We recently had a situation with a client that involved the hacking of emails in order to steal money sent by wire transfer. It was different than any we had faced before because it involved the hacking of an actual external email account.
Previously, we have seen email scams where an email is sent to the CFO or financial manager at a client requesting a wire transfer. The email address that it comes from looks like the email address of the CEO or president of the client, but with subtle changes (e.g., instead of email@example.com it may say firstname.lastname@example.org). The scammer requesting the wire transfer is able to reply to emails because the address they use is real, just not the right one. They use this to fool the CFO or financial manager into thinking they are really emailing their own employers or bosses. Many of our clients now have protocols in place to keep these types of scams from working by requiring multiple users to be involved before a bank will authorize the transfer. For instance, the financial manager can send the transfer request to the bank, but the bank has to get authorization from the President or CEO before it is sent. The President or CEO will know they did not request the transfer, and the process will be stopped.
This new situation involved a real estate purchase with an out-of-state lawyer. The out-of-state lawyer’s email account had been compromised (or at least, that is what we think happened). All of the emails sent from my client to that lawyer were being intercepted and replaced with emails written by the criminals. When it came time to transfer the money, they replaced the document listing my client’s bank accounts with one listing their own bank accounts. The money was transferred, and then the criminals stalled my client with email responses that seemed to be coming from the out-of-state attorney. In the end, the process was stopped when my client called the out-of-state attorney directly and was told that the money had been transferred a while ago and should already be in their account. (It was a real estate purchase, so it was a fairly large sum of money.)
They discovered the fraudulent emails, and the banks and the FBI got involved. We were lucky, and the money was mostly recovered by the banks. According to the FBI, the criminals are likely Nigerian.
We realized at that time that our protocols protect money being sent out from a client, but do nothing to protect money being sent in. This particular client of mine has now added a new protocol for wire transfers being sent to them. They will still send the transfer information via email, but must follow that with a phone call or a fax so the information can be compared.
You can’t control the security of an outside organization that you do business with, and it wasn’t my client’s money that was being stolen. It was their seller’s, though, so I thought I would pass this information on to you. If you do a lot of business by wire transfer, you need to have protocols in place that protect you for both sending and receiving.