FOVI (Faux Ordre de Virement International, a fake international transfer order) is a bank transfer scam in which the victim is tricked into transferring funds to a bank account controlled by the fraudster.
Also known as "president fraud" (CEO fraud), this scam targets companies of every size and sector. The fraudster tries to convince an employee of the target company to make an urgent transfer to a third party. To do so, the fraudster claims that the request comes from management (CEO, CFO, a member of the management committee, etc.) and is therefore legitimate.
The scammer may claim, for example, to be settling a debt or honoring a contract with a new partner. The urgency of the request is stressed repeatedly. Sometimes the cybercriminal poses instead as a supplier and asks the treasury employee to send the payment to another bank account, claiming that the supplier's bank details (RIB) have changed.
As a rule, the attacker researches the company beforehand, which allows a refined pitch delivered in a convincing, authoritative tone; that preparation is the key to the scam's success. The consequences for the victim company are often disastrous.
The fraudsters' modus operandi
- The attacker analyzes the company's environment by retrieving information published on the Internet (sector, organization chart, customers and suppliers).
A wealth of information is available online, and a little research turns up precise details about a company's sector, business environment, customers and suppliers.
Recruitment postings and descriptions of the organization, often available online, reveal how a company operates and how it is organized.
This information lets the attacker legitimize a request by posing as a member of the company concerned.
- The attacker registers a false domain name resembling the company's, or impersonates an employee (for instance using credentials exposed in a data leak).
- Typosquatting: registering a domain name that is similar to the company's but with one character changed, as if it were a typing error.
- Cybersquatting: registering the company's domain name under a different extension (e.g. .fr replaced by .com or .eu).
Using social engineering, the attacker then sends a very specific, urgent e-mail to an employee, often posing as an executive and requesting a payment.
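The two lookalike-domain tricks above (one-character typos and extension swaps) are mechanical enough to screen for automatically. The following is an added example, not code from the original page: it takes the domain from an inbound From: header and classifies it against an assumed company domain, example-corp.fr, as legitimate, cybersquat (same name, other extension), typosquat (one insertion, deletion, substitution or transposition away, or a visually confusable sequence such as "rn" for "m") or unrelated. The company domain, the homoglyph table and the sample headers are constructed for the demonstration.

```python
"""Flag sender domains that resemble a company's own domain.

Added example, not from the original page. LEGITIMATE_DOMAIN, the
HOMOGLYPHS table and SAMPLE_HEADERS are constructed for the demo.
"""
from email.utils import parseaddr

LEGITIMATE_DOMAIN = "example-corp.fr"  # assumed company domain

# Character sequences that look alike in common fonts; the left-hand
# side is what a typosquatter writes, the right-hand side what it imitates.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}

# Constructed sample From: headers, one per scenario.
SAMPLE_HEADERS = [
    '"Jean Dupont" <jean.dupont@example-corp.fr>',    # legitimate
    '"IT" <noreply@mail.example-corp.fr>',            # legitimate subdomain
    '"Jean Dupont" <jean.dupont@example-corp.com>',   # extension swapped
    '"Jean Dupont" <jean.dupont@exarnple-corp.fr>',   # rn imitates m
    '"Jean Dupont" <jean.dupont@example-corpp.fr>',   # one extra character
    '"Jean Dupont" <jean.dupont@exmaple-corp.fr>',    # adjacent transposition
    '"Accounting" <compta@other-supplier.net>',       # unrelated
]


def split_domain(domain):
    """Split 'example-corp.fr' into ('example-corp', 'fr').

    Only the label left of the last dot is compared, so multi-part
    public suffixes (co.uk) would need normalizing first.
    """
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def fold_homoglyphs(label):
    """Replace confusable sequences so 'exarnple' compares equal to 'example'."""
    for seq, repl in HOMOGLYPHS.items():
        label = label.replace(seq, repl)
    return label


def within_one_edit(a, b):
    """True if a and b differ by exactly one insertion, deletion,
    substitution or adjacent transposition (Damerau-Levenshtein distance 1)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True  # single substitution
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
            i = diffs[0]
            return a[i] == b[i + 1] and a[i + 1] == b[i]  # transposition
        return False
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    # Deleting one character from the longer string must yield the shorter.
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def classify_sender(from_header, legit=LEGITIMATE_DOMAIN):
    """Return 'legitimate', 'cybersquat', 'typosquat', 'unrelated' or 'unparseable'."""
    legit = legit.lower()
    _, addr = parseaddr(from_header)  # display name is ignored on purpose
    if "@" not in addr:
        return "unparseable"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == legit or domain.endswith("." + legit):
        return "legitimate"
    label, tld = split_domain(domain)
    legit_label, legit_tld = split_domain(legit)
    if label == legit_label and tld != legit_tld:
        return "cybersquat"
    if fold_homoglyphs(label) == fold_homoglyphs(legit_label):
        return "typosquat"
    if within_one_edit(label, legit_label):
        return "typosquat"
    return "unrelated"


def scan_headers(headers):
    """Classify each header; returns a list of (sender address, verdict)."""
    return [(parseaddr(h)[1], classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for addr, verdict in scan_headers(SAMPLE_HEADERS):
        print(f"{verdict:<12} {addr}")
```

The label comparison deliberately ignores the display name, since a forged display name is cheap; only the address domain is trusted. Anything classified as cybersquat or typosquat should be routed to the verification procedure described below rather than silently dropped, because a genuine supplier occasionally does write from a new domain.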
Several scenarios are possible
The attacker may pose as a member of the target company, or as a legitimate organization such as the tax authorities, in order to obtain contextual information. The goal is to make the attacker's requests for information about the company's customers seem credible: outstanding or unpaid invoices, the people in charge of payments and purchases, the validation processes in place, and so on.
The attacker may also seek to supplement contextual information already gathered elsewhere (website, social networks, the press, etc.) to lend credibility to the fraud that will then be launched against the company, for example by posing as a supplier. In this way the attacker can cite precise details of a current payment or order to make a fake transfer order credible.
The attack can take several distinct forms
Fraud on the president
The attack may take the form of president fraud, from which it takes its original name: an urgent request, allegedly validated by a high authority (the CEO himself), urging an employee to make a payment without delay. The stated urgency and the apparent credibility of the request can induce the employee to pay. In this case the attacker impersonates someone inside the target company, by e-mail (a false domain name or fraudulent access to an internal company mailbox) or by telephone.
Request to change bank details
The attack can also take the form of a request to change a supplier's bank details. The aim is for the next payment from one or more customers to be credited to the cybercriminals' account instead of the account of the legitimate supplier being impersonated.
Creating false invoices
Finally, the attack may rely on false invoices inviting the targeted company to pay into the cybercriminals' account. Here again, thanks to the criminals' preparatory work, the context of the request may appear entirely legitimate.
How can I protect myself against bank transfer fraud?
Make employees and managers aware of the risks, in particular of phishing messages designed to steal their passwords, especially if your e-mail services are hosted or accessed externally.
Give authorized staff clear written procedures for authenticating the sender of a request, confirming unexpected transfer requests and validating