mail gateway enforces it), so we recommend looking at the body of the email as well.

• In the body of the email, consider whether the message is written in the Designated Executive’s style. Look for anomalies, such as odd misspellings, awkward phrases, an unusual tone, pressure to act urgently or to keep the request confidential, a receiving bank account in an unexpected country, or missing components (for instance, the Designated Executive always closes with “Best Regards,” while the email you are scrutinizing has no closing).

2. Confirm via phone call. When in doubt, employees should confirm wire transfer requests by phone using the executive’s phone number in the corporate directory and not from the signature in a suspicious email. Attackers may include phone numbers in a signature and will staff that phone number in hopes that an employee will call to confirm the request by phone. Better still, make a callback to the directory number mandatory for every wire request above a set threshold, regardless of how legitimate the email appears.



3. Plan for vacations. When the Designated Executives or Designated Employees are out of the office, their proxies should be trained on the wire transfer protocol and on the methods for determining whether a wire transfer request or authorization is legitimate.

4. Establish two-part verification procedures with your bank. Organizations should ask their banks to confirm all wire transfer requests that exceed a certain dollar amount via a phone call to the organization’s CFO (or other executive or designee), placed to a number the bank already has on file rather than one supplied with the request.

TECHNICAL PROTECTIVE MEASURES

Include a header on inbound emails from external domains – Organizations can put a script (or transport rule) on their Exchange or other mail server that adds a header to the text of all incoming emails from external domains, such as “From External Domain.” The mail server knows exactly which domains it is authoritative for, so it distinguishes @company.com from @conpany.com even when a human reader does not. At the top of the body of an incoming email from @conpany.com, the recipient would see the phrase “FROM EXTERNAL DOMAIN.” The script can either be applied company-wide to all incoming emails or narrowly focused to apply only to emails sent to Designated Employees. The tag identifies mail that arrives from outside; an email that forges the organization’s exact domain in the From address would be treated as internal unless the mail gateway also enforces SPF, DKIM and DMARC for the organization’s own domain.

Adopt a policy of digitally signing wire transfer authorizations – Organizations can adopt a policy, and develop the capabilities, to mandate that emails sent from a Designated Executive to a Designated Employee to authorize an outbound wire transfer be digitally signed (and, where confidentiality matters, encrypted as well). If an organization uses Exchange/Outlook and S/MIME, for example, the signature is produced with the Designated Executive’s private key, so the attacker would need that key, which in practice means possession of the Designated Executive’s laptop, smart card or other device, in order to send an authorization that verifies as coming from the Designated Executive’s account. Encryption alone does not prove who sent a message, because anyone who obtains the Designated Employee’s public certificate can encrypt mail to it. The Designated Employee would need to be trained to confirm that the mail client shows a valid signature from the Designated Executive’s certificate, and to treat any unsigned or failed-signature authorization as a request that must be verified by phone.

Block select domains – If an organization has received fraudulent emails from a particular email domain, the IT department can block all future incoming emails from the bogus domain. Because look-alike domains are cheap to register, this measure is reactive and should complement, not replace, the external-domain tagging above. IT should consider filtering emails from bogus domains to a separate area for tracking, study and potential reporting to law enforcement.
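The following Python script is an added example, not code from this alert or from DLA Piper or CrowdStrike. It implements the external-domain tagging measure and the domain-blocking measure above in one place: it parses inbound messages, ignores the display name, classifies the sender domain as internal, external or a look-alike of the organization’s own, stamps the result in a header and prepends the alert’s “FROM EXTERNAL DOMAIN” banner to the body. The look-alike check catches the three bogus domains from the attack walkthrough (a typo, an “rn” for “m” homoglyph and a dropped letter). The organization domain company.com, the X-Sender-Class header name, the homoglyph table, the edit-distance threshold and the sample messages are all assumptions chosen for illustration.

```python
"""Tag inbound mail from external domains and flag look-alikes of the
organization's own domain (added example, not code from the alert)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed organization domain; the alert's walkthrough uses @company.com.
ORG_DOMAIN = "company.com"
BANNER = "FROM EXTERNAL DOMAIN"

# Character sequences that read alike in many fonts ("rn" passes for "m").
# Assumed table for illustration; extend it for the letters in your own domain.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Lower-case a domain and collapse look-alike sequences so that
    cornpany.com and company.com compare equal."""
    d = domain.strip().lower().rstrip(".")
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance: conpany.com and cmpany.com are one edit from company.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg: Message) -> str:
    """Domain of the actual address in From:, ignoring the display name
    (the alias the alert warns employees not to rely on)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].strip().lower()


def classify_domain(domain: str, org: str = ORG_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender domain."""
    if not domain:
        return "external"           # unparseable From: is treated as untrusted
    if domain == org or domain.endswith("." + org):
        return "internal"           # the mail server is authoritative for these
    if normalize(domain) == normalize(org):
        return "lookalike"          # homoglyph swap, e.g. cornpany.com
    if levenshtein(domain, org) <= 2:
        return "lookalike"          # typo or dropped letter, e.g. cmpany.com
    if org.split(".")[0] in re.split(r"[.-]", domain):
        return "lookalike"          # company.com.attacker.example, company-payments.com
    return "external"


def tag_message(raw: str, org: str = ORG_DOMAIN) -> Message:
    """Parse a raw message, record its class in an X-Sender-Class header
    (assumed name) and prepend the alert's banner to non-internal bodies."""
    msg = message_from_string(raw)
    kind = classify_domain(sender_domain(msg), org)
    msg["X-Sender-Class"] = kind
    if kind != "internal" and not msg.is_multipart():
        note = BANNER if kind == "external" else f"{BANNER} (LOOK-ALIKE OF @{org})"
        msg.set_payload(f"*** {note} ***\n\n{msg.get_payload()}")
    return msg


# Constructed sample messages (not real mail): the three bogus domains are the
# ones the alert lists; the last two are a genuine internal mail and a partner mail.
def _mail(sender: str, body: str) -> str:
    return f"From: {sender}\nTo: payments@company.com\nSubject: Wire request\n\n{body}\n"

SAMPLE_MESSAGES = {
    "typo":      _mail("Designated Executive <d.executive@conpany.com>", "Wire $1,000,000 to account 123456789 today."),
    "homoglyph": _mail("Designated Executive <d.executive@cornpany.com>", "Please process the attached wire before noon."),
    "dropped":   _mail("Designated Executive <d.executive@cmpany.com>", "Send the wire and confirm by email only."),
    "internal":  _mail("Designated Executive <d.executive@company.com>", "Approved per our call. Best Regards,"),
    "partner":   _mail("Accounts Payable <ap@supplier.example>", "Remittance advice attached."),
}


def audit(messages: dict) -> dict:
    """Classify every sample; returns {name: class} for the demo and tests."""
    return {name: tag_message(raw)["X-Sender-Class"] for name, raw in messages.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        msg = tag_message(raw)
        print(f"{name:10} {sender_domain(msg):22} -> {msg['X-Sender-Class']}")
```

In production the same logic would run as a transport rule or milter on the gateway, with the look-alike result also feeding the block list for the domain-blocking measure and a quarantine folder for later reporting. The edit-distance threshold of 2 will occasionally flag a legitimate but similarly named domain; that is the right failure direction for a payments mailbox, where a false banner costs a phone call and a missed one costs the wire.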

ACT NOW

If you suspect your organization has been the victim of a wire fraud or other cyberattack, you should contact the cyber divisions of such federal law enforcement agencies as the FBI or US Secret Service.

To learn more about how DLA Piper and CrowdStrike can assist you in understanding or responding to this or any other security concerns your organization faces, contact the authors at [email protected] or [email protected].



www.dlapiper.com

Copyright © 2015 DLA Piper LLP (US). All rights reserved. This bulletin is intended as a general overview and discussion of the subjects dealt with. It is not intended, and should not be used, as a substitute for taking legal advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on the basis of this publication. Pursuant to applicable Rules of Professional Conduct, it may constitute advertising. Circular 230 Notice: In compliance with US Treasury Regulations, please be advised that any tax advice given herein (or in any attachment) was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding tax penalties or (ii) promoting, marketing or recommending to another person any transaction or matter addressed herein.

ABOUT US

DLA Piper is a global law firm with lawyers in the Americas, Asia Pacific, Europe and the Middle East, positioning us to help companies with their legal needs around the world. To learn more, visit www.dlapiper.com.

FOR MORE INFORMATION

For more information about addressing cyberthreats, contact:

Tara Swaminatha
T +1 202 799 [email protected]