Email and ACH, A Deadly Combination

Email, the phisherman’s paradise, the hacker’s delight, the criminal’s new hotness, can be deadly when combined with crucial and private information.  Ok, so maybe not deadly, but certainly able to cause enough stress to create an ulcer.

Here at the HubWise we’ve seen some interesting things going on with email lately, specifically around bank account and routing numbers, social security numbers, and credit card numbers. 

Two years ago, getting your email hacked usually meant someone was using your email account to send out a bunch of spam to either your contacts or, more likely, the world at large.  While this was annoying and generally irritated people, the worst that usually happened was that you ended up on a blacklist and couldn’t get your emails delivered for a few days while you cleaned up the problem.  This has changed dramatically recently.

We are now seeing that when email accounts get hacked, or more likely, when a user provides their username and password in response to a phishing email, the criminals that access the account don’t do anything for a while.  They just watch.  They see what emails you send and receive, they start to understand the inner workings of your organization and its org chart, and they monitor your calendar to see what you are doing.

Why?  Because when they know who you communicate with and the role each person is in, they can then use your email to get someone else to do something they wouldn’t normally do.

Here are a couple of specific examples. 

The CEO of an organization was in China scouting new locations and manufacturing plants for the business and its international expansion.  The whole company knew she would be out of the office and had a pretty good idea of what the trip was about.  The CFO, who did not accompany the CEO on the trip, was very aware of it and its purpose.  So, when the email from the CEO came in asking that $250,000 be transferred to a bank account in China, he didn’t question it.  The money was sent immediately.  The CFO replied to the email, saying it was done.  When the CEO called the next day, the CFO made a passing comment asking about the transaction, and the CEO’s response was one of shock.  She had not made the request and was surprised to hear it had been made.

The Information Security team investigated and found that the CEO’s email credentials had been compromised.  The hacker had set up rules in her mailbox that automatically deleted all email received from the CFO, so any response he sent would never be seen.  They had also noted that the CEO was to be in China and sent the email during that time.  The money was not recovered.

Another situation involved a 401(k) disbursement request.  An ex-employee of a company had requested his funds be rolled over into his bank account.  He filled out the form, put his bank account information on it and emailed it to his former employer.  The controller forwarded the form to their 401(k) manager, who then forwarded it on to the investment bank. 

The employee called their former employer a few days later and told the controller that the money hadn’t shown up in their bank account.  The controller called their 401(k) manager and was told the money was disbursed a few days after the form had been received.  The manager and the controller ended up comparing the routing and bank account numbers on the form, and they didn’t match. 

After investigating the incident, it appeared that the 401(k) manager’s account had been compromised.  The people watching the account saw the email come in, copied it, then deleted it out of the manager’s account so it wouldn’t be seen.  Five hours later, an email was sent from a spoofed address made to look like it came from the controller, and it included the exact attachment originally sent, with the bank account and routing number changed.  The manager was none the wiser.

Luckily the investment bank was able to reverse the funds from the wrong bank and recover the money before the account was emptied. 

These are just two of the many examples of what we are seeing criminals do in the wild.  And they are scary.  So how do you protect yourself?

First and foremost, if you are sending critical information via email, unless it’s encrypted, stop doing it now.  All HubWise customers are subscribed to HubWise ChainMail which provides email encryption built in.  It also automatically detects social security numbers and credit card numbers and encrypts those, so if you forget to mark the email, it will still be protected. 

HubWise ChainMail Compete combines with HubWise Spark to provide AI monitoring of your email accounts.  If it notices something odd going on with your email, for example sending emails you normally wouldn’t send or sending at odd times, it will flag a ticket and let us know.  It also monitors your inbox rules to ensure they are not being changed. 

Even with all of this in place, like a warm security blanket on a cold winter’s day, you also need to be vigilant about what you click on.  Compromised email credentials can lead to both of the above examples, and it doesn’t even need to be yours that are compromised to cause problems. 

Sometimes the best security feature isn’t technology at all: pick up the phone and make sure what you sent was received properly.