The recent banking turmoil involving Silicon Valley Bank and Signature Bank sent shockwaves through technology firms globally as they scrambled to transfer their capital, secure payroll, and pay their bills.
However, this mass changeover in banking details is exactly the situation that breeds targeted cyberattacks. Although the swift intervention of The Federal Reserve, The Bank of England, HSBC and others helped calm the liquidity crisis, a cyber threat crisis is likely now brewing as threat actors spin up a host of impersonation attacks and campaigns. The Tessian Threat Intel Team has already seen dozens of SVB and HSBC-themed URLs registered, some of which are used to launch phishing campaigns.
What is Wire Fraud?
Also called “wire transfer phishing”, wire fraud is a type of social engineering attack that uses impersonation or business email compromise to trick the victim into transferring money to the attacker, typically by supplying new payment details backed by a plausible scenario.
Money, distraction, urgency
Bad actors are driven by money. And there is a lot of money at play with this crisis. The streaming firm Roku indicated it has about $487 million in deposits at SVB. They are likely making changes now to diversify where they deposit this money and, accordingly, updating wiring instructions to reflect these new banking relationships. In their Q4 Risk Insights index, Corvus Insurance indicated 28% of all claims in Q4 2022 were due to fraudulent funds transfers.
Threat actors relish the confusion and rapid changes that come with a crisis like this. The sheer number of updates to wiring instructions increases the chances that standard operating procedures around changing wiring instructions are ignored.
Common operating procedures around changing wiring instructions might include:
(a) verifying the authenticity of each request by calling the person (using a known, existing phone number, not one provided in a new email);
(b) implementing a call-back verification system for each vendor whenever wiring instructions are changed; and
(c) implementing dual control and multiple “eyes” on every wire change request.
Tessian is already seeing genuine email traffic related to changing wiring instructions and expects to see advanced attacks leveraging this crisis soon.
Finally, the scale of this crisis is huge and information about it is widespread. There are a large number of affected entities – Reuters published a list detailing not only the firms affected but their financial exposure – ensuring a target-rich environment for the bad guys.
Fraudulent (and genuine) wire transfers
The two most common attack vectors for fraudulent funds transfers are (1) impersonation attacks and (2) targeted phishing attacks. In an impersonation attack, the bad actor impersonates a person or company that is known to the organization. They will typically do this by registering a new domain name that is largely similar to the targeted company’s domain.
[Figure: Tessian stopping a lookalike threat]
In this example, the attacker registered a new domain name (salesciricle-receivables.com) which looks similar to salescircle.com. The attacker is reaching out to the finance department at Acme to request a change in bank accounts for future payments. Sophisticated attackers will conduct research using publicly available information (10-K annual reports, LinkedIn blog posts, LinkedIn connections to the CFO or accounts payable personnel, and any website mentions) to build a convincing approach.
A targeted phishing attack uses similar impersonation methods while attempting to gain access – either electronically, with a username and password, or via a socially engineered approach – in order to carry out a fraudulent funds transfer. In the example below, the attacker is impersonating a known, trusted domain and attempting to gain access to an accounts payable employee.
[Figure: Tessian stopping a potential phishing email]
Recommended next steps
Tessian’s Threat Engineering teams are monitoring our datasets closely for emergent threat signals and updating Tessian’s Global Threat Library and Behavioral Intelligence Model in response. Our existing Defender customers will automatically benefit from this protection. In addition, we are recommending the following steps to further protect our existing customers:
- Deployment hygiene: review your deployment coverage to ensure Defender’s protection is configured to apply to all mailboxes on all devices. Schedule a deployment health-check.
- Enable warnings for money requests: for additional protection, Defender Customers can leverage Defender’s Custom Protection to detect and warn users when an email “requests money”.
- Reinforce approval processes: work with your finance teams to revise and review your payment approval workflows, and consider adding an additional internal verification layer to account for the increased risk.
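The lookalike-domain impersonation described above (salesciricle-receivables.com posing as salescircle.com) and the “requests money” warning in the steps just listed can both be approximated with a small triage rule. This is an added example, not Tessian’s code or Defender’s detection logic; the vendor allow-list, the second vendor domain and the sample emails are constructed for illustration, and the lookalike check generalizes beyond the post’s single case to any one- or two-character typo of a known vendor’s brand, or reuse of that brand inside a longer domain.

```python
import re
from email.utils import parseaddr
from typing import List, Optional

# Constructed vendor allow-list: domains whose banking details finance has already verified.
# salescircle.com is the vendor named in the post; northwind-parts.com is hypothetical.
KNOWN_VENDOR_DOMAINS = {"salescircle.com", "northwind-parts.com"}

# Wording that usually accompanies a request to redirect where money is sent.
PAYMENT_CHANGE_RE = re.compile(
    r"\b(new|updated?|changed?|revised)\b.{0,40}?\b(bank|wir(e|ing)|account|routing|remit\w*|payment)\b"
    r"|\b(bank|wir(e|ing)|account|routing|remit\w*|payment)\b.{0,40}?\b(new|updated?|changed?|revised)\b",
    re.IGNORECASE | re.DOTALL,
)

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two domain labels (inputs are short, so plain DP is fine)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str) -> Optional[str]:
    """Return the known vendor domain that `domain` imitates, or None."""
    if domain in KNOWN_VENDOR_DOMAINS:
        return None
    for vendor in KNOWN_VENDOR_DOMAINS:
        brand = vendor.split(".")[0]                              # "salescircle"
        for token in re.split(r"[-_]", domain.split(".")[0]):     # "salesciricle", "receivables"
            # exact brand reuse (salescircle-receivables.com) or a 1-2 character typo on a long brand
            if token == brand or (len(brand) >= 6 and levenshtein(token, brand) <= 2):
                return vendor
    return None

def triage(from_header: str, body: str) -> List[str]:
    """Reasons an email needs an out-of-band call-back before any bank detail is changed."""
    domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    vendor = lookalike_of(domain)
    reasons = []
    if vendor:
        reasons.append(f"sender domain {domain} imitates known vendor {vendor}")
    if PAYMENT_CHANGE_RE.search(body):
        reasons.append("message asks to change payment or banking details")
        if domain not in KNOWN_VENDOR_DOMAINS:
            reasons.append("payment change requested from an unverified domain")
    return reasons
```

A genuine vendor asking to change its bank details still returns one reason, which is the point: the post’s call-back procedure applies to every change request, not only to suspicious senders. The brand extraction uses the first label only, so a production version would resolve the registrable domain with a public-suffix list.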
How Tessian stops wire fraud attacks
Built ready: The SVB crisis and other events like this are exactly the sort of thing Tessian was built to handle. Tessian covers fraudulent fund transfer attacks and other scenarios that are difficult to detect and that are often missed by legacy email security tools. Tessian is built to detect and prevent any variations of wire fraud attacks.
[Figure: Tessian stops wire fraud attacks]
Spotting imposters: Tessian catches thread hijacking attempts by looking for subtle indications of domain spoofing and small changes in behavior that suggest the sender isn’t who they say they are.
Custom protection: All Tessian customers have access to an additional layer of protection that allows them to educate users at the point of receiving a suspicious email, including those involving fraudulent funds transfers. Defender’s Custom Protection gives organizations an additional layer of security by alerting users when an email triggers specified conditions. This provides further fine-tuning around threats specific to your organization or to specific groups within your organization.
[Figure: How to configure Defender]
Proactive defense: As this situation evolves, Tessian’s Threat Engineering Team is closely monitoring incoming emails for new phishing tactics and upward trends in existing ones, continuously improving the breadth and accuracy of the protection we provide to our customers. Our threat intelligence team can also respond to new phishing campaigns in a matter of minutes by updating our global threat library, ensuring that all of our customers are protected against malicious sender domains and URLs.
Guidance: While we may see more basic attacks leveraging the SVB crisis initially, threat actors will quickly evolve in sophistication to take advantage of the sheer volume of wire changes occurring and target organizations more precisely. Legacy email security tools that rely on rules and policies are more likely to miss these attacks or to report large numbers of false positives. Tessian’s guidance to our customers and anyone else is to expect a significant uptick in both the volume and the quality (more convincing) of attacks on your employees over the coming weeks and months.
See Defender in action (video) or request a free trial of Tessian to start detecting wire fraud attacks today.