Wire transfer phishing costs businesses billions of dollars every year — and the problem is only getting worse. That’s why business leaders and security experts are increasingly worried about this damaging form of cybercrime.

In this article, we’ll be answering the following questions:

• What is wire transfer phishing?
• How does wire transfer phishing compare to other social engineering attacks?
• How can your business defend against wire transfer phishing?

We’ll also be taking a look at one of the biggest cybercrimes in history — a sustained wire transfer phishing scam against Google and Facebook.

What is wire transfer phishing?

How wire transfer phishing works

Like other types of social engineering attacks, cybercriminals use a number of different methods to carry out wire transfer phishing against businesses and individuals. But, we can offer a “typical” example of this kind of attack. Imagine you’re an employee in a company’s accounts department. You routinely receive email invoices from suppliers, contractors, and service providers.

One morning, you get an email from Jane at IT Maintenance — someone who has emailed invoices regularly for the past five years. As always, Jane is friendly. She provides a normal-looking invoice for some computing services your company uses regularly.

You pay the invoice in the usual way, using the bank account details provided. But you didn’t realize that Jane’s email address was subtly different this time — instead of the usual jane@itmaintanance.com, the email came from jane@itmainetance.com.

You just fell victim to a wire transfer phishing attack — and paid money into a cybercriminal’s account. Can you spot the difference in the email addresses? This is just one example of email impersonation.

Wire transfer phishing vs. other types of phishing

There are many types of phishing. But they all have one thing in common: the hacker is trying to trick targets into handing over information, transferring money, or granting access to networks.

Wire transfer phishing aims to trick the victim out of money by persuading them to transfer money into the attacker’s bank account. Below are other types of phishing motivated by a financial incentive.

• Credential phishing involves creating a fake website designed to look like an account login page. The target believes they are logging into an online account. But in fact, they are sending their username and password to the attacker.
• Payroll diversion is where a scammer impersonates an employee and provides new bank details to an HR department.
• Gift card phishing involves persuading the target to purchase gift cards or make a payment via gift cards.

But there are plenty of other “types” of phishing. While phishing typically refers to an email-based social engineering attack — 96% of phishing attacks occur via email – hackers can use other methods of delivery, too.  For example:

• Smishing is a type of phishing that takes place via SMS message.
• Vishing takes place over phone or Voice over IP (VoIP) software.
• Social media phishing takes place over social media platforms.

Wire transfer phishing could occur via SMS, phone, or social media — but email is much more common. For more information, see our article: Smishing and Vishing: What You Need to Know. Some types of phishing are defined by how they target victims. For example:

• Spear phishing is any phishing attack that targets a specific individual. A spear-phishing email opens with “Dear [name],” whereas a bulk, “spray and pray” phishing attack addresses no-one in particular.
• Whaling is any phishing attack that targets a senior executive. High-profile targets typically have easier access to bigger funds.
• Business email compromise (BEC) involves spoofing or hacking a company email account (for example, markzuckerberg@facebook.com).

Wire transfer phishing is very likely to involve spear phishing. After all, you’re not very likely to hand over money to an individual that doesn’t even use your name. Business email compromise and whaling also usually involve wire transfer phishing. Keep reading to find out just how much business lost (and hackers gained).

Wire transfer phishing statistics

Businesses and banks are continually investing in new defenses against phishing. Some of these strategies work, and they are making a positive impact. But due to the increasing volume and sophistication of such scams, businesses are losing more money than ever.

• Between June 2016 and July 2019, FBI statistics show that wire transfer fraud via BEC occurred 166,349 times, and cost businesses over $26 billion.
• In 2019, the number of bank transfer phishing scams occurring in the UK increased by 40%.
• In 2017, the FBI received 15,690 complaints about BEC (primarily involving wire transfer), resulting in over $675 million in losses. In 2019, this increased to 23,775 complaints and over $1.7 billion in losses.

Defending against wire transfer phishing

Business and cybersecurity leaders understand that wire transfer phishing is a severe threat — and they take steps to defend against it.

