Cybercrime and your money: Banking on human error

May 08, 2020

Hackers are using increasingly sophisticated techniques to siphon money out of businesses, but most cybercrimes still hinge on a company’s weakest link: its employees.

Malicious attacks on businesses increasingly involve social engineering, with hackers impersonating senior management to direct unauthorized payments to their own bank accounts. The cost of these attacks, along with others such as phishing or malware, is on the rise, and the potential increase in cybercrime during the COVID-19 pandemic risks pushing it higher. 

Cybercrime losses rose to $13 million on average for U.S. and European companies reporting attacks in 2019 — a 61% increase from the previous year. Ramping up investment to strengthen systems and educating staff to tighten up security are vital for companies to fend off costly attacks and stay in business.

Here’s the lowdown on cybercrime and your money.

Hacking through identity theft 

When an email from the chief executive lands in their inbox, most employees will likely drop everything to respond as quickly as possible. But what happens if a request from the boss asking an employee to urgently process a hefty payment is actually fake? 

It’s this type of social engineering or impersonation attack that is catching employees off guard. 

As with most cybercrimes, hackers first need access to a company’s systems. Poorly protected virtual private networks with single-step authentication and browser-based webmail accounts are often the weak spots hackers target. 

Hackers may launch automated “password sprays,” which try commonly used passwords against the executive’s username in the hope that one eventually works and lets the hacker into the system. 

Other tactics include “credential stuffing,” in which hackers take usernames and passwords stolen from the CEO’s other accounts and test whether the same combination works here. If that doesn’t work, the hacker may set up a lookalike email domain and account and count on the victim not reading the “from” address closely.

Experts at identity theft

Once a hacker has found their way into an executive’s email account, they may choose to bide their time as they slowly start to put their plan into action. 

It’s often easy to get an idea of a company’s reporting structure simply by skimming through its website and corporate filings. But to successfully use a CEO’s email, a hacker could lurk in their inbox for several weeks. Doing so gives them a chance to read the executive’s emails and build up a comprehensive picture of who they contact on a regular basis and the issues they’re discussing. 

Importantly, it also gives them a feel for the language, style and tone of voice the CEO uses in their messages, so the hacker’s own messages can pass as the CEO’s. 

How social engineering attacks work

Social engineering attacks often play on personal relationships and exploit the willingness of people to help out in an emergency situation. Once a hacker is ready to strike, they may start sending out emails to employees asking for small requests, covering their tracks by deleting sent messages and replies. 

In one common scenario, the “CEO” says they’re scheduled to go to a major conference and want a batch of gift cards from a major online retailer to give away to clients at the event. Could the employee buy them, scratch off the silver foil and send the CEO the individual card numbers? 

After the hacker has that information, they can then use it to make purchases.

Hacking through CEO email

A hacker might get only one chance to use the CEO’s stolen identity to steal a large sum, so when it comes to the main event they will often adopt a more aggressive, urgent-sounding tone. 

“We’re just about to close on a new acquisition. Wire $300,000 by midnight” reflects the type of message they may send to the company’s finance team.

The hacker hopes the pressure of a tight timeline will convince the company’s controller to release money quickly, potentially overriding any checks and balances along the way. 

Once the wire transfer arrives in a hacker’s fake bank account, the money is swiftly switched into another and then effectively disappears, often overseas. Less than 1% of cybercrime proceeds are ever recovered.

Hacking using social engineering and more

Some social engineering attacks simply rely on rudimentary impersonations. Hackers often set up dummy company websites and email accounts that at first glance look like the real deal. 

The chances of success are lower than with more sophisticated hacking strategies, but emails sent from fake sites and addresses requesting money continue to fool many people who don’t take the time to check their origins carefully. 
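The lookalike domains mentioned above, both the near-miss domain a hacker registers after credential attacks fail and the dummy sites and addresses that "at first glance look like the real deal", can be caught mechanically rather than by asking every reader to squint at the From address. The following is an added example, not code from the article or from Wipfli: it assumes a placeholder trusted domain of example.com, a constructed set of inbound From headers, and an edit-distance threshold that a real deployment would tune.

```python
# Added example, not code from the Wipfli article: flag From domains that merely resemble a
# trusted domain (the lookalike-domain tactic described above). All values are constructed.
TRUSTED_DOMAIN = "example.com"  # placeholder for the organisation's real domain
# Character sequences that look alike in many email-client fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"), ("3", "e")]

def normalize(domain):
    """Lower-case and fold homoglyph substitutions so look-alikes compare equal."""
    d = domain.lower()
    for confusable, plain in CONFUSABLES:
        d = d.replace(confusable, plain)
    return d

def edit_distance(a, b):
    """Levenshtein distance: insertion, deletion and substitution each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(sender_domain, trusted=TRUSTED_DOMAIN):
    """Verdict for one sender domain: trusted, homoglyph, typo, embedded or unrelated."""
    sender = sender_domain.lower()
    if sender == trusted or sender.endswith("." + trusted):
        return "trusted"    # the real domain or one of its subdomains
    if normalize(sender) == normalize(trusted):
        return "homoglyph"  # e.g. exarnple.com, examp1e.com
    if edit_distance(normalize(sender), normalize(trusted)) <= 2:
        return "typo"       # e.g. exampel.com, example.co; 2 is a tuning choice
    registrable_label = trusted.split(".")[0]
    if any(registrable_label in label for label in sender.split(".")[:-1]):
        return "embedded"   # e.g. example.com.secure-login.net, example-finance.com
    return "unrelated"

def triage(from_headers, trusted=TRUSTED_DOMAIN):
    """Map each From header ('Name <user@domain>' or a bare address) to its verdict."""
    return {h: classify(h.rsplit("@", 1)[-1].strip("> "), trusted) for h in from_headers}

SAMPLE_FROM = [  # constructed From headers standing in for a day's inbound mail
    "ceo@example.com", "it-helpdesk@mail.example.com", "CEO <ceo@exarnple.com>",
    "ceo@examp1e.com", "ceo@exampel.com", "ceo@example.co", "vendor@supplier-inc.org",
    "CEO <ceo@example.com.secure-login.net>", "ceo@example-finance.com",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM).items():
        print(f"{verdict:10} {header}")  # anything but 'trusted' merits a second look
```

A mail gateway would typically run this against every inbound message and stamp non-trusted verdicts into a header or subject tag so the payment request arrives already flagged.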

Fraudulent bank accounts 

Payments to vendors and suppliers can be another risk area for companies. If hackers have gained access to your systems or commandeered email accounts, there’s a chance they could con accounts payable departments into paying official-looking invoices to fake accounts. 

And a strong word of warning: The liability for transferring money into fake accounts nearly always rests with the company that provided the information, rather than the bank that processed the transaction.

Protection against risk from hackers  

Cybersecurity experts suggest companies adopt the mantra “identify, protect, detect, respond and recover.” In reality, though, few companies are sufficiently protected against costly cyberattacks, which can even force them out of business.

Companies should treat investment in cybersecurity technology that adequately protects their systems as a form of insurance against loss. By ensuring that staff tighten security and learn to recognize the signs of potential attacks, companies can turn their weakest link into a formidable strength. 

Need help determining your next step? Contact your Wipfli advisor for help.


Tom Wojcinski