Sophisticated social engineering schemes targeting business bank accounts
Authors
Melissa K. Ventrone , Jason M. Schwent
We are seeing an increase in sophisticated social engineering attacks in which threat actors impersonate financial institutions and use accurate banking information to trick employees into disclosing credentials or authorizing fraudulent transfers. Recent incidents demonstrate that these schemes are becoming increasingly convincing and difficult to detect.
Overview of Recent Incidents
In one matter, a company received a call purporting to be from its bank, stating that unusual activity had been detected on the company’s account. The caller provided highly detailed and accurate information—including recent transactions and the date of the last login—making the call appear legitimate. During the call, the employee received a text message requesting login information, which they provided. The employee quickly became suspicious and alerted company leadership, who contacted the bank. The bank froze the account immediately, preventing any loss. A review revealed no evidence of unauthorized logins to the company’s email or bank account.
In a second, more elaborate incident involving a law firm, a retired partner and the firm’s business manager received similar fraudulent calls from individuals claiming to be with their bank. The callers knew detailed account information, including authorized signers and recent transactions. While on the call, the business manager’s inbox was flooded with hundreds of emails—apparently intended to distract from concurrent fraudulent activity. At the same time, two unauthorized individuals were added as custodians on the firm’s bank account, despite multifactor authentication controls.
Within minutes, 28 transfer attempts totaling approximately $2.2 million were initiated. The bank stopped 16; the remaining ACH transfers were flagged and are believed to be frozen. The bank also reported receiving an email authorizing one of the transactions that the business manager insists she did not send. As with the first incident, there was no evidence of unauthorized logins to the firm’s bank account or email environment.
Key Takeaways
- Fraudsters are using accurate account details (recent transactions, the date of the last login, authorized signers) to establish trust and make the call appear legitimate. Knowledge of those details does not prove the caller is the bank.
- Attackers may spoof bank phone numbers and run simultaneous "distraction" tactics, such as flooding an employee's inbox with hundreds of messages, to mask concurrent changes to the account.
- Employees should be trained to end any unsolicited call about account activity and call the bank back on a number they already hold (from the bank's website, a statement, or the back of a card), never a number supplied by the caller or in a text message, and never to enter or read out login credentials or multifactor codes in response to such a call.
- Strict internal verification procedures for fund transfers, and for changes to account signers or custodians, remain critical even when the request appears to come from a trusted source.
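The inbox-flooding distraction described above is detectable on the mail gateway as a burst of inbound messages to a single mailbox. The following is an added example, not code from the authors or from any bank or vendor: it runs a sliding-window count over constructed mail-gateway log lines (the `<ISO timestamp> to=<recipient> from=<sender>` format, the five-minute window and the threshold of 50 messages are all assumptions chosen for illustration) and raises an alert the moment one mailbox crosses the threshold, recording how many distinct senders the burst used, since mail bombs built from bulk sign-ups typically come from many different senders.

```python
"""Flag a sudden flood of inbound mail to one mailbox.

Added example, not the authors' code. The log format, window size and
threshold are hypothetical; adapt them to the gateway actually in use.
Lines are assumed to arrive in chronological order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window length (assumption)
THRESHOLD = 50                  # messages per recipient per window that trigger an alert (assumption)


def parse_line(line):
    """Parse '<ISO timestamp> to=<rcpt> from=<sender>' into (datetime, rcpt, sender)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["to"].lower(), kv["from"].lower()


def detect_mail_bombing(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {recipient: alert} for each mailbox whose inbound volume reaches
    `threshold` messages inside any `window`. The alert records when the burst
    first crossed the threshold and how many distinct senders it involved."""
    recent = defaultdict(deque)   # recipient -> deque of (ts, sender) still inside the window
    alerts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, rcpt, sender = parse_line(line)
        q = recent[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:   # expire entries that fell out of the window
            q.popleft()
        if len(q) >= threshold and rcpt not in alerts:
            alerts[rcpt] = {
                "first_alert": ts.isoformat(),
                "count_in_window": len(q),
                "distinct_senders": len({s for _, s in q}),
            }
    return alerts


def build_sample_log():
    """Constructed sample data (not real traffic): ordinary morning mail to two
    mailboxes, then 120 messages from 120 different senders to one mailbox in
    four minutes, mimicking a subscription-bomb distraction."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    for i in range(20):   # one ordinary message every three minutes, alternating mailboxes
        rcpt = "bizmgr" if i % 2 else "partner"
        lines.append(f"{(base + timedelta(minutes=3 * i)).isoformat()} "
                     f"to={rcpt}@firm.example from=client{i}@example.net")
    burst_start = base + timedelta(hours=1)
    for i in range(120):  # the flood: a new sender every two seconds
        lines.append(f"{(burst_start + timedelta(seconds=2 * i)).isoformat()} "
                     f"to=bizmgr@firm.example from=newsletter{i}@bulk{i % 40}.example")
    return lines


if __name__ == "__main__":
    for rcpt, alert in detect_mail_bombing(build_sample_log()).items():
        print(f"ALERT {rcpt}: {alert['count_in_window']} messages from "
              f"{alert['distinct_senders']} senders by {alert['first_alert']}")
```

An alert of this kind is a coarse signal, but it is cheap, and its value lies in where it is routed: if a flood against a finance or signatory mailbox is reported to both the mailbox owner and whoever approves payments, the "distraction" becomes a prompt to check for concurrent calls, account changes and pending transfers rather than a reason to look away from them.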
How We Can Help
Our team regularly assists clients with incident response, fraud investigations, and proactive security training to help mitigate the risk of similar schemes. If you have questions about strengthening internal controls or responding to a potential incident, please contact any member of our Privacy, Cybersecurity, and Data Protection team.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.