Wire transfer phishing results in billions of dollars lost every year — and the problem is only getting worse. That’s why leaders and security experts are increasingly worried about this damaging form of cybercrime.
In this article, we’ll be answering the following questions:
- What is wire transfer phishing?
- How does wire transfer phishing compare to other social engineering attacks?
- How can your organization defend against wire transfer phishing?
We’ll also be taking a look at one of the biggest cybercrimes in history — a sustained wire transfer phishing scam against Google and Facebook.
What is wire transfer phishing?
Also called “wire transfer fraud,” wire transfer phishing is a type of social engineering attack that uses impersonation to trick the victim into transferring money to the attacker.
Join 30,000+ fundraising professionals that receive our weekly Sunday newsletter with industry trends, tips, and analysis delivered right to your inbox
How wire transfer phishing works
Like other social engineering attacks, cybercriminals use several methods to carry out wire transfer phishing against organizations and individuals. But, we can offer a “typical” example of this kind of attack.
As fundraisers, it is not uncommon to receive emails involving financial information. For example, one morning, you get an email from Jane accounting — someone who has emailed invoices regularly for the past five years. As always, Jane is friendly. She provides a normal-looking email explaining that she did not receive a recent gift and if it would be possible to send that money over as soon as possible.
You provide the gift information in the usual way, using the bank account details provided. But you didn’t realize that Jane’s email address was subtly different this time — instead of the usual firstname.lastname@example.org, the email came from email@example.com.
You just fell victim to a wire transfer phishing attack — and paid money into a cybercriminal’s account.
Wire transfer phishing vs. other types of phishing
There are many types of phishing. But they all have one thing in common: the hacker tries to trick targets into handing over information, transferring money, or granting access to networks.
Wire transfer phishing aims to trick the victim out of money by persuading them to transfer money into the attacker’s bank account. Below are other types of phishing motivated by a financial incentive.
- Credential phishing involves creating a fake website that looks like an account login page. The target believes they are logging into an online account. But in fact, they are sending their username and password to the attacker.
- Payroll diversion is where a scammer impersonates an employee and provides new bank details to an HR department.
- Gift card phishing involves persuading the target to purchase gift cards or make a payment via gift cards.
But there are plenty of other “types” of phishing. While phishing typically refers to an email-based social engineering attack, hackers can also use different delivery methods. For example:
- Smishing is a type of phishing that takes place via SMS message.
- Vishing takes place over the phone or Voice over IP (VoIP) software.
- Social media phishing takes place over social media platforms.
Wire transfer phishing could occur via SMS, phone, or social media — but email is much more common. Additionally, some types of phishing are defined by how they target victims. For example:
- Spear phishing is any phishing attack that targets a specific individual. A spear-phishing email opens with “Dear [name],” whereas a bulk, “spray and pray” phishing attack addresses no one in particular.
- Whaling is any phishing attack that targets a senior executive. High-profile targets typically have easier access to more significant funds.
- Business email compromise (BEC) involves spoofing or hacking a company email account (for example, firstname.lastname@example.org).
Wire transfer phishing is very likely to involve spear phishing. After all, you’re not very likely to hand over money to an individual that doesn’t even use your name. Business email compromise and whaling also usually involve wire transfer phishing.
Recognizing wire transfer scams
Recognizing wire transfer scams can be extremely difficult. But, even the least sophisticated scams share some hallmarks, including:
- A sense of urgency — The person requesting a fraudulent transfer will often claim that the money is needed immediately or threaten late payment fines.
- Unsolicited contact — If you receive a request for money from a company you’ve never dealt with, this is likely to be a phishing scam (of inferior quality).
- Unprofessional communication — Phishing emails might be written in an unprofessional tone or contain grammatical errors.
These traits are rarely present in successful wire transfer attacks, which can involve impersonations of specific people and careful recreation of invoices that appear identical to genuine documents.
Running employee training programs
It’s essential to make your employees aware of wire transfer phishing and other security threats. But employees should never be the last line of defense.
Phishing techniques have become so sophisticated that even the most tech-savvy employees can miss them (including the NSCS’s cybersecurity experts). Humans aren’t good at recognizing subtle changes in behavior and identity — no matter how much training they receive. That’s why email security is essential.
Interested in learning more about the pros and cons of phishing awareness training? Read more here.
In addition to deploying email security software and increasing staff awareness, your team should take steps to validate wire transfers before making payments. For example:
- Keeping careful (and secure) records of vendors’ bank details
- Verifying payments over the phone where practical
- Contacting the payee directly where there are any concerns
These validation processes are important, but they can take time and resources — and they’re far from foolproof, as we’ll see below.
Case Study: Facebook and Google $121 Million Wire Transfer Scam
In 2019, a Lithuanian national named Evaldas Rimasauskas appeared in court in New York. Rimasauskas pleaded guilty to participating in the biggest phishing scam in history and received a 5-year prison sentence.
Between 2013 and 2015, Rimasauskas and his associates used wire transfer phishing to scam Facebook and Google out of around $121 million.
So how did this team of cyber-criminals trick two of the world’s largest tech companies into giving up so much cash?
First, the group set up a company with the same name as a genuine Taiwanese computer manufacturer that supplied Facebook and Google with hardware — “Quanta Computer.” Then, Rimauskas set up bank accounts in the company’s name across Latvia and Cyprus.
The scammers then emailed Facebook and Google employees from fake spoof accounts pretending to be Quanta Computer employees. These emails were convincing enough to persuade the tech firms’ staff to pay invoices into Rimasauskas’ phony bank accounts.
Once the cybercriminals had received payments from Facebook and Google, they quickly transferred the money to a network of accounts across Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.
How did the group get away with making such substantial transfers for so long? Didn’t the receiving banks question where this money was coming from? The group also created fake invoices, contracts, and letters — purportedly from the tech firms’ employees — to verify the transfers.
What can we learn from the Rimasauskas case?
- Even employees at well-resourced, tech-oriented firms can fall victim to wire transfer phishing.
- As well as impersonating people you know, scammers can set up companies with the same names as your service providers.
- Banks can’t be relied upon to prevent fraudulent wire transfers.
It’s hard to deny the cleverness of Rimasauskas’ scheme. If Facebook and Google — two of the wealthiest companies on the planet — can lose $121 million this way, then any company could fall victim to a similar scam.