Recognizing wire transfer scams

Recognizing wire transfer scams can be extremely difficult. But, even the least sophisticated scams share some hallmarks, including:

• A sense of urgency — The person requesting a fraudulent transfer will often claim that the money is needed immediately or threaten late payment fines.
• Unsolicited contact — If you receive a request for money from a company you’ve never dealt with, this is likely to be a phishing scam (of very poor quality).
• Unprofessional communication — Phishing emails might be written in an unprofessional tone or contain grammatical errors.

These traits are rarely present in successful wire transfer attacks, which can involve impersonations of specific people and careful recreation of invoices that appear identical to genuine documents.

If you’re a security leader who’s trying to help your employees spot spear phishing attacks, this article (and infographic) will help: What Does a Spear Phishing Email Look Like? Training can help, too.

Running employee training programs

It’s essential to make your employees aware of wire transfer phishing and other security threats. But employees should never be the last line of defense.

Phishing techniques have become so sophisticated that even the most tech-savvy employees can miss them (including the NSCS’s cybersecurity experts). Humans aren’t good at recognizing subtle changes in behavior and identity — no matter how much training they receive. That’s why email security is essential.

Interested in learning more about the pros and cons of phishing awareness training.

Implementing email security software

The best way to stop wire transfer phishing is to deploy email security software across all employee devices. Tessian Defender, for example, uses AI to learn your employees’ inboxes inside-out. Tessian knows what a “normal” email looks like — so it knows when a wire transfer phishing scam is occurring.

Tessian can pick up on the tiny differences in email addresses that indicate spoofing. It can even detect behavioral changes that suggest that the sender isn’t who they say they are — and that their email has been compromised.

Once detected, employees are warned (which reinforces training), security teams are alerted, and the domain is automatically added to a denylist. Crisis averted.

Validating payments

In addition to deploying email security software and increasing staff awareness, your finance team should take steps to validate wire transfers before making payments. For example:

• Keeping careful (and secure) records of vendors’ bank details
• Verifying payments over the phone where practical
• Contacting the payee directly where there are any concerns

These validation processes are important, but they can take time and resources — and they’re far from foolproof, as we’ll see below.

Case Study: Facebook and Google $121 Million Wire Transfer Scam

To help you better understand how wire transfer phishing works, let’s take a look at a real-life example. In 2019, a Lithuanian national named Evaldas Rimasauskas appeared in court in New York. Rimasauskas pleaded guilty to participating in the biggest phishing scam in history and received a 5-year prison sentence.

Between 2013 and 2015, Rimasauskas and his associates used wire transfer phishing to scam Facebook and Google out of around $121 million. So how did this team of cyber-criminals trick two of the world’s largest tech companies into giving up so much cash?

First, the group set up a company with the same name as a genuine Taiwanese computer manufacturer that supplied Facebook and Google with hardware — “Quanta Computer.” Rimauskas set up bank accounts in the company’s name across Latvia and Cyprus.

The scammers then emailed Facebook and Google employees from fake spoof accounts, pretending to be Quanta Computer employees. These emails were convincing enough to persuade the tech firms’ staff to pay invoices into Rimasauskas’ fake bank accounts.

Once the cybercriminals had received payments from Facebook and Google, they quickly transferred the money to a network of accounts across Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.

How did the group get away with making such substantial transfers for so long? Didn’t the receiving banks question where this money was coming from? Well, the group also created fake invoices, contracts, and letters — purportedly from the tech firms’ employees — to verify the transfers.

What can we learn from the Rimasauskas case?

• Even employees at well-resourced, tech-oriented firms can fall victim to wire transfer phishing.
• As well as impersonating people you know, scammers can set up companies with the same names as your service providers.
• Banks can’t be relied upon to prevent fraudulent wire transfers.

It’s hard to deny the cleverness of Rimasauskas’ scheme. If Facebook and Google — two of the wealthiest companies on the planet — can lose $121 million this way, then any company could fall victim to a similar scam.

To learn more about how Tessian can detect and prevent wire transfer phishing attacks and other advanced impersonation attacks, book a demo. Or, for insight into how we’re helping world-learning organizations, check out our customers page.