The Email Shell Game of Bank Transfer Fraud

November 10, 2022

Recently, we have been called upon to investigate and respond to a large number of cyber incidents where the victim organization has been defrauded of large sums of money. In each case, money meant for the victim, or as a payment from the victim to a service provider, has been “intercepted” and sent to an attacker’s account instead.

In our estimation, any organization could be targeted with this kind of attack, and likely will be targeted repeatedly.

In this post, I’ll describe how most of these attacks have been carried out to exploit flaws in your organization’s processes and procedures and discuss some measures that can be taken to mitigate the risk.

The attacks often begin with individuals targeted specifically for their potential role in financial transactions. With open-source intelligence research, as well as contact lists gathered from victims, emails can be crafted to elicit action (link-clicking, document opening) or credentials. Your user awareness training is of little use here. Bad grammar, spelling, and other typical “tells” of a phishing email won’t be present.

The attackers have done their homework on what your staff are expecting to see and respond to in an email. It may even come from a trusted contact if they have already been victimized in another incident.

Once they gain access to the target’s email account, the attacker may spend a considerable amount of time just reading. They’re looking to answer a few questions:

·       Is this user involved in Automated Clearing House Network (ACH) transactions?

·       Do they pay contractors, or service providers?

·       Do they bill clients?

·       Who else in the organization is involved in these transactions?

If the victim individual does not have the right level of access to your ACH processes, they will try to identify another person in your organization that does and leverage the intra-organizational email and relationships to gain access to the “right” email accounts to carry out their attack. The attacker will pick up on the “lingo” of your organization and the processes and procedures that are formally and informally followed to carry out a transaction.

The attacker wants to be able to craft emails and documents that pass muster when they want to interfere.

Attackers will set up themselves in the “middle” of your communications, by changing rules in your email system (such as “Inbox Rules” in Microsoft Exchange email systems) to redirect and hide email that might tip off the intended recipients to the attack. Now, they can hold email conversations, back and forth, with other users, clients, contractors, and service providers, without the victims being aware. They’ll use the same writing style, signature lines, and documents that the victim would normally use.

Once the attacker has gathered the intelligence needed to carry out the attack, it’s time to pull the trigger.

For one or more upcoming transactions, the attacker will use their access to convince others to change the banking account and routing numbers that should be used for payment. A client may be convinced that the organization has changed banks and submit an upcoming payment to the attacker’s account instead. Often, the attacker provides a discounted rate for immediate payment, to give the transaction a sense of urgency. The attacker may convince someone else in the target organization to send a payment to a contractor or service provider, again, with the attacker’s account information.

Once the money has been transferred, it is often difficult to recover and requires the intervention of law enforcement and expensive legal help.

Responding to the incident, with the legal, technical, and reputational costs involved, may overshadow the amount of the transfer itself. Individuals that are targeted in the organization may even face intense scrutiny or reputational damage as they are investigated for their potential part in the incident.

The preventative measures for this kind of attack are more procedural than technical.

While two-factor authentication, endpoint security, strong passwords, and user training may reduce your risk to some degree, the strongest defense against ACH fraud is human verification and intervention. All transfers, payments, and (especially!) additions or changes to account numbers should require in-person or voice verification.

By shoring up the security of your processes, you can prevent yourself from becoming the victim of (or playing a part in) this type of ACH fraud and identify compromised email accounts in your organization that need to be the subject of incident response and investigation.

by Wesley McGrew | Senior Cyber Fellow