Halkyn Security Blog
Specialist Security & Risk Management Consultants

Finphishing – 8 steps to criminal profits

FinPhishing – or financial spear phishing – is a form of social engineering attack which is becoming massively profitable for the criminal enterprises involved. Unfortunately for the victims it is very cheap to deploy and nearly always gets past technological security controls such as spam filtering and malware detection.

FinPhishing - short and succinct message, simple to generate but potentially deadly to the victim.

FinPhishing – short and succinct message, simple to generate but potentially deadly to the victim.

As a result of this, businesses across the globe are losing fortunes in fake wire transfers to overseas bank accounts with only limited hope of ever getting their money back.

FinPhishing (under various names) isn’t new – there are reports of Scoular Co.,(a US based private equities trader) losing $17.2m to a FinPhishing attack in June 2014. This has been followed in January by the Internet Crime Complaint Centre reporting that US businesses had lost $214m to scams similar to this in the previous 14 months.

More recently, in early August, Ubiquiti Networks disclosed a loss of US$46m to a FinPhishing scam which was discovered in June.

FinPhishing is big business for criminals.

What is FinPhishing

In summary – financial spear phishing (FinPhishing for ease) is a type of social engineering attack which tricks the victim into making a large sum transfer to a bank account managed by the attackers.

The attacks are all very similar and rely very heavily on corporate culture to work. Unfortunately the tendency of designers to make email user interfaces more “user friendly” actually helps the attacker here.

The FinPhishing Attack

The screenshot accompanying this post shows an initial finphishing email received by a target company. From this we can see the key elements of how the attack is constructed:

  1. Attackers look over public websites for information to identify the business structure. This includes obvious sites such as LinkedIn but also ones people don’t tend to directly post their own data to, such as ZoomInfo.com.
  2. Once they build up your organisation chart, they try to identify a person in a position of authority (CEO, MD etc) and a person working in a finance role. The finance person is now the target of the attack (victim).
  3. The attackers craft an email looking like it has come from the CEO/MD etc., often including the correct email address in the message “From:” field, but it will have a different email in the Reply-To or X-Sender headers.
  4. The message makes a terse request about sending funds for some urgent business activity. The brevity means it bypasses most spam filters and the lack of payload or malicious link allows it to bypass AV or threat monitoring.
  5. The victim reads the email and it looks like it is legitimately from the CEO/MD – unfortunately most email systems only show the From address – so they reply either asking for more details or in some cases starting the process.
  6. Very alert victims may notice the email client now shows a new email address in the “To:” box but this is actually very rare and sophisticated attackers can mask this.
  7. Once the victim responds, the phishers know they have access to a live person who at least partly thinks the request is legitimate and they can begin the second stage of the attack which is an initial transfer of a reasonably small amount of funds (often in the $50 – 100k region).
  8. If this works, the attackers will go all out and generate increasingly urgent, demanding requests to get as much as possible before they are detected.

Security measures

At its core, FinPhishing is just a social engineering attack. This means you need to concentrate on the people involved.

  • Provide all your workforce security awareness training which emphasises the risks from social engineering attacks.
  • Ensure anyone working in finance understands what this sort of attack looks like and what to look out for in a phishing email.
  • If possible configure your mail clients to give as much detail as possible about the message headers.
  • Establish authorisation processes so that no one can transfer large amounts of money out of your business without solid confirmation – no matter how urgent it may be.
  • If you are caught by this scam alert your bank and  involve the police or law enforcement as quickly as possible. Recovering funds is always going to be difficult, so any delay will just make it worse.


FinPhishing is cheap, easy and lucrative. This means there is currently little or no incentive for attackers to stop and the low technological requirements mean that even if current attackers are caught and move on, others will fill the gap.

The best, possibly only, defence is to ensure you have robust processes and alert staff. If you do fall victim to an attack, make sure you can react quickly and hopefully you will save your business.

Similar posts
  • Memory analysis in incident response ... Incident response is often a stressful, high-pressure situation. Responders are desperately trying to claw together information. All around them the world is collapsing. Furthermore, everything important seems to be deleted or obfuscated. Yet it is not all doom and gloom. They have memory analysis. Life can be hard for the incident responder. You are faced [...]
  • Checklist or your memory, is one bett... Quite rightly, security professionals are proud of how much information they hold in their heads. There is no doubt that to be effective you need to have immediate access to lots of different concepts. However, the really effective ones also have a checklist. First off – the problem. Lots of certificate exams are memory tests and [...]
  • Threat Hunting – essential for ... Lots of articles, blog posts and webcasts talk about threat hunting. Despite this few, if any, organisations do it. This is a mistake. Security hit the headlines again recently, when Equifax admitted to a breach exposing around 143 million records of personal data. While details are still emerging, it looks like the attackers compromised an [...]
  • UOC – Cybersecurity Conference ... Cybersecurity is big news with governments and businesses suffering at the hands of cyber attacks. As a result of this, the University of Chester (UoC) STEMs society is hosting a Cybersecurity Conference on the 28th March 2017. The primary aim is to raise awareness of Cybersecurity. In addition, it will provide an opportunity to build professional networks and encourage career [...]
  • Dashboards vs Security – are th... Metrics, Dashboards and Security Like them or not, metrics are a fundamental part of every organisation. Security doesn’t get to a free pass. It is a rare CISO who doesn’t demand dashboards showing how all the security controls are performing. Therefore for most organisations, this is a fight long lost. This may not always be a [...]
%d bloggers like this: