Why go to the trouble of taking money out of people’s accounts if you can get them to just give it to you?
That, apparently, is the logic behind hackers who use stolen passwords and information from breaches to send fake wire transfer requests to trick recipients into approving funds transfers.
Take, for example, the Ashley Madison breach in which a Canada-based dating site was hacked and its users subsequently blackmailed via email. While at first glance a financial institution may see no immediate fraud issue with such a breach, let’s look at an example of what can be done with this type of data.
Very recently, a mid-size bank with assets over $5 billion received a wire request using a seemingly legitimate email address and password, and the transfer was sent through. Even though the contents of the email are unknown, it’s apparent the employee was disinclined to call and question a request from a director. Upon discovering this, the wire department suspended email requests for the remainder of the day.