Industry News

Primary Defense Against New Business Email Scams: Two-Factor Authentication

Phishing emails purporting to be wire transfer requests are the latest form of ‘business email compromise’ (BEC), according to the Internet Crime Center (IC3). These emails target business executives and finance staff who are responsible for vendor payments or for handling wire transfers, and are sent either from hacked employee accounts or by someone posing as a credible supplier.

The target:

Businesses that regularly perform wire transfers and work with foreign suppliers, including those that purchase or supply goods such as textiles, furniture, food and pharmaceuticals (both ends of the supply chain).

The losses:

$210 million stolen from U.S. and non-U.S. businesses, affecting over 2,000 victims.

Different email fraud scenarios:

  • A fraudulent supplier asks a business, via telephone, fax or email, to wire funds for an invoice payment to the fraudster’s bank account.
  • The email accounts of C-level business executives are compromised, either by spoofing or by hacking, and are then used to ask another employee or a financial institution for a wire transfer.
  • A hacked business employee account sends invoice payment requests to several of the business’s vendors, asking for funds to be deposited into criminal-controlled bank accounts.

How to protect your company:

Use two-factor authentication, the government advises. It also recommends using out-of-band communication (outside of the email environment) to verify high-dollar transactions, as does the Federal Financial Institutions Examination Council (FFIEC). Wire transfers and approvals should be conducted outside of email, using systems that are protected by two-factor authentication.

By carrying out authentication over a secondary communication channel, you gain a higher level of security, because an attacker who has intercepted one channel does not automatically get the other. For example, if your primary authentication (username/password) is sent over the Internet, your secondary authentication should be sent over a mobile network. Learn more about smartphone authentication.

They also advise that each person on either side of the transaction should use digital signatures, a way to sign and validate online transactions using public key (asymmetric) cryptography. A pair of keys is used: for encryption, the public key encrypts data and the private key decrypts it; for signing, the private key produces the signature and anyone holding the public key can verify it.
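As an added example that is not code from the article or from Duo, the following Go program shows the signing side of that advice: an approver signs a wire-transfer approval with the private key, and the receiving side verifies it with the public key, so that any change to the amount or beneficiary account after signing fails verification. The WireApproval record and its fields are assumptions made for the example, and the sample approval data is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// WireApproval is the approver's statement of what is being approved (a layout assumed for this example).
// Field order is fixed, so the JSON encoding is the same bytes on both sides.
type WireApproval struct {
	RequestID   string `json:"request_id"`
	Beneficiary string `json:"beneficiary"`
	Account     string `json:"account"`
	AmountCents int64  `json:"amount_cents"`
	Currency    string `json:"currency"`
	Approver    string `json:"approver"`
}

// encode produces the canonical bytes that are signed and verified.
func encode(a WireApproval) []byte {
	b, err := json.Marshal(a)
	if err != nil {
		panic(err) // a struct of plain strings and ints always encodes
	}
	return b
}

// SignApproval signs the approval with the approver's private key.
func SignApproval(priv ed25519.PrivateKey, a WireApproval) []byte {
	return ed25519.Sign(priv, encode(a))
}

// VerifyApproval checks, with the approver's public key, that the approval
// received is byte-for-byte what the approver signed.
func VerifyApproval(pub ed25519.PublicKey, a WireApproval, sig []byte) bool {
	return ed25519.Verify(pub, encode(a), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample approval; beneficiary details are made up.
	a := WireApproval{"REQ-1001", "Acme Textiles Ltd", "ACCT-000111", 4400000, "USD", "cfo@example.com"}
	sig := SignApproval(priv, a)
	fmt.Println("genuine approval verifies:", VerifyApproval(pub, a, sig))
	tampered := a
	tampered.Account = "ACCT-999999" // account swapped after signing
	fmt.Println("tampered approval verifies:", VerifyApproval(pub, tampered, sig))
}
```

In practice the public key would be registered with the bank or payment system ahead of time, so a request signed with any other key, or altered in transit, is rejected before funds move.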

Other tips include deleting spam without opening it, clicking its links or downloading its attachments, which is the obvious way to avoid malware, and using the forward option instead of reply when responding to business emails. The reasoning behind the latter is to avoid replying to a spoofed or spammy address, ensuring that you are conversing with the actual intended person at a legitimate email account.

To avoid leaking personal information that can be used against companies in social engineering attempts, don’t announce your vacation plans or hiatuses publicly on social media. Hackers often target traveling business executives while they are off the clock and less likely to notice that their email has been hacked, or at least slower to realize it.

Two-Factor Authentication for Financial Transactions

These types of wire transfer scams aren’t anything new, though the methods attackers use to achieve their ends may vary. In one case, hackers directly stole the banking credentials of a real estate company and used them to make a wire transfer of $440,000 to a bank account in Cyprus, a small European island country, as KrebsonSecurity.com reported.

The company sued its bank, arguing that the bank’s security controls did not provide out-of-band two-factor authentication but only dual-factor authentication, which required the customer to have one username/password to approve a wire transfer and another username/password to release the same transfer. Two forms of in-band authentication are not as secure as out-of-band authentication, which the FFIEC recommends for financial transactions, as mentioned earlier.

The company didn’t win the suit, mainly because it had opted out of using dual authentication before the incident. But it does raise a good point about properly securing access to online banking applications and wire transfer services.

Learn more about two-factor authentication and the banking/financial industry by reading:
Two-Factor Authentication for Bank Wire Transfers
Two-Factor Authentication, Financial Firms, and You
Webinar: End-User Authentication Security on the Internet
Remote Overlay Toolkit Bypasses OTP Two-Factor Authentication