Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

11/6/2019
05:00 PM

Accounting Scams Continue to Bilk Businesses

Yes, ransomware is plaguing businesses and government organizations, but impersonators inserting themselves into financial workflows - most often via e-mail - continue to enable big paydays.

In mid-October, the municipal offices of the city of Ocala, Florida, received a legitimate invoice from a construction company for nearly three-quarters of a million dollars, a partial payment for construction of a new terminal at the Ocala International Airport. When the city paid the invoice, however, the money went to criminals overseas.

A massive bank hack? No. Nearly a month earlier, the criminals had impersonated the construction company and convinced a city employee to change the bank account to which its payments were sent, according to a report in the Ocala Star-Banner. The $742,000 windfall came when the legitimate company issued its invoice and the city paid it to the substituted account. By the time the construction company notified the city five days later, on Oct. 22, the money was gone.

"We take our city's cyber security seriously and employees participate in mandatory trainings to arm them with the skills needed to identify and report these sophisticated campaigns," Ashley Dobbs, Ocala's marketing and communication manager, told the newspaper. "While we can't change this outcome, we will continue to update and refine our cyber security systems and trainings to minimize future impacts."

While ransomware continues to garner attention for its sheer disruptive power, businesses and government organizations continue to lose billions of dollars to impersonators who insert themselves into the victims' financial workflows. Known most often as business e-mail compromise (BEC), the scam targets the employees who control payments with e-mails that pose as a vendor or executive and request that the bank account on file for a particular vendor be changed. No malware is needed: once the record is altered, every future invoice the organization pays is routed to the fraudster's account.

The number of e-mail impersonation attempts has skyrocketed, jumping by 269%, according to messaging security firm Mimecast. In its quarterly E-mail Security Risk Report, the company found that only two-hundredths of a percent of e-mail messages involved impersonation, but that still amounted to more than 60,000 messages, more than double the number carrying malware attachments. In an earlier survey, the company found that 85% of companies surveyed had experienced an impersonation attack in 2018.

"Businesses need to change their methodology and train users how to validate these e-mail messages," says Josh Douglas, vice president of threat intelligence at Mimecast. "There really should be an additive layer to look for this malicious activity."
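As an added illustration of what such an "additive layer" can check before a payment-change request ever reaches accounts payable, the Python below scores an inbound message on three BEC indicators: a trusted display name arriving from a different or look-alike domain, a Reply-To that diverges from the From address, and bank-change language in the body. This is example code written for this page, not code from the article, Mimecast, or any organization named here; the vendor allow-list, the domains and the sample messages are constructed for the demonstration.

```python
"""Added example: triage inbound mail for vendor/executive impersonation.

Not code from the article or any vendor it quotes. KNOWN_SENDERS, the phrase
list, the thresholds and the sample messages below are constructed.
"""
import difflib
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed allow-list: counterparties accounts payable deals with and the
# one domain each is expected to mail from (hypothetical names and domains).
KNOWN_SENDERS = {
    "Ausley Construction": "ausleyconstruction.example",  # hypothetical vendor
    "Jane Doe": "city.example",                            # hypothetical CFO
}

# Wording that typically accompanies a bank-account or remittance change.
BANK_CHANGE_PHRASES = ("new bank", "updated banking", "change our account",
                       "routing number", "wire instructions", "remittance")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain: str, trusted: str) -> bool:
    """True if `domain` is not `trusted` but is confusable with it.

    Covers the usual BEC tricks: single-character swaps (ausleyconstructi0n),
    inserted hyphens (ausley-construction) and the trusted label reused as a
    subdomain of an attacker-controlled parent.
    """
    if domain == trusted:
        return False
    base, tbase = domain.split(".")[0], trusted.split(".")[0]
    if tbase in domain or base.replace("-", "") == tbase.replace("-", ""):
        return True
    return difflib.SequenceMatcher(None, base, tbase).ratio() >= 0.85


def _body_text(msg: Message) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks).lower()


def triage(raw: str) -> dict:
    """Return {'verdict': 'quarantine'|'verify'|'pass', 'findings': [...]}.

    quarantine: payment-change language AND a header anomaly (classic BEC shape)
    verify:     either signal alone; route to out-of-band confirmation
    pass:       nothing of interest for the payments team
    """
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(addr)
    anomalies = []

    trusted = KNOWN_SENDERS.get(name.strip())  # exact display-name match
    if trusted and from_dom != trusted:
        kind = "look-alike" if lookalike(from_dom, trusted) else "unrelated"
        anomalies.append(f"display name '{name}' sent from {kind} domain {from_dom}")
    if reply_to and _domain(reply_to) != from_dom:
        anomalies.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_dom}")

    body = _body_text(msg)
    hits = [p for p in BANK_CHANGE_PHRASES if p in body]
    findings = list(anomalies)
    if hits:
        findings.append("payment-change language: " + ", ".join(hits))

    if hits and anomalies:
        verdict = "quarantine"
    elif hits or anomalies:
        verdict = "verify"
    else:
        verdict = "pass"
    return {"verdict": verdict, "findings": findings}


# Constructed sample messages (not real mail).
SAMPLE_IMPERSONATION = """\
From: "Ausley Construction" <accounts@ausleyconstructi0n.example>
Reply-To: <ap-desk@mail-secure.example>
To: payables@city.example
Subject: Updated banking details for terminal project

Please note our updated banking information for all future payments.
New routing number and account are below; apply before the next invoice.
"""

SAMPLE_LEGIT = """\
From: "Ausley Construction" <accounts@ausleyconstruction.example>
To: payables@city.example
Subject: Invoice 1042

Attached is invoice 1042. Our wire instructions are unchanged.
"""

SAMPLE_BENIGN = """\
From: "Jane Doe" <jane.doe@city.example>
To: payables@city.example
Subject: Thursday meeting

Moving the budget review to 3pm.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_IMPERSONATION, SAMPLE_LEGIT, SAMPLE_BENIGN):
        print(triage(sample))
```

Note that the legitimate vendor invoice still lands in "verify" because it mentions wire instructions; that is deliberate, since the control the article argues for is that any payment-routing conversation gets confirmed through a channel other than the e-mail thread itself, regardless of how clean the headers look.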

The scheme has been lucrative for attackers. Nearly 180 countries and all 50 states have reported incidents of BEC, and reported losses have doubled in the past year, according to the FBI, which compiles statistics on complaints submitted to its Internet Crime Complaint Center (IC3). Over the past three years, more than $26 billion in BEC losses have been reported internationally, the FBI said.

"Based on the financial data, banks located in China and Hong Kong remain the primary destinations of fraudulent funds," the agency said. "However, the Federal Bureau of Investigation has seen an increase of fraudulent transfers sent to the United Kingdom, Mexico, and Turkey."

Ocala is just the most recent victim. 

In August, the city of Naples, also in Florida, paid about $700,000 into a scammer's bank account after fraudsters had changed the vendor's bank-routing information two months earlier, according to news reports. Two months later, the Japanese newspaper conglomerate Nikkei disclosed that a New York City-based employee had been fooled into sending approximately ¥3.2 billion, about $29 million, on instructions that appeared to come from a Nikkei executive.

"Shortly after, Nikkei America recognized that it was likely that it had been subject to a fraud, and Nikkei America immediately retained lawyers to confirm the underlying facts while filing a damage report with the investigation authorities in the U.S. and Hong Kong," the company stated.

Companies need to verify any request to change bank account information through more than one method, and through a channel other than the e-mail that carried the request, Mimecast's Douglas says. Tightening controls only on large transactions is not enough: the FBI has noted that payroll transactions are also a major target.

"With CEO fraud a year ago, attackers were going large-scale and going after financials," Douglas says. "We are seeing a lot more targeted e-mails at the financial and HR teams to get a single paycheck. That piles up quickly and does not raise as many alarms in the process."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
