Verizon's RISK Team investigative response liaison replied, “It happens all the time. Threat actors use social engineering tactics to fool someone into processing a fraudulent wire transfer.”
“I thought, sure, it happens all the time, but this couldn’t possibly happen to us. After all, as the CIO, I provide written approval for all wire transfer transactions within our organization. I was confident we had enough checks and balances in place to avoid fraud occurring,” the CIO said in the report.
One day the finance director came to the CIO’s door with a manila folder in hand. She proceeded to say that as part of a monthly audit, the finance department was missing an international tax form for a wire transfer that had occurred three weeks prior. This missing form had prompted her to request it from the accountant who originally submitted the request for the wire transfer.
“When she asked him for the form, he could not recall the details of the transfer. Since I had approved the transfer, she thought she would ask me if I could offer some assistance in ‘jogging his memory,’” the CIO said.
As part of the company’s wire transfer process, the accounting team must first email an invoice to the CIO containing the company name, services provided, bank account information and invoice amount. The CIO reviews the invoice and replies by email with an “approve” or “deny.” If approved, the accountant then forwards the email, invoice and tax form (if applicable) to the Wire Transfers Department. This department then reviews the information for accuracy and processes the wire transfer.
In this case, with the exception of the accompanying tax form (which isn’t required immediately upon completing the wire transfer), all of these steps had taken place. The CIO, however, also could not recall providing the approval for this wire transfer. The finance director showed the CIO the email in which he approved another wire transfer to the same bank account just three days prior to the one in question.
“We weren’t talking chump change here: This was a significant amount of money, like buying a Rolls-Royce Phantom in a couple of different colors kind of money,” the CIO said.
The RISK Team examined the email header information and confirmed that the wire transfer request did come from the accountant’s internal corporate email address. However, they noticed that the purported CIO’s email address was off by one character and, Verizon explained, originated from an external email service. The RISK Team confirmed someone had registered a domain very similar to their client's just a few days before the wire transfer emails were sent.
“We now knew how the threat actor was able to provide the approval email, but I still wanted to know how the emails originated from the accountant’s corporate email account,” the CIO said.
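The header check that exposed the forged approval, a sender address one character off the corporate one, can be run automatically on every approval email. The Python below is an added example, not part of the Verizon report or this article; the domain `corp.example`, the function names and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "corp.example"  # assumption: the organisation's real mail domain

def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # adjacent transposition, e.g. "copr" vs "corp"
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(raw_message, corp_domain=CORP_DOMAIN):
    """Label the From: domain as 'internal', 'lookalike' or 'external'.

    'internal' only means the domain string matches; it does not prove the
    message was authenticated (that needs SPF/DKIM/DMARC results).
    """
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain == corp_domain:
        return "internal"
    if domain and edit_distance(domain, corp_domain) <= 1:
        return "lookalike"  # one character off: hold the approval for review
    return "external"

# Constructed sample approval emails (not taken from the incident).
GENUINE = "From: CIO <cio@corp.example>\nSubject: RE: Invoice\n\napprove\n"
FORGED = "From: CIO <cio@c0rp.example>\nSubject: RE: Invoice\n\napprove\n"
VENDOR = "From: Billing <ar@vendor.example>\nSubject: Invoice\n\nattached\n"

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED), ("vendor", VENDOR)):
        print(name, "->", classify_sender(raw))
```

A `lookalike` result on an approval message is a reason to confirm the approval through a second channel before the wire transfer is processed.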