The cybersecurity landscape has witnessed an alarming rise in social engineering incidents in which criminals trick employees into wiring funds out of corporate accounts and into accounts the criminals control. This form of fraud is known as business email compromise (BEC). Recent examples include Ubiquiti Networks, which was swindled out of $47 million, and Bitpay, which lost $1.8 million. The FBI reports that more than 17,000 enterprises have lost a total of $2.3 billion to these scams over the past two years, and that this form of theft has grown more than 270% since January 2015.
My company, Centrify, has been the target of several of these social engineering attempts. By using our experience as a case study, I hope to help others avoid crippling losses.
A Firsthand Account
Two years ago, Centrify’s vice president of finance received an email from our CFO, Tim Steinkopf, which appeared to be a forwarded request from me, the CEO, asking that a wire transfer for $347,493.41 be sent to a third-party account. The email included a PDF attachment with wire instructions for a company called Indeva Corporation and a U.S.-based Citibank account. Many wire scams direct funds to banks in China; a domestic account made this one look more legitimate, and so more advanced.
Our vice president of finance replied to “Tim” saying she needed to work with our accounting manager to make this happen, and “Tim” asked for a confirmation once the transfer was complete.
Luckily, Centrify has a sound division of labor and established protocols for wire transfers, which had the immediate effect of buying time. It also happened that the vice president of finance bumped into the real Tim in the hallway and mentioned that she sent my request to the accounting manager, but still needed proper documentation for the wire. A baffled Tim asked to see the email. When he asked me about the wire and saw my confusion, it became clear a scam was afoot.
After scrutinizing the email, we realized it had come from a lookalike domain, “centrilfy.com,” with an added “l.” We then contacted Vistaprint, where the domain was registered, and they found that more than 50 other imitation domains had been created just that morning. If any of the companies those domains imitated lacked strict guidelines for documenting and approving wire transfers, they easily could have lost a substantial amount of money.
This was only the first of many scam attempts. In February 2015, another fake email from me arrived, also asking for a transfer. This time, the domain used was “cenrtify.com” with the “r” and “t” transposed. The scammers asked Tim to process a wire transfer of $145,850.
In June, another impostor email purporting to come from me reached the CFO. In this instance, the reply-to address pointed to a Czech domain, emkei.cz. The scammers sent an email with the subject “Urgent,” asking if Tim would be able to initiate an immediate transfer, noting they would send the details once he confirmed he could do it.
Two months later, yet another fake email purporting to be from me reached the CFO. This time the reply-to address was a Gmail account, and again it asked Tim to confirm that he could handle the transfer before they sent along the details of the recipient, a supposed client.
We now see a bogus wire transfer attempt every two or three weeks. The criminals have also shifted tactics, contacting human resources and payroll personnel to ask for employees’ W-2 forms. Snapchat recently fell victim to such a fraud attempt. In their case, the scammers succeeded: It appeared the CEO was asking for all the company W-2s, and the person in payroll dutifully complied.
There are several easy steps to take to avoid getting scammed. First and foremost, it is important to implement a multi-layered approval system for all wire transfers. Double-check that several stages of in-person approvals are required, and be sure to err on the side of over-communicating the details.
Second, make sure any wire transfer is associated with, and maps to, an actual purchase order inside the accounting system. Again, proper documentation is crucial. A paper trail can save you from a string of unanswered questions in the future.
From a security standpoint, add multifactor authentication to all key applications, including financial systems, so that initiating a wire transfer requires more than a password. Be clear about what this does and does not cover: none of the emails described above relied on a stolen password, so MFA alone would not have stopped them. What it protects against is the case where criminals have compromised the credentials of key employees, such as those in the finance department. For that case, also layer on other identity controls such as privileged session monitoring for sensitive systems.
Lastly, it might be prudent to register domain names that are variations of your company name. Look for common misspellings, inserted or transposed letters (the “centrilfy” and “cenrtify” examples above), and ways letters can be substituted. For example, if you have an “E” in your domain name, purchase the domain that substitutes a “3” for the “E.” You cannot register every possible variant, so treat this as a complement to the approval process rather than a replacement for it, and have your mail gateway flag inbound messages whose sender or reply-to domain is a near match for your own.
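The two email tells described in this account (a lookalike sender domain, and a reply-to address that points somewhere other than the apparent sender) and the domain-variant list suggested just above can both be turned into a simple mail-gateway check. The following is an added example written for this page, not Centrify’s code or any product’s implementation. It generates one-edit variants of a domain label (inserted letter, transposed neighbours, and a small, assumed homoglyph substitution table that is illustrative rather than complete), then inspects three constructed sample messages modelled on the incidents above and returns the reasons each should be held for out-of-band confirmation. The `ceo@`/`cfo@` addresses are placeholders.

```python
"""Lookalike-domain generation and a From/Reply-To sanity check for inbound mail.

Added example for this article; the HOMOGLYPHS table and the sample
messages are constructed assumptions, not data from any real incident.
"""
import string
from email import message_from_string
from email.utils import parseaddr

# Illustrative substitution table (an assumption, not an exhaustive list).
HOMOGLYPHS = {"e": ["3"], "i": ["1", "l"], "l": ["1", "i"], "o": ["0"],
              "a": ["4"], "s": ["5"], "rn": ["m"], "m": ["rn"]}


def lookalike_variants(label):
    """Return one-edit variants of a domain label (the part before the TLD).

    Covers the three tricks in the article: an inserted letter ("centrilfy"),
    transposed neighbours ("cenrtify") and look-alike characters ("c3ntrify").
    """
    variants = set()
    for i in range(len(label) + 1):                 # inserted letter
        for c in string.ascii_lowercase:
            variants.add(label[:i] + c + label[i:])
    for i in range(len(label) - 1):                 # transposed neighbours
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for src, subs in HOMOGLYPHS.items():            # character substitution
        pos = label.find(src)
        while pos != -1:
            for sub in subs:
                variants.add(label[:pos] + sub + label[pos + len(src):])
            pos = label.find(src, pos + 1)
    variants.discard(label)                         # the real label is not a variant
    return variants


def _domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def inspect_message(raw, our_domain):
    """Return the reasons (possibly none) a message should be held for
    out-of-band confirmation before anyone acts on a payment request."""
    msg = message_from_string(raw)
    label, _, tld = our_domain.partition(".")
    suspects = {v + "." + tld for v in lookalike_variants(label)}
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To")) or from_dom   # no Reply-To: replies go to From
    reasons = []
    if from_dom in suspects:
        reasons.append("From domain %s is a lookalike of %s" % (from_dom, our_domain))
    if reply_dom != from_dom:
        reasons.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))
    subject = (msg.get("Subject") or "").lower()
    if any(w in subject for w in ("urgent", "wire", "transfer", "w-2")):
        reasons.append("Subject mentions a payment or urgency: %r" % msg.get("Subject"))
    return reasons


# Constructed sample messages modelled on the incidents described in the article.
LOOKALIKE_MSG = """\
From: CEO <ceo@centrilfy.com>
To: cfo@centrify.com
Subject: Fwd: Payment to vendor

Please see the attached wire instructions and confirm once sent.
"""
REPLY_TO_MSG = """\
From: CEO <ceo@centrify.com>
Reply-To: ceo@emkei.cz
To: cfo@centrify.com
Subject: Urgent

Can you initiate an immediate transfer today? I will send the details once you confirm.
"""
CLEAN_MSG = """\
From: CEO <ceo@centrify.com>
To: cfo@centrify.com
Subject: Board deck review

Comments on slide 4 attached.
"""

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE_MSG), ("reply-to", REPLY_TO_MSG), ("clean", CLEAN_MSG)):
        print(name, "->", inspect_message(raw, "centrify.com") or ["no findings"])
```

The point of returning reasons rather than a yes/no verdict is that the gateway can quarantine or tag the message and hand the reasons to the recipient, who then confirms in person, exactly the step that stopped the first attempt described above. The variant set can also be fed directly to a registrar or to a watch list for the variants you chose not to buy.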
Regardless of the preventative measures taken, however, social engineering scams will continue to proliferate as long as they are successful. The key to keeping your business secure in the face of criminal pressure is to remain vigilant.