Legal Brief: 10 Ways to Avoid Being a Cyber Victim

Sept. 13, 2018
How one false email nearly cost one company millions
Timothy J. Pastore, Esq., is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department. Before entering private practice, Mr. Pastore was an officer and Judge Advocate General (JAG) in the U.S. Air Force and a Special Assistant U.S. Attorney with the U.S. Department of Justice. Reach him at (212) 551-7707 or by e-mail at tpastore@mmwr.com.

The following is based on actual events (the names have been anonymized to protect the innocent)…

It was a simple transaction, unfolding over a period of weeks – but someone else was watching. The transaction involved the transfer of several millions of dollars from Company A to Company B, using their respective bank accounts. The senior person leading the deal for Company A was guiding his team, mostly over email…but someone else was watching.

At some point, the senior guy (or so it seemed) wrote to his team that the wire instructions for the transaction had changed. This sometimes happens in commercial transactions, so it did not seem out of the ordinary to the team. His colleagues – thinking that they had been safely instructed by their boss to make the change – then attempted to wire millions of dollars to Company B.

Thankfully, they mistakenly entered the wrong wire transfer numbers and the money did not transfer.

So, the team from Company A called Company B to verify the new instructions. Of course, Company B knew nothing of the new wire instructions – which revealed to the team members of Company A that the instructions seemingly provided by the senior guy were for a totally separate account at a separate bank opened (fraudulently) in the name of the intended recipient.

That someone else who was watching was a hacker – a cybercriminal. The hacker had infiltrated the company’s email system – perhaps weeks or months earlier. He was watching email traffic within Company A and came upon a discussion about this pending transaction. He was aware of the details and timing of the transaction and knew who was in charge of the deal for Company A.

The hacker paid for the registration with bitcoin, which made the purchase harder to trace, and bought an alternative, nearly identical domain name to Company A’s. He then used that false domain to impersonate the senior person on the transaction by email. In fact, the fraudulent domain deviated by only one character from Company A’s proper domain, so to the casual reader it appeared identical.

Using the false but nearly identical email address, the hacker inserted himself in the email conversation, omitted the senior person, and then exchanged emails with the remaining team members of Company A. In that exchange, he provided the new (false) wiring instructions to the unsuspecting team members.

That this criminal plan was thwarted and the money not transferred to the hacker was simply by luck – not by design.

Don’t Become a Victim

Every day, cybercriminals are trying to access your company and personal information, steal and trade on that sensitive data, and even divert your million-dollar wire transfers. There are no perfect fixes, but observing some or all of the following 10 protocols will help keep your company safe from these criminals. Deploying these protections is only half the job; you and your team also must practice, practice, practice. That is what protects your company from cybercrime by design, and not by luck as in the story above.

1. If you are unsure whether an email request is legitimate – such as a change in wiring instructions – verify the request by contacting the recipient directly, by telephone, before any money moves. Do not use contact information supplied in the request itself or on a website linked from it, because the attacker controls both; instead, use a number you already have on file from previous statements or correspondence.

2. Always check the domain name of those from whom you receive emails. The difference between a legitimate address and a look-alike may be a single character, and it is easy to miss when the two are not side by side. We receive so many emails, and the differences can be very slight; to make matters more difficult, many email clients display only the sender’s name and not the actual address, so expand or hover over the sender to see the address itself.

3. If someone sends you a link by email, pay attention to the actual URL the link points to (not just the text of the link) and to the domain the email came from. Malicious websites may look identical to the real one but use a variation in spelling or a different top-level domain, such as .net instead of .com.

4. Be suspicious of unsolicited phone calls, visits or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, do your best to verify his or her identity directly with that company.

5. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.

6. Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.

7. Install and keep updated anti-virus software, firewalls and email filters. They will stop some, though not all, of this traffic.

8. Check your business’s online banking accounts for unauthorized activity periodically, and set up online alerts to notify you and your accounting team of account changes and transactions.

9. Never share banking credentials and passwords, and never log into an online banking portal from a public computer or over a public or untrusted Wi-Fi network.

10. Adopt multi-factor authentication for all online banking accounts, and for the email accounts through which transactions like the one above are discussed, and always log off the online banking account when it is not in use.
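As an added example (not part of the original brief, and not code from the author or his firm), the following Python script puts the checks behind items 2 and 3 into code. It pulls the real mailbox out of a From: header, refuses to trust the display name, and compares the sender’s domain with a set of trusted domains after folding common look-alike substitutions (rn for m, 0 for o, Cyrillic letters for Latin ones) and allowing one character of difference. The trusted domains and the sample headers are constructed for illustration.

```python
"""Flag look-alike sender domains in From: header values (added example)."""
import re
import unicodedata

# Assumption: the organisation's real domains. Replace with your own.
TRUSTED_DOMAINS = {"companya.com", "companyb.com"}

# Character sequences attackers swap for visually similar ones when they
# register a look-alike domain. Multi-character entries come first so that
# "rn" is folded to "m" before single characters are touched.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u043e", "o"), ("\u0435", "e"),  # Cyrillic a, o, e
]


def domain_of(addr):
    """Return the lower-cased domain of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower().strip(".") if "@" in addr else ""


def split_from(from_header):
    """Split a From: value into (display name, mailbox address).

    The mailbox is whatever sits inside the final <...>; everything before
    it is the display name. A value with no angle brackets is a bare address.
    Nothing in the display name is trusted, which is the point of the check.
    """
    header = from_header.strip()
    m = re.search(r"<([^<>]*)>\s*$", header)
    if not m:
        return "", header
    return header[:m.start()].strip().strip('"'), m.group(1).strip()


def fold(domain):
    """Decode IDNA labels and fold homoglyphs so look-alikes compare equal."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(label)
    folded = unicodedata.normalize("NFKC", ".".join(labels))
    for glyph, plain in HOMOGLYPHS:
        folded = folded.replace(glyph, plain)
    return folded


def edit_distance(a, b):
    """Levenshtein distance, computed one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return (verdict, detail) for a From: header value.

    verdict is 'trusted', 'lookalike', 'display-name-spoof' or 'external'.
    """
    name, addr = split_from(from_header)
    domain = domain_of(addr)
    if domain and any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted", domain
    # The display name shows one of our addresses but the real mailbox is elsewhere.
    if domain_of(name) in trusted:
        return "display-name-spoof", addr
    for t in trusted:
        if fold(domain) == fold(t) or edit_distance(domain, t) <= 1:
            return "lookalike", t
    return "external", domain


if __name__ == "__main__":
    # Constructed sample headers, not real traffic.
    samples = [
        "Jane Doe <jane.doe@companya.com>",
        "Jane Doe <jane.doe@cornpanya.com>",
        "Jane Doe <jane.doe@companya.co>",
        "Jane Doe <jane.doe@comp\u0430nya.com>",
        "jane.doe@companya.com <invoices@mail-relay.example>",
        "Acme Vendor <billing@acme-vendor.example>",
    ]
    for h in samples:
        verdict, detail = classify_sender(h)
        print(f"{verdict:20} {detail:28} {h}")
```

Run as a filter over the From: values of incoming mail and route anything that is not "trusted" or "external" to a human before a wiring change is acted on. The distance-one rule produces false positives for legitimate domains that happen to sit one character from yours (note that the two constructed trusted domains above are one character apart from each other), so pair it with an allowlist of known counterparties rather than blocking outright.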
