CIRT-KY is issuing a public cybersecurity alert in response to an increase in wire transfer fraud by e-mail against Cayman Islands businesses and government entities. This type of payment fraud involves masquerading as, or compromising, a legitimate business e-mail account for the purpose of conducting an unauthorised wire transfer.
Actors use the compromised account or a spoofed account to send wire transfer instructions. The funds are then sent to other countries all over the world.
Wire transfer fraud usually involves the compromise or impersonation of an e-mail account belonging to a business’s CEO/CFO, in order to send an e-mail to an employee with the ability to conduct wire transfers. Other frauds involve the compromise of a vendor’s or supplier’s e-mail account with the intention of modifying the bank account associated with that vendor or supplier. The latter scheme may also be labelled vendor fraud and involves a last-minute change of the bank and account number for future payments.
Actors can compromise legitimate business e-mail accounts through social engineering or malware. They conduct reconnaissance to review the business’s legitimate e-mail communications and travel schedules. Actors can also auto-forward e-mails received by the victim to an e-mail account under their control. This reconnaissance stage lasts until the actor feels comfortable enough to send wire transfer instructions using either the victim’s e-mail account or a spoofed e-mail account controlled by the actor. The difference between the spoofed address and the legitimate business e-mail address is very subtle and can easily be overlooked.
The actors use multiple methods to ensure their e-mail communications succeed. In some instances, actors will create rules in the compromised business e-mail account that send all communications associated with the actor’s activity to the trash folder or to a hidden folder the victim is unaware of. A common theme in the CEO/CFO scheme is that the actors wait until the CEO/CFO is on official travel before sending wire transfer instructions, because the individual is then more likely to use e-mail for official business and it is harder to verify whether the transaction is fraudulent. These requests will sometimes state that the wire transfer relates to urgent or confidential matters and must not be discussed with any other company personnel.
How to Mitigate Your Risk
The key to reducing the risk from this type of cyber fraud is to understand the criminals’ techniques and deploy effective financial transaction/payment risk mitigation processes. There are various methods to reduce the risk of falling victim to this scam and subsequently executing a fraudulent wire transfer. Some of these methods include:
- Verify a change in payment instructions to a vendor or supplier by calling to verbally confirm the request (the phone number should not come from the electronic communication, but should instead be taken from a known contact list for that vendor);
- Maintain a file, preferably in non-electronic form, of vendor contact information for those who are authorized to approve changes in payment instructions;
- Limit the number of employees within a business who have the authority to approve and/or conduct wire transfers;
- Use out-of-band authentication to verify wire transfer requests that appear to come from executives. This may include calling the executive to obtain verbal verification, establishing a phone Personal Identification Number (PIN) to verify the executive’s identity, or sending the executive a one-time code by text message together with a phone number to call in order to confirm the wire transfer request;
- Require dual approval for any wire transfer request involving:
  - A dollar amount over a specific threshold; and/or
  - Trading partners who have not been previously added to a “white list” of approved trading partners to receive wire payments; and/or
  - Any new trading partners; and/or
  - New bank and/or account numbers for current trading partners; and/or
  - Wire transfers to countries outside of the normal trading patterns.
- CIRT-KY encourages victims of cyber crime to contact their local police station and CIRT-KY at *protected email*
- Timing is critical. If notified immediately, CIRT-KY and law enforcement can work with you to increase the chance of recovering the stolen funds and limiting further risk.
- When reporting, be prepared to provide a general description of this crime, how it occurred, losses experienced, and wiring instructions.
- MLROs and financial institutions’ compliance or anti-money-laundering teams should submit a Suspicious Activity Report (SAR) to the Financial Reporting Unit as required by law.
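The dual-approval triggers listed above can be enforced mechanically before a payment is released. The following is an added example, not code from CIRT-KY; the vendor register, the threshold value and the field names are assumptions constructed for illustration.

```python
"""Dual-approval policy check for wire transfer requests.

Added example, not from the CIRT-KY advisory. The threshold, the vendor
register and the request fields are assumptions constructed for illustration.
"""
from dataclasses import dataclass

DUAL_APPROVAL_THRESHOLD = 10_000.00  # assumed policy threshold (not from the advisory)


@dataclass
class Vendor:
    name: str
    approved: bool      # on the "white list" of approved trading partners
    accounts: set       # (bank, account) pairs previously paid
    countries: set      # countries this vendor is normally paid in


@dataclass
class WireRequest:
    vendor: str
    amount: float
    bank: str
    account: str
    country: str


def dual_approval_reasons(req: WireRequest, register: dict) -> list:
    """Return every policy trigger that applies; an empty list means a single
    approver suffices under this (assumed) policy."""
    reasons = []
    if req.amount > DUAL_APPROVAL_THRESHOLD:
        reasons.append("amount over threshold")
    vendor = register.get(req.vendor)
    if vendor is None:
        # No payment history to compare against, so account/country checks are moot.
        reasons.append("new trading partner")
        return reasons
    if not vendor.approved:
        reasons.append("partner not on approved list")
    if (req.bank, req.account) not in vendor.accounts:
        reasons.append("new bank/account number for current partner")
    if req.country not in vendor.countries:
        reasons.append("destination country outside normal trading pattern")
    return reasons


# Constructed sample register: two vendors with prior payment history.
REGISTER = {
    "Acme Supplies": Vendor("Acme Supplies", True, {("BankA", "111")}, {"KY", "US"}),
    "Globex": Vendor("Globex", False, {("BankB", "222")}, {"GB"}),
}
```

A request that yields no reasons follows the normal single-approver path; any non-empty result should route the payment to a second approver and prompt the out-of-band verification described above.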