Dark Reading is part of the Informa Tech Division of Informa PLC



11/6/2019
05:00 PM

Accounting Scams Continue to Bilk Businesses

Yes, ransomware is plaguing businesses and government organizations, but impersonators inserting themselves into financial workflows - most often via e-mail - continue to enable big paydays.

In mid-October, the municipal offices of the city of Ocala, Florida, received a legitimate invoice from a construction company for nearly three-quarters of $1 million, a partial payment for construction of a new terminal at the Ocala International Airport. When the city paid the invoice, however, the money went into the coffers of criminals overseas. 

A massive bank hack? No. The criminals had impersonated the construction company nearly a month earlier and managed to convince a city employee to change the bank to which funds were paid, according to a report in the Ocala Star-Banner. The $742,000 windfall for the criminals came after the legitimate company issued the invoice, and when the construction company notified the city five days later on Oct. 22, the money was gone.

"We take our city's cyber security seriously and employees participate in mandatory trainings to arm them with the skills needed to identify and report these sophisticated campaigns," Ashley Dobbs, Ocala's marketing and communication manager, told the newspaper. "While we can't change this outcome, we will continue to update and refine our cyber security systems and trainings to minimize future impacts."

While ransomware continues to garner attention for its sheer disruptive power, businesses and government organizations continue to lose billions of dollars to impersonators who insert themselves into the victims' financial workflow. Known most often as business e-mail compromise (BEC), the scam targets critical employees with phishing e-mails that specifically request they change the bank information for a particular vendor. When the company or organization pays future invoices, the funds are transferred to the fraudster's bank account.

The number of attempts at e-mail impersonation has skyrocketed, jumping by 269%, according to messaging security firm Mimecast. In its quarterly E-mail Security Risk Report, the company found that only two-hundredths of a percent of e-mail messages involved impersonation, but that still amounted to more than 60,000 messages, more than double the number of messages with malware attached. In a previous survey, the company found that 85% of companies surveyed had experienced an impersonation attack in 2018.

"Businesses need to change their methodology and train users how to validate these e-mail messages," says Josh Douglas, vice president of threat intelligence at Mimecast. "There really should be an additive layer to look for this malicious activity."

The scheme has been lucrative for attackers. Nearly 180 countries and all 50 states have reported incidents of BEC, and reported losses have doubled in the past year, according to the FBI, which compiles statistics of compromises reported to the Internet Crime Complaint Center (IC3). In the past three years, more than $26 billion in losses due to BEC have been reported internationally, the FBI said.

"Based on the financial data, banks located in China and Hong Kong remain the primary destinations of fraudulent funds," the agency said. "However, the Federal Bureau of Investigation has seen an increase of fraudulent transfers sent to the United Kingdom, Mexico, and Turkey."

Ocala is just the most recent victim. 

In August, the city of Naples, also in Florida, paid about $700,000 to a scammer's bank account after fraudsters changed the bank-routing information two months earlier, according to news reports. Two months later, the Japanese newspaper conglomerate Nikkei discovered that a New York City-based employee had been fooled into sending approximately ¥3.2 billion — about $29 million — on the order of what appeared to be a Nikkei executive. 

"Shortly after, Nikkei America recognized that it was likely that it had been subject to a fraud, and Nikkei America immediately retained lawyers to confirm the underlying facts while filing a damage report with the investigation authorities in the U.S. and Hong Kong," the company stated.

Companies need to make sure they are using multiple methods of verifying requests to change bank account information, Mimecast's Douglas says. And improving security on large transactions is not enough, as the FBI noted that payroll transactions are also a big target.

"With CEO fraud a year ago, attackers were going large-scale and going after financials," Douglas says. "We are seeing a lot more targeted e-mails at the financial and HR teams to get a single paycheck. That piles up quickly and does not raise as many alarms in the process."
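One way to turn the verification advice above into a payment-release check, as an added example that is not from the article, Mimecast or the FBI: a payment is held whenever the destination account came from a bank-detail change that lacks confirmations on channels other than the one the request arrived on, regardless of the amount or of how long ago the change was made. The record layout, channel names, sample data and the two-confirmation threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class BankChange:
    payee: str
    new_account: str
    changed_on: date
    request_channel: str                   # how the change request arrived
    verified_via: frozenset = frozenset()  # channels staff used to confirm it

@dataclass(frozen=True)
class Payment:
    payee: str
    account: str
    amount: float
    pay_date: date

def review_payment(payment, changes, min_independent=2):
    """Return (decision, reason). min_independent is an assumed policy value;
    the amount and the age of the change are ignored on purpose."""
    history = [c for c in changes if c.payee == payment.payee and c.changed_on <= payment.pay_date]
    if not history:
        return "release", "no bank-detail change on record"
    latest = max(history, key=lambda c: c.changed_on)
    if payment.account != latest.new_account:
        return "hold", "account differs from latest details on file"
    # A confirmation on the channel that carried the request does not count.
    independent = latest.verified_via - {latest.request_channel}
    if len(independent) < min_independent:
        return "hold", f"change of {latest.changed_on}: {len(independent)} independent confirmation(s)"
    return "release", "change confirmed out of band"

CHANGES = [  # constructed sample data: payees, accounts, dates and amounts are made up
    BankChange("builder-co", "ACCT-9001", date(2019, 9, 20), "email", frozenset({"email"})),
    BankChange("emp-1042", "ACCT-7310", date(2019, 10, 1), "email"),
    BankChange("paving-inc", "ACCT-5522", date(2019, 8, 5), "email", frozenset({"callback", "portal"})),
]
PAYMENTS = [
    Payment("builder-co", "ACCT-9001", 500_000.00, date(2019, 10, 17)),  # vendor invoice
    Payment("emp-1042", "ACCT-7310", 2_100.00, date(2019, 10, 15)),      # payroll deposit
    Payment("paving-inc", "ACCT-5522", 48_000.00, date(2019, 10, 17)),
    Payment("office-supply", "ACCT-1200", 350.00, date(2019, 10, 17)),
]

def held(payments=PAYMENTS, changes=CHANGES):
    return [p.payee for p in payments if review_payment(p, changes)[0] == "hold"]

if __name__ == "__main__":
    print(held())
```

The constructed vendor invoice and the small payroll deposit are both held, because neither change was confirmed anywhere but the e-mail channel that requested it.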


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
 
