Wire Fraud: How An Email Password Can Cost You $100,000

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Wire fraud is one of the most financially damaging threats to people and businesses today. Victims can lose hundreds of thousands of dollars in the blink of an eye.

What is wire fraud? Let’s start with the basics:

A wire transfer is an electronic transfer of funds between entities, usually a bank and someone else.Wire fraud utilizes this system to steal money. Typically, this is done by fooling a financial institution into wiring money to a fraudulent account.

The process often begins with the theft of personal data or email credentials, which means data security is paramount to preventing this threat.

Here’s an overview of wire fraud so you can better protect your business and clients.

Wire fraud grew 10x in 10 years
Three out of four attempts of any type of fraud involves a wire transfer, according to a report from Guardian Analytics.

This is not surprising given the size of the target. The amount of money transferred across telecommunications reached $600 trillion in 2012. When there is that much money in play, scammers will always look to take advantage.

Wire-fraud attacks have increased ten-fold since 2003, according to the Wall Street Journal, and they continue to evolve to better take advantage of security flaws.

Wire fraud tactics abound
Wire transfer fraud is a complex problem. Scammers can gather information and launch attacks in a dizzying number of ways.

Most attacks begin with the theft of a victim’s email credentials or enough personal data to impersonate the victim at a financial institution. The attacker then tricks the bank into wiring money to a fraudulent account and *poof*! The money is gone.

Attackers use methods such as malware, phishing, and social engineering to get information or email credentials. They then have an equally broad number of ways to approach the financial institution, as described in the report:

Defeat Out-of-Band Confirmation: In this scam, the attacker compromises an online bank account and removes security alerts and/or changes the contact information. Then the scammer can request a wire transfer and confirm his own request without the victim ever knowing.

Funeral Scheme: Once a victim’s email account is compromised, the attacker sends an email to the victim’s bank and requests funds for a funeral (or some other reason that earns sympathy). The attacker claims to be out of the country, so the bank sends a form to fill out, sign, and return. The attacker relies on the bank not carefully checking the signature before initiating the transfer.

Targeting Employees: Scammers can use a spear phishing attack to install malware on the computer of employees responsible for wire transfers at financial institutions.

From there, the scammer can initiate wire transfers of exorbitant sums to any bank account desired.

The number of ways that scammers can attack financial institutions and victimize individuals and businesses is not limited to these types, either. Scammers will always continue to innovate and develop new ways to take advantage of security flaws.

Spear phishing leads to wire fraud
Spear phishing is a common tactic attackers will use to initiate a wire fraud scheme.

Traditional phishing involves sending an enormous number of emails in hopes of catching a few fish. This approach has grown less effective in recent years due to growing awareness of what the emails look like, so attackers have moved on to a more targeted approach.

Spear phishing involves sending fewer, higher-quality emails to a narrower target. The emails appear to be from a trustworthy source by including personal information or other data acquired by the attacker.

Spear phishing emails are very effective. Their targeted nature gives them a boost in credibility with remarkably better results for attackers.

The emails attempt to lower the individual’s guard and often include a malicious link that, when clicked, compromises the individual’s machine with a trojan or virus. It can also attempt to get the person to reply with personal information.

Once an attacker receives enough information, he then uses it to attempt wire transfer fraud.