Australian businesses targeted by internal wire transfer email scam
21 October 2014
Businesses and employees should be aware of a highly targeted and convincing phishing scam targeting individuals in Australian organisations with financial sign-off, such as the Chief Financial Officer (CFO).
The email typically appears to have been sent by another senior executive within your own organisation, such as the Chief Executive Officer (CEO) enquiring about, or requesting, a wire transfer of money to an international bank account.
The emails are well crafted, and use individuals’ names and, in some cases, nicknames or colloquialisms to appear genuine.
This is a well organised scam involving research and planning to obtain and mimic the names and details of senior staff with financial responsibility.
Examples of the emails include:
From: Senior Executive’s Name senior.executive[at]victim-company.com.au
Subject: Important Request

<CFO’s first name>,
Per our conversation, I have attached the instruction for the wire. Let me know when sent.
Thanks
<CEO’s first name, or abbreviated first name>
<A PDF with wire transfer bank details may be attached>

From: Senior Executive’s Name senior.executive[at]victim-company.com.au
Subject: Wire Transfer

Hello <CFO’s first name>,
Can you please email me the details you will need to help me process an outgoing wire transfer to another bank. Please kindly note that I can't take calls right now due to meetings, therefore, I will appreciate swift email correspondence.
Hope I am not bothering you too much with this?..
The Reply-To address will also usually carry the senior executive’s name, but point at an unrelated address: an official-looking company address (or a misspelt version of it), or a free webmail domain such as Hotmail, Gmail or AOL.
CERT Australia reports that numerous Australian businesses have been targeted by this scam. Individuals who have responded to the email have received requests for transfer amounts between a few thousand and more than a million dollars, depending on the size of their organisation.
CERT Australia recommends the following:
Alert employees to be vigilant with regard to these incidents, especially those conducting or authorising wire transfers or similar financial instruments.
Do not reply to the email.
Sender Policy Framework (SPF) checking should be implemented to detect and prevent sender address forgery.
Review network logs for evidence of the indicators provided in this Alert. Specifically, emails relating to this Alert have been observed since 2 October 2014.
Configure mail servers and mail scanners to block and remove emails with the indicators below.
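The SPF and Reply-To checks above can be combined into a simple inbound mail-filter rule. The following is an added example, not code from CERT Australia or the Department: it assumes the receiving mail server stamps a Received-SPF header, that the organisation's own domain is victim-company.com.au (constructed, taken from the sample emails above), and it flags messages that claim an internal executive sender while failing SPF, replying to an outside domain, or talking about wire transfers.

```python
import email
from email.utils import parseaddr

ORG_DOMAIN = "victim-company.com.au"          # assumption: the organisation's own mail domain
FREE_MAIL = {"hotmail.com", "gmail.com", "aol.com"}  # free webmail domains named in the Alert
WIRE_TERMS = ("wire", "transfer", "payment")  # subject wording seen in the sample emails


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def scam_indicators(raw_message):
    """List the CEO-wire-scam indicators present in one raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    # No Reply-To means replies go back to the From address.
    reply_dom = domain_of(msg.get("Reply-To")) if msg.get("Reply-To") else from_dom
    # Received-SPF is added by the receiving MTA; its first token is the result.
    spf_tokens = (msg.get("Received-SPF") or "").split()
    spf = spf_tokens[0].lower() if spf_tokens else "none"
    reasons = []
    if from_dom == ORG_DOMAIN and spf in {"fail", "softfail", "none"}:
        reasons.append(f"SPF {spf} for a sender claiming {ORG_DOMAIN}")
    if from_dom == ORG_DOMAIN and reply_dom != ORG_DOMAIN:
        kind = "free webmail" if reply_dom in FREE_MAIL else "external"
        reasons.append(f"Reply-To diverted to {kind} domain {reply_dom}")
    subject = (msg.get("Subject") or "").lower()
    if any(term in subject for term in WIRE_TERMS):
        reasons.append("wire-transfer wording in Subject")
    return reasons


def looks_like_ceo_wire_scam(raw_message):
    """Quarantine-worthy when at least two independent indicators line up."""
    return len(scam_indicators(raw_message)) >= 2


# Constructed sample messages; 203.0.113.5 and 198.51.100.10 are documentation addresses.
SAMPLE_SCAM = """\
Received-SPF: fail (victim-company.com.au does not designate 203.0.113.5 as permitted sender)
From: Senior Executive <senior.executive@victim-company.com.au>
Reply-To: Senior Executive <senior.executive.ceo@hotmail.com>
Subject: Wire Transfer
To: cfo@victim-company.com.au

Can you please email me the details needed to process an outgoing wire transfer.
"""

SAMPLE_LEGIT = """\
Received-SPF: pass (victim-company.com.au designates 198.51.100.10 as permitted sender)
From: Senior Executive <senior.executive@victim-company.com.au>
Subject: Board papers
To: cfo@victim-company.com.au

Attached are the papers for Thursday.
"""
```

Run on the two constructed samples, the scam message yields three indicators and the legitimate one none; in production the same rule would be applied at the mail scanner or as a log-review query over stored headers.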
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.