Hacked and phished email accounts increasingly are serving as the staging grounds for bank fraud schemes targeting small businesses. The scams are decidedly low-tech and often result in losses of just a few thousand dollars, but the attacks frequently succeed because they exploit existing trust relationships between banks and their customers.
Last month, scam artists hijacked private email accounts belonging to three different customers of Western National Bank, a small financial institution with seven branches throughout Central and West Texas. In each case, the thieves could see that the victim had previously communicated with bank personnel via email.
The attackers then crafted the following email, sending it to personnel at each victim’s respective local WNB bank branch.
Can you please update me with the the available balance in my account and also the information needed to complete an outgoing wire transfer for me today,i am on my way to my nephew funeral service but i will check my mail often for your response.
Wade Kuehler, an executive vice president at WNB, said bank personnel followed up on two of the requests, ignoring the request not to contact the customer via phone. In both cases, the customers were grateful for the contact, saying they had not sent such a request.
But the thieves struck paydirt with the third attempt, when a sympathetic associate at the bank responded to the message with the requested balance information. The follow-up email from the thieves included instructions to wire money to an account at another bank, and the assistant helpfully processed the transfer.
Kuehler said WNB assumed responsibility for the loss, which he would describe only as “small,” and that the employee had been disciplined. “This particular customer did have [an email history] with an account officer who was doing what she believed is her job: Taking care of customer.”
Kuehler added that he’s heard from other banks — particularly other small and regional institutions — that have also been the subject of such attacks recently.
“The common thread is these are legitimate e-mail accounts that have been hacked,” he said. “The hacker then e-mails anyone in the address book that appears to be associated with a bank.”
JB Snyder, principal and CEO at Bancsec, a company that specializes in network security and penetration testing for banks, said these attacks — even ones as sloppily executed as the email above — work because they target the world’s oldest and most reliable security vulnerability: exploiting trust relationships, a.k.a. “social engineering.”
“The wild thing is that even this hokey scheme works enough to be profitable,” Snyder said. “We’ve proven this with similar vectors. The bottom line is that a giant percentage of today’s business is conducted via email alone without further verification, so the possibilities are endless.”
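The one control that defeated two of the three attempts above was a phone call to the customer at a number the bank already had. As an added example (not code from the article, from WNB, or from Bancsec), the following Python triage script shows how a branch could flag inbound customer emails that ask for balance or wire details and route them to an out-of-band callback. The cue patterns and the policy encoded in requires_callback are assumptions chosen for this example; the "scam" message in the constructed sample inbox is the email quoted in the article, the other two messages are invented.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Pattern

# Cue patterns are assumptions chosen for this example, not a vendor rule set.
# A "sensitive request" is anything that should never be fulfilled on the
# strength of an email alone; "pressure cues" are the social-engineering
# levers seen in the WNB message: urgency, a reason not to phone, a hardship.
SENSITIVE_REQUEST: Dict[str, Pattern] = {
    "asks_for_balance": re.compile(r"\b(?:available\s+)?balance\b", re.I),
    "asks_for_wire": re.compile(r"\bwire(?:\s+transfer)?\b", re.I),
}
PRESSURE_CUES: Dict[str, Pattern] = {
    "urgency": re.compile(
        r"\b(?:today|asap|as soon as possible|urgent(?:ly)?|immediately)\b", re.I),
    "avoids_phone": re.compile(
        r"(?:can'?t|cannot|unable to)\s+(?:take|receive|answer)\s+(?:any\s+)?(?:calls?|the phone)"
        r"|\bdo\s*n[o']t\s+call\b"
        r"|\b(?:via|by|through)\s+e-?mail\s+only\b"
        r"|\bcheck my (?:e-?)?mail\b", re.I),
    "hardship_pretext": re.compile(
        r"\b(?:funeral|hospital|surgery|travell?ing|out of (?:the )?country|abroad)\b", re.I),
}


@dataclass
class Assessment:
    sensitive: List[str] = field(default_factory=list)
    pressure: List[str] = field(default_factory=list)

    @property
    def requires_callback(self) -> bool:
        # Policy (an assumption for this example): any emailed request for a
        # balance or for wire details is verified by calling the customer at the
        # number already on file, never at a number supplied in the email.
        # Pressure cues raise the score but never remove the callback.
        return bool(self.sensitive)

    @property
    def risk_score(self) -> int:
        return len(self.sensitive) + len(self.pressure)


def assess(body: str) -> Assessment:
    """Classify one inbound customer email body by the cues it contains."""
    text = " ".join(body.split())  # collapse whitespace so phrases match across line breaks
    return Assessment(
        sensitive=[name for name, rx in SENSITIVE_REQUEST.items() if rx.search(text)],
        pressure=[name for name, rx in PRESSURE_CUES.items() if rx.search(text)],
    )


def triage(messages: Dict[str, str]) -> Dict[str, Assessment]:
    """Assess a batch of {message_id: body} and return assessments keyed by id."""
    return {msg_id: assess(body) for msg_id, body in messages.items()}


# Constructed sample inbox. "scam" is the message quoted in the article;
# "routine" and "balance_only" are invented customer emails.
SAMPLE_INBOX = {
    "scam": ("Can you please update me with the the available balance in my account and also "
             "the information needed to complete an outgoing wire transfer for me today,i am on "
             "my way to my nephew funeral service but i will check my mail often for your response."),
    "routine": ("Thanks for the meeting yesterday. The signed signature card is attached; "
                "let me know if anything else is needed before Friday."),
    "balance_only": "Could you confirm the balance on my checking account when you get a chance? No rush.",
}

if __name__ == "__main__":
    for msg_id, result in triage(SAMPLE_INBOX).items():
        action = "CALL CUSTOMER ON FILE BEFORE ACTING" if result.requires_callback else "no callback needed"
        print(f"{msg_id:13s} score={result.risk_score} {action} cues={result.sensitive + result.pressure}")
```

The point of the design is that the callback decision depends only on what is being asked for, not on how convincing the email sounds: a polite, well-written wire request from a genuinely hijacked mailbox would carry no pressure cues at all, so the score is advisory and the callback is the control.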
Email accounts typically are hijacked in one of three ways: through phishing, malware or via brute-force password guessing/reset attacks. To sidestep phishing attacks, avoid clicking links in email (booby-trapped links also frequently lead to malware), and only log in to accounts after loading the login page from a local browser bookmark. Krebs’s 3 Basic Rules for Online Safety keep most users out of trouble with malware. For some tips on picking strong passwords, check out this primer.