
11/6/2019
05:00 PM

Accounting Scams Continue to Bilk Businesses

Yes, ransomware is plaguing businesses and government organizations, but impersonators inserting themselves into financial workflows - most often via e-mail - continue to enable big paydays.

In mid-October, the municipal offices of the city of Ocala, Florida, received a legitimate invoice from a construction company for nearly three-quarters of $1 million, a partial payment for construction of a new terminal at the Ocala International Airport. When the city paid the invoice, however, the money went into the coffers of criminals overseas. 

A massive bank hack? No. The criminals had impersonated the construction company nearly a month earlier and managed to convince a city employee to change the bank to which funds were paid, according to a report in the Ocala StarBanner. The $742,000 windfall for the criminals came after the legitimate company issued the invoice, and when the construction company notified the city five days later on Oct. 22, the money was gone.

"We take our city's cyber security seriously and employees participate in mandatory trainings to arm them with the skills needed to identify and report these sophisticated campaigns," Ashley Dobbs, Ocala's marketing and communication manager, told the newspaper. "While we can't change this outcome, we will continue to update and refine our cyber security systems and trainings to minimize future impacts."

While ransomware continues to garner attention for its sheer disruptive power, businesses and government organizations continue to lose billions of dollars to impersonators who insert themselves into the victims' financial workflow. Known most often as business e-mail compromise (BEC), the scam targets critical employees with phishing e-mails that specifically request they change the bank information for a particular vendor. When the company or organization pays future invoices, the funds are transferred to the fraudster's bank account.

The number of attempts at e-mail impersonation has skyrocketed, jumping by 269%, according to messaging security firm Mimecast. In its quarterly E-mail Security Risk Report, the company found that only two-hundredths of a percent of e-mail messages involved impersonation, but that still amounted to more than 60,000 messages, more than double the number of messages with malware attached. In a previous survey, the company found that 85% of companies surveyed had experienced an impersonation attack in 2018.

"Businesses need to change their methodology and train users how to validate these e-mail messages," says Josh Douglas, vice president of threat intelligence at Mimecast. "There really should be an additive layer to look for this malicious activity."

The scheme has been lucrative for attackers. Nearly 180 countries and all 50 states have reported incidents of BEC, and reported losses have doubled in the past year, according to the FBI, which compiles statistics of compromises reported to the Internet Crime Complaint Center (IC3). In the past three years, more than $26 billion in losses due to BEC have been reported internationally, the FBI said.

"Based on the financial data, banks located in China and Hong Kong remain the primary destinations of fraudulent funds," the agency said. "However, the Federal Bureau of Investigation has seen an increase of fraudulent transfers sent to the United Kingdom, Mexico, and Turkey."

Ocala is just the most recent victim. 

In August, the city of Naples, also in Florida, paid about $700,000 to a scammer's bank account after fraudsters changed the bank-routing information two months earlier, according to news reports. Two months later, the Japanese newspaper conglomerate Nikkei discovered that a New York City-based employee had been fooled into sending approximately ¥3.2 billion — about $29 million — on the order of what appeared to be a Nikkei executive. 

"Shortly after, Nikkei America recognized that it was likely that it had been subject to a fraud, and Nikkei America immediately retained lawyers to confirm the underlying facts while filing a damage report with the investigation authorities in the U.S. and Hong Kong," the company stated.

Companies need to make sure they are using multiple methods of verifying requests to change bank account information, Mimecast's Douglas says. And improving security on large transactions is not enough, as the FBI noted that payroll transactions are also a big target.

"With CEO fraud a year ago, attackers were going large-scale and going after financials," Douglas says. "We are seeing a lot more targeted e-mails at the financial and HR teams to get a single paycheck. That piles up quickly and does not raise as many alarms in the process."
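One way to enforce verification by more than one method before money moves, shown as an added example that is not from the article, Mimecast or the FBI: a payment-release gate that holds any invoice or payroll payment whose destination account was never confirmed through an independent channel. The record fields, channel names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumption: channels that are independent of the change request itself.
TRUSTED_CHANNELS = {"callback_number_on_file", "in_person"}

@dataclass
class BankChange:
    payee: str                  # vendor or employee identifier
    new_account: str
    requested_on: date
    entered_by: str             # staff member who keyed the change
    verified_via: Optional[str] = None          # channel used to confirm
    verified_by: Optional[str] = None           # staff member who confirmed
    contact_known_since: Optional[date] = None  # when that contact detail was recorded

@dataclass
class Payment:
    payee: str
    account: str
    amount: float               # never used to exempt small (payroll-sized) payments
    kind: str                   # "invoice" or "payroll"

def release_decision(p: Payment, changes: List[BankChange]) -> Tuple[str, str]:
    """Return ("release" | "hold", reason). The age of a change never clears it."""
    mine = [c for c in changes if c.payee == p.payee]
    latest = max(mine, key=lambda c: c.requested_on) if mine else None
    if latest is None or latest.new_account != p.account:
        return "hold", "destination account does not match the latest record"
    if latest.verified_via not in TRUSTED_CHANNELS:
        return "hold", "bank change not confirmed out of band"
    known = latest.contact_known_since
    if known is None or known >= latest.requested_on:
        return "hold", "confirmation used contact details that arrived with the request"
    if latest.verified_by in (None, latest.entered_by):
        return "hold", "confirmation must come from a second staff member"
    return "release", "bank change independently confirmed"

# Constructed sample data (not taken from any real case).
CHANGES = [
    BankChange("vendor-17", "ACCT-OLD", date(2018, 3, 1), "alice", "in_person", "bob", date(2017, 1, 5)),
    BankChange("vendor-17", "ACCT-NEW", date(2019, 9, 18), "alice"),  # e-mailed, never confirmed
    BankChange("emp-204", "ACCT-E2", date(2019, 10, 1), "carol",
               "callback_number_on_file", "dave", date(2016, 6, 1)),
]

if __name__ == "__main__":
    for pay in (Payment("vendor-17", "ACCT-NEW", 500000.0, "invoice"),
                Payment("emp-204", "ACCT-E2", 3100.0, "payroll")):
        print(pay.payee, pay.kind, release_decision(pay, CHANGES))
```

Because the gate ignores how long ago the change was made, a bank swap requested weeks before the invoice arrives is still held at payment time.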


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
