Security PSA: SVB collapse presents ripe opportunity for counterparty fraud

· 2 MIN READ · GREG NOTCH · MAR 13, 2023 · TAGS: MDR

Blog updated on March 16

What happened?

Following the collapse of Silicon Valley Bank (SVB) and the resulting uncertainty throughout the banking sector, many vendors and suppliers will be updating their banking information. Accounts receivable (AR) departments will reach out to accounts payable (AP) departments with new routing and account numbers at a much higher volume than usual.

Why does it matter?

An increased volume of bank account switching presents a massive opportunity for payment counterparty fraud. If an attacker is able to deceive someone into altering a few account and routing numbers, they can direct money to themselves, rather than your vendor or into your own accounts. Often this begins with compromised or forged emails resulting from business email compromise (BEC). Depending on the size of your environment, this may go unnoticed for some time. By the time you detect the attack, you could be out a significant amount of money—and you’ll still owe your vendor.

What’re we doing?

At this time, we’ve begun to see SVB-themed phishing submissions. Expel has created several YARA detections to identify phishing attacks affiliated with SVB and is assessing new detections for both our phishing and managed detection and response (MDR) offerings.

What should you do right now?

Validate account changes with known contacts at the counterparty where possible. Don’t do this via email if it can be avoided (in case either your email or the other party’s is compromised). Confirm receipt of a test deposit of a nominal value prior to making a bank account change for your vendor.

This takes a bit more effort, but there’s little doubt fraudsters will try to take advantage of the turmoil.

What can you do longer term?

BEC isn’t new. It accounted for over half of all cyber incidents last year (according to our annual threat report), and remains the top threat facing our customers. We also saw threat actors targeting human capital management systems—specifically, Workday—with the goal of payroll and direct deposit fraud. Situations like what’s happening with SVB only exacerbate the opportunity for bad actors to exploit people as they scramble to ensure their finances are protected—and prevention starts with proper training.

Make sure employees are trained to recognize potential red flags associated with phishing emails. Spend time educating specific business units about the phishing campaigns that might target them. In this example, finance teams might encounter financial-themed campaigns with subject lines such as “URGENT:INVOICES” or “bank change” (and they may even reference SVB directly).

Once employees know what to look for, make it easy for them to report any suspicious activity. We recommend implementing a system for employees to validate suspicious emails or texts, allowing IT to provide guidance to the individual and giving security teams enough insight to identify trends that might indicate a larger scale attack early on.

These trainings can mean an investment up-front, but they’ll pay dividends in the long run.

What next?

With the collapse of SVB, there’s always the potential for further turmoil within the banking industry (we also saw the shuttering of Signature Bank over the weekend). As these events unfold, we’ll continue working with our customers to help protect them from bad actors looking to exploit the situation.

By the way, not an Expel phishing customer and think you’d like to be? Reach out.