Domains in disguise
Featured Article

Using a classic phishing scheme, fraudsters are taking control of company email accounts to initiate wire transfers from unsuspecting employees. We show how crooks lure victims into their traps and how you can protect your clients.

A new controller, Sam, reported for work at ABC Tire Company. He was anxious to prove that his employer had hired the right person. In his first week, he received an email from the company CEO with the instructions, "Process a wire of $205,250.29 ASAP to the below account information. Code it to professional services. Send me the confirmation when completed. Thanks, Gary, CEO."

Sam promptly followed his CEO's instructions and completed the wire. When he approached the CEO the following day, Sam smiled and said, "Sir, I took care of that wire transfer you requested." The CEO responded, "What wire transfer?" To his horror, Sam realized he'd been a victim of an Internet fraud scheme. The email had come from a fake, cleverly disguised corporate domain.

This scenario describes a crime that's occurring in all types of international organizations. Our company first began receiving reports in spring of 2014 about a scheme that tricked companies into fraudulently wiring funds to "vendors" with overseas bank accounts. It first appeared to resemble a standard phishing attack. [Cybercriminals use emails to "phish" for personally identifiable sensitive information (PII) such as usernames and passwords. A legitimate-looking email requests the recipient to click a link and log in. The victim enters PII onto the site and the phish is speared.]

However, we soon found that the scheme had three unique traits: 1) It used a fake email domain intentionally designed to fool the recipient into thinking it came from his or her company. 2) The victim companies, rather than the banks, suffered the full loss of the funds. 3) It had an alarmingly high success rate — a sure sign that it will be a growing trend.

In this fraud, a company's accounting personnel receive an email from a "senior executive" in the company who requests that they wire funds to an overseas bank account — supposedly for a new vendor — only to find out after the transaction that the email was forged.

As the reports started pouring in from our clients, the U.S. Secret Service confirmed that a wire transfer scheme using fake email domains — and exhibiting the three unique traits listed above — was becoming widespread throughout the country.

According to our investigation, the fraudsters:

  • Knew the executive and staffer in the organization who were responsible for transferring funds by wire.
  • Appeared to know the wire transfer limits of those targeted in the organization.
  • Had access to the email inboxes, calendars and voice messaging systems of those responsible for transferring funds by wire.
  • Used similar language in the emails requesting funds transfers (except for amounts and banking instructions to complete the transfer of funds).
  • Requested funds be wired to first-time "vendors."

Initially, the details of this scheme and the high success rate suggested that insiders were assisting the fraudsters. In each case we reviewed, the fraudsters appeared to have proprietary information uniquely available to the company's executives, their assistants and accounting staffers. However, we discovered that the fraudsters didn't need any inside help. They had insidiously penetrated client systems by covertly reading emails between executives and employees. Via phishing attacks or social engineering, the fraudsters identified those responsible for transfers, their funding limitations, corporate accounting expense recordings and bank protocols relating to wire transfer requests.

The fraudsters waited for the optimum time to email the unassuming accounting staffer in an executive's name to request the wire transfer. (The best time was when the executive who could authorize the transfer was traveling or otherwise difficult to reach, while the staffer who would act on the phony email was available.) They typically used a fake domain — usually obtained from a foreign vendor — that was very similar to the company's actual domain, so that it wasn't suspicious to the recipient and the executive they were impersonating didn't detect the email. The fraudsters had the payment initially directed to a non-U.S. bank account and then redirected the funds several times until the money reached a bank located in a known tax haven, which made retrieval and/or prosecution difficult, if not impossible. Recent cases have seen funds end up in U.S. accounts as well.

Successful fraudsters emptied the accounts within hours to days after the wire transfers, so the only way for victim companies to retrieve the funds was to quickly recall the transfers or freeze accounts. Once the transfers were complete, so were the financial losses to the companies, while the banks remained unscathed.

Prevention is the only true protection: Strong vendor protocols, financial controls and staff communication and training are essential to thwarting these fraudsters.

Getting inside

For many of the victimized companies, it's often a mystery how fraudsters targeted their business, identified the decision makers and gained access. However, simple searches on social media sites will often supply names, titles and responsibilities of current and former employees of targeted companies — from C-suite executives to functionaries in accounts payable departments.

When social media is unhelpful, those fraudsters who are expert social engineers will call employees to obtain the identities of their targets. We've even seen successful schemes in which unsophisticated accounting employees have given out sensitive business information such as wire transfer protocols, bank account details and passwords to fraudsters posing as legitimate third parties.

Fraudsters then will initiate phishing attacks hoping just one staffer will be induced to provide the access that sets the scheme in motion. An early iteration of the scheme used a phishing attack with a fake Google Docs website to capture corporate email logins from targeted employees of victim companies — usually staffers in the accounting department. (See Figure 1 below — sample phishing Google Docs webpage. Note login request and non-Google domain.) Recent attacks have leveraged the ability to host the website on Google's hosting platform, so the URL seems legitimate, and the web page is a near-perfect replica of Google's login page.

[Figure 1: Sample phishing Google Docs webpage, showing the login request and the non-Google domain]

When the employee enters company-provided email credentials into the web form and clicks "View Document," the phishing website redirects the employee to a page that claims the document can't be found. But now the employee's credentials have been sent to the fraudster who then uses them to log into the email account. Spending just a short time in employees' email accounts enables the fraudster to gather the information he needs to execute the fraudulent wire transfer requests.

Armed with the necessary information and access, the fraudster patiently monitors the executive's email account and waits for the optimum time to execute the fraud. The fraudster, who has complete control of that account, can permanently delete emails or create mailbox rules to redirect any replies from recipients to the trash or archives. In some cases, the fraudster appears to wait until the executive is traveling or otherwise difficult to reach to execute the scheme. Apparently, he does this to thwart bank protocols, including the routine "call-back" protocol that requires verbal authorization from the executive with ultimate responsibility for the funds transfer.

Our company investigated two instances in which the fraudsters had apparent control of the executives' systems and knowledge of bank call-back protocols when they attempted to execute the schemes. In one case, a client reported that the bank had called the executive while he was traveling and left a voice message requesting authorization to execute the transfer of funds. The fraudsters had access to the executive's voice messaging system and intercepted the message. One of the fraudsters impersonated the executive and subsequently wrote an email from the executive's email box acknowledging receipt of the voice message. The fraudster, in the guise of the executive, informed the bank representative that he couldn't return the call but he confirmed the wire instructions, which the bank dutifully performed. Another client reported a similar attempt that was unsuccessful because an employee followed an internal control.

Executing the fraud

Regardless of how fraudsters gained access to a company's systems, they always used a fake domain — typically purchased from New Zealand or India. Because the fraudsters acquired the domain through overseas vendors, it was highly unlikely that private parties or U.S. law enforcement could ID the fraudster. First, investigating those vendors can be cost-prohibitive. Second, due to foreign privacy laws, vendors might not be required to verify the purchaser is a real person or entity, and there's no guarantee that the foreign court would recognize U.S. civil or criminal processes and require disclosure of the domain purchaser.

The fraudsters created domains nearly identical to the real domains of the target companies. In the ABC Tire Company example, the domain for the fake domain could, for instance, have an extra "i" in the word "Tire" (JSmith@ABCTiire.com; instead of JSmith@ABCTire.com). Normally, if a fraudster carefully executes the rest of the email, the victim won't notice the false domain.

In all the reports we examined, the emails requesting the fraudulent wire transfer of funds used a similar, simple format with particular language engineered to trick the email target. Figure 2 (below) provides five actual, sanitized examples of emails used in either attempted or successful frauds using fake domains.

[Figure 2: Five sanitized examples of emails used in attempted or successful wire transfer frauds using fake domains]

The emails use urgent language from the authorized executive along with specific and familiar expense codes ("Misc" or "Professional Services"), which place pressure on employees to expedite the wire transfer. While it seems hard to believe, employees in multiple companies prepared wire transfers to new, first-time vendors, which is arguably the biggest red flag in the scheme. In one instance, the employee wired the funds to an overseas account — a first for the victim company — to a first-time vendor. Thus, the employee failed to recognize two bright red flags: the new vendor and the company's first international transfer of funds.
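The two passages above describe the signals a reviewer can check before releasing a wire: a sender domain a character or two off from the real one (the ABCTiire.com example), a first-time vendor, the company's first international transfer, and the urgent, generic-expense-code language of the Figure 2 emails. The screener below is an added example written for this page, not code from the article or its authors; it turns those red flags into a pre-release check an accounts payable team could run. The corporate domain abctire.com follows the article's ABC Tire Company example, and the vendor history and sample request are constructed data.

```python
"""Screen a wire-transfer request for the red flags the article describes.

Added example, not part of the original article. TRUSTED_DOMAINS, the vendor
history and the sample request are constructed for illustration.
"""
from dataclasses import dataclass

# Domains the company legitimately sends mail from (constructed for the example).
TRUSTED_DOMAINS = {"abctire.com"}

# Pressure language of the kind quoted in the article's sample emails.
URGENCY_PHRASES = ("asap", "immediately", "urgent", "send me the confirmation")

# Familiar, generic expense codes the article says fraudsters reuse.
SUSPICIOUS_CODES = {"misc", "professional services"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a lookalike domain is one or two edits away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def lookalike_domain(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain the sender imitates, or None if genuine or unrelated."""
    dom = sender_domain(address)
    if dom in trusted:
        return None  # mail really came from (or at least claims) the real domain
    for real in trusted:
        if levenshtein(dom, real) <= max_distance:
            return real
    return None


@dataclass
class WireRequest:
    sender: str
    body: str
    expense_code: str
    vendor: str
    beneficiary_country: str


@dataclass
class CompanyHistory:
    known_vendors: set
    has_paid_internationally: bool
    home_country: str = "US"


def screen_request(req: WireRequest, history: CompanyHistory) -> list:
    """Return the list of red flags; an empty list means no flag was raised."""
    flags = []
    imitated = lookalike_domain(req.sender)
    if imitated:
        flags.append(f"sender domain {sender_domain(req.sender)} resembles {imitated}")
    if req.vendor not in history.known_vendors:
        flags.append("first-time vendor")
    if req.beneficiary_country != history.home_country and not history.has_paid_internationally:
        flags.append("company's first international transfer")
    text = req.body.lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        flags.append("urgency language")
    if req.expense_code.lower() in SUSPICIOUS_CODES:
        flags.append(f"generic expense code '{req.expense_code}'")
    return flags


if __name__ == "__main__":
    # Constructed request modelled on the article's opening scenario.
    request = WireRequest(
        sender="Gary@ABCTiire.com",
        body="Process a wire of $205,250.29 ASAP to the below account information. "
             "Code it to professional services. Send me the confirmation when completed.",
        expense_code="Professional Services",
        vendor="New Overseas Vendor Ltd",
        beneficiary_country="NZ",
    )
    history = CompanyHistory(known_vendors={"Acme Rubber Supply"}, has_paid_internationally=False)
    for flag in screen_request(request, history):
        print("RED FLAG:", flag)
```

Any non-empty result should route the request to the call-back step the article recommends rather than to the bank; the domain check alone catches the ABCTiire.com substitution that Sam missed, and the vendor and country checks catch the two "bright red flags" the text says the employee failed to recognize.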

Getting the money

Another unique aspect of this scheme was that the fraudsters didn't need the company's banking information to execute it. If the fraudsters were successful, they learned the company's bank and account information from the receiving bank, which possibly led to more theft.

Fraudsters will open bank accounts with small deposits seven to 10 days prior to attempts to execute frauds. In most early instances of the scheme we saw, fraudsters left instructions at the receiving banks to transfer the funds to international accounts in countries without an extradition treaty with the U.S.

More recently, fraudsters have directed funds to accounts at U.S. banks. In one case, the fraudster transferred funds from a foreign victim (Canadian) to a Miami bank. The fraudster then had the bank transfer a substantial portion of the deposited funds to a personal account in the same bank and withdrew $50,000 in currency before leaving the bank. Remarkably, bank officials weren't suspicious of a customer who, within days of opening an account with a $50 cash deposit, was withdrawing $50,000 in currency. (The fraudsters' use of a U.S. bank suggests that in some iterations of the fraud they now use straw men to open and empty accounts — a significant and less sophisticated mutation of the original scheme.)

In another U.S. example, the fraudster requested the victim entity to transfer funds to the account of a legitimate yacht broker from whom the fraudster planned to purchase a small yacht. However, the victim company became suspicious of the wire transfer request prior to its authorization.

Fraudsters who use U.S. banks and middlemen potentially increase their risk of being caught, but they gain access to the funds more quickly. Additionally, unlike other fraud schemes (counterfeit checks, credit card fraud, identity theft), in which banks typically incur financial losses, the fraudsters in this scheme have rightfully concluded that banks are extremely reluctant to question transactions in which they have no loss exposure.

What can victims do?

Once the wire transfer is complete, it's nearly impossible to reverse it if the fraud isn't detected almost immediately. And because the bank doesn't suffer any loss as long as it follows proper procedures, it won't freeze an account or return funds unless it's notified of the fraud. The only hope of recovering funds is a quick response. A victim company must react by notifying its bank's fraud unit and requesting the immediate recall of the wire transfer or a freeze of the accounts still holding balances. Bank protocols permit the freezing of accounts where funds from suspected fraudulent activity have been deposited.

The victim company's insurance company might require it to file complaints with local and federal law enforcement (the FBI and/or Secret Service), which it should do regardless. As first-responder investigators, we also advise companies to review past transfers to spot other possible fraudulent wires.

Protect yourself and your clients

Fraudsters typically target mid- to large-size companies because they routinely transfer hundreds of thousands of dollars to third parties that are unfamiliar to accounting staffers. However, smaller companies aren't immune; a significant loss may severely impact their ability to continue operations.

The first prevention step is to review wire transfer protocols, both internally and with the bank. Companies must insist that banks have call-back protocols and adhere to them regardless of how difficult it might be to reach the designated officials.

Internally, companies need to review their controls relating to payments and wire transfers and consider a higher level of authorization for disbursements to first-time vendors. For example, designate an official who "owns" each vendor and require the accounting staff member to contact that official before transferring funds.

Companies also need to arm against phishing attacks and social engineering. The best defense is education and training to help employees recognize these techniques.

Companies that use or allow Google Docs or Gmail should enable Google's 2-Step Verification, also known as two-factor authentication, to prevent an outside party from logging into Google without the requisite authenticator token. However, while a successful attack against Google's 2-Step login codes hasn't been reported, fraudsters often change tactics as defenses evolve.

A higher barrier to unauthorized access into Google Apps is the use of a third-party SSO (single sign-on) or SAML (Security Assertion Markup Language) provider, such as Ping Identity or Centrify. These services allow for a much stronger login system into Google applications because they can restrict login based on location, device and tokens. They also allow the login portal to be customized, which makes it difficult for an attacker to anticipate and mimic on a phishing page.

No one is safe. Fraudsters have successfully targeted all types of companies. The more successful they are, the more the scheme is likely to grow. Review your vendor protocols, financial controls and compliance policies. Most importantly, regularly train and encourage employees to recognize red flags and question suspicious requests. An employee who senses something is wrong is usually right.

Anthony Valenti, CFE, is managing director of Stroz Friedberg, LLC, which specializes in investigations, intelligence and risk services.

Stephen Korinko, CFE, CPP, is vice president of Stroz Friedberg, LLC.

The authors wish to thank Daniel Blank, digital forensic examiner, at Stroz Friedberg.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced. 

 
