Forensic Discovery

The Art of Wire Fraud Transfer Scams through Email Conversation Hijacking

It is becoming increasingly common for corporations to fall victim to scams in which they unintentionally wire large sums of money to the wrong recipient, or in which a company that owes them money is tricked into sending the funds to someone else. These scams usually start with a compromised email account, obtained through phishing or a reused password, and are carried out by hijacking an existing email conversation. The attacker needs little time or resources: the whole operation is often a few hours of work spread over a week.

How does the scam work?

  • The wire fraud scam usually begins when an attacker gains access to an email account that contains correspondence about a pending financial transaction. Employees at business-to-business (B2B) firms are frequent targets because the invoices involved are large, typically exceeding $100k. Once an account that is part of a pending invoice thread is compromised, anyone in that email chain can fall victim to the scam.

How does a hacker gain access to an employee’s email account?

  • Same password used on multiple sites: Data breaches are unfortunately common and have hit many popular websites, including LinkedIn, Adobe, Marriott International, Twitter, and Facebook. Credential lists assembled from these breaches contain millions of email addresses and passwords, are posted online, and can be downloaded by anyone. If an employee uses the same password for their work email as for another site, the breached password can simply be tried against the employee's work email account (a technique known as credential stuffing).
  • Email phishing: Employees often receive an email from someone they believe is a client or co-worker, asking them to view a document. The email contains a link to a login page where they are asked to enter their work Microsoft 365 (MS365) or Google Workspace (formerly Google Apps) credentials to verify their identity. That page is a phishing site: by entering their credentials, employees unknowingly hand the attacker access to their email and company documents. Multi-factor authentication on the mailbox blunts both of these techniques, although phishing pages that relay the second factor in real time do exist.

What does a hacker do once they have access to a company employee’s email account?

  • The process begins with the cybercriminal searching their credential lists for every email-and-password pair that appears to belong to a particular company. They then test each combination against the company's email service, either with an automated tool or by hand.
  • Suppose the hacker gains access to Bob the salesperson's email account (bob@gogobuildingsupply.com) because Bob used the same password for his online sales training account at salestrainingvideos.com. The hacker then searches the mailbox for everything related to the company's open invoices or, in other cases, payments the company owes to others. Typically this is a thread with prior correspondence in which the person who will make the payment is included. In this case, they find a thread with the subject line "Invoice 0456: Construction Supplies"; the invoice, for $500k, had been sent two weeks earlier.
  • To impersonate the company, the hacker can send from the compromised mailbox itself, but more often registers a new domain name that looks very similar to the real one. For example, if the real address is bob@gogobuildingsupply.com, the hacker registers gogobuildingsupplies.com and creates bob@gogobuildingsupplies.com so that recipients mistake it for the real address. From that address the hacker starts a new thread with the same subject line, "Invoice 0456: Construction Supplies", copying the earlier messages so that it reads as a continuation of the real conversation.
  • In the earlier messages Bob had requested payment; in the new message the hacker informs the recipient of a new bank account and routing number for that payment. We refer to this as "email thread hijacking". The hacker removes everyone from gogobuildingsupply.com who was previously on the conversation and communicates directly with the client, who unknowingly pays the $500k into the hacker's account. Neither Bob nor gogobuildingsupply.com learns of this until it is usually too late.
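The hijacked thread above has two tells that can be checked mechanically: the sender's domain merely resembles a vendor you actually pay, and the message changes payment details while the real vendor's people have been dropped from the thread. The following is an added example of such a check; it is not the page's or Forensic Discovery's own tooling. The KNOWN_DOMAINS list, the 0.2 edit-distance ratio, and the sample thread (which mirrors the Invoice 0456 story) are constructed assumptions.

```python
# Added example (not the page's or Forensic Discovery's own tooling): flag the two
# tells of a hijacked invoice thread, a sender domain that only resembles a vendor
# you pay, and a message that changes payment details with the vendor dropped.
# KNOWN_DOMAINS, the distance threshold and SAMPLE_THREAD are constructed.
import re
from dataclasses import dataclass

KNOWN_DOMAINS = {"gogobuildingsupply.com"}   # assumed: vendors whose invoices you pay
MAX_DISTANCE_RATIO = 0.2                     # edits / length; "supplies" vs "supply" is 3/24

# "new bank account", "updated wire instructions", "changed routing number", ...
BANK_CHANGE = re.compile(
    r"\b(new|updated|changed)\b.{0,40}\b(bank|account|routing|wire)\b", re.I | re.S)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a few-letter lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def lookalike_of(domain: str, known=KNOWN_DOMAINS):
    """Return the known domain that `domain` imitates, or None if it is known or unrelated."""
    if domain in known:
        return None
    for k in known:
        if edit_distance(domain, k) / max(len(domain), len(k)) <= MAX_DISTANCE_RATIO:
            return k
    return None


@dataclass
class Message:
    sender: str
    recipients: tuple
    subject: str
    body: str


def triage(thread):
    """Return (message index, reason) findings for one email thread."""
    findings = []
    for i, m in enumerate(thread):
        sender_domain = domain_of(m.sender)
        imitated = lookalike_of(sender_domain)
        if imitated:
            findings.append((i, f"sender domain {sender_domain} imitates {imitated}"))
            # The hijacker drops the real vendor's people from the thread.
            if not any(domain_of(r) in KNOWN_DOMAINS for r in m.recipients):
                findings.append((i, f"no one from {imitated} left on the thread"))
        if BANK_CHANGE.search(m.body):
            findings.append((i, "message changes payment details"))
    return findings


# Constructed sample thread mirroring the page's Invoice 0456 scenario.
SAMPLE_THREAD = [
    Message("bob@gogobuildingsupply.com", ("ap@client.example",),
            "Invoice 0456: Construction Supplies",
            "Please find attached invoice 0456 for $500,000, due in 30 days."),
    Message("bob@gogobuildingsupplies.com", ("ap@client.example",),
            "RE: Invoice 0456: Construction Supplies",
            "We have a new bank account and routing number for this payment; details below."),
]

if __name__ == "__main__":
    for index, reason in triage(SAMPLE_THREAD):
        print(f"message {index}: {reason}")
```

The ratio threshold rather than a fixed edit count matters here: "gogobuildingsupplies.com" is three edits from the real domain, which a naive "at most two typos" rule would miss, while a swapped top-level domain (gogobuildingsupply.co) is still caught. Any hit on the payment-details check should be confirmed by phone with a number already on file, never one taken from the suspicious email.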

What are the next steps?

  • First, contact the bank the funds were wired from and ask it to initiate a recall with the receiving bank (a SWIFT recall for international wires). This must happen within a very short window after the funds were sent; if it is not done within a day or two at most, there is a good chance the money is gone for good. In the US, file a complaint with the FBI's IC3 at the same time, since its recall process for international wires also depends on being notified within a few days.
  • An investigation needs to start as soon as possible. See the investigation goals below. This is where Forensic Discovery can help.
  • Each company needs to reach out to its clients and vendors to determine whether any of them have been approached for payment on its behalf.
  • Attempt to negotiate repayment of the funds by the insurance carrier or by the party that was at fault.

What are the important goals of the investigation?

  • Historic: Determine the timeline of events that led up to the wire fraud.
  • Intrusion: Determine whether anyone had their email account or computer compromised and, if so, how and when. Sign-ins from unfamiliar locations and mailbox rules or forwarding settings the user did not create are the usual evidence.
  • Access: Determine what other company resources, data, documents, accounts, and emails were accessed.
  • Additional incident response and remediation: Determine whether there are any ongoing threats in the company and mitigate them.
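To make the timeline, intrusion and access goals above concrete, here is an added example (not the page's or Forensic Discovery's own tooling) that sorts Microsoft 365 audit-log style records into a timeline, flags sign-ins from outside the office, inbox rules that hide invoice mail, and everything the intruder's address then touched, and reports the earliest compromise per user. The log lines, the office IP range 203.0.113.0/24 (a documentation range), and the flattened "Parameters" layout are constructed assumptions, not a real export.

```python
# Added example (not the page's or Forensic Discovery's own tooling): build the
# timeline and flag compromise indicators from Microsoft 365 audit-log style records.
# The records, the office IP range and the simplified "Parameters" layout are
# constructed assumptions, not a real export.
import ipaddress
import json
from datetime import datetime

CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office egress range
SUSPECT_RULE_WORDS = ("invoice", "payment", "wire", "bank")

# Constructed newline-delimited JSON in the shape of a unified audit log export.
SAMPLE_LOG = """\
{"CreationTime":"2024-03-04T08:12:09","Operation":"UserLoggedIn","UserId":"bob@gogobuildingsupply.com","ClientIP":"203.0.113.25"}
{"CreationTime":"2024-03-05T02:41:55","Operation":"UserLoggedIn","UserId":"bob@gogobuildingsupply.com","ClientIP":"198.51.100.77"}
{"CreationTime":"2024-03-05T02:44:10","Operation":"New-InboxRule","UserId":"bob@gogobuildingsupply.com","ClientIP":"198.51.100.77","Parameters":{"Name":".","SubjectContainsWords":"invoice","DeleteMessage":"True"}}
{"CreationTime":"2024-03-05T02:50:31","Operation":"MailItemsAccessed","UserId":"bob@gogobuildingsupply.com","ClientIP":"198.51.100.77"}
{"CreationTime":"2024-03-06T09:03:00","Operation":"UserLoggedIn","UserId":"bob@gogobuildingsupply.com","ClientIP":"203.0.113.25"}
"""


def parse_log(text):
    """Parse the records and sort them by time: the historic/timeline goal."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:
        r["_ts"] = datetime.fromisoformat(r["CreationTime"])
    return sorted(records, key=lambda r: r["_ts"])


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def flag_records(records):
    """Return (timestamp, user, reason) findings: sign-ins from outside the office,
    inbox rules that hide invoice mail, and every later action from the intruder's
    address (the intrusion and access goals)."""
    findings = []
    intruder_ips = set()
    for r in records:
        ip, user, op = r.get("ClientIP"), r["UserId"], r["Operation"]
        if op == "UserLoggedIn":
            if ip and not is_corporate(ip):
                intruder_ips.add(ip)
                findings.append((r["_ts"], user, f"sign-in from non-corporate address {ip}"))
            continue
        if op == "New-InboxRule":
            p = r.get("Parameters", {})
            words = str(p.get("SubjectContainsWords", "")).lower()
            hides = p.get("DeleteMessage") == "True" or bool(p.get("MoveToFolder"))
            if hides and any(w in words for w in SUSPECT_RULE_WORDS):
                findings.append((r["_ts"], user, f"inbox rule hides messages matching '{words}'"))
        if ip in intruder_ips:
            findings.append((r["_ts"], user, f"{op} from intruder address {ip}"))
    return findings


def first_compromise(records):
    """Earliest non-corporate sign-in per user: the 'when did it happen' answer."""
    first = {}
    for r in records:
        ip = r.get("ClientIP")
        if r["Operation"] == "UserLoggedIn" and ip and not is_corporate(ip):
            first.setdefault(r["UserId"], r["_ts"])
    return first


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ts, user, reason in flag_records(recs):
        print(f"{ts.isoformat()}  {user}  {reason}")
    print("first compromise:", {u: t.isoformat() for u, t in first_compromise(recs).items()})
```

Against the constructed log this yields the intruder's first sign-in at 02:41, a rule that deletes anything with "invoice" in the subject three minutes later (so Bob never sees the client's replies), and the mailbox reads that followed. On a real tenant the records come from a unified audit log export and the corporate ranges from the network team; the same logic applies once the field names are mapped.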

What typically results from an investigation?

  • Recover funds through an insurance claim: The investigation identifies the party at fault, which supports recovery of the funds from an insurance carrier.
  • Negotiation with the client: Once the party at fault is identified, they are asked to cover the lost funds. If both parties appear to be at fault, or the investigation cannot determine who is at fault, the loss is typically split.

If your company has been a potential victim of a wire transfer scam, reach out to one of our experts today to discuss your options.

Book a Free Computer Forensics Consultation Today

To schedule a free computer forensics consultation for your law firm or business, contact Forensic Discovery online or call us at 877-764-0920. Our certified computer forensics experts have helped thousands of clients throughout the country retrieve and preserve digital evidence from our offices in Arizona, California, Colorado, and Texas.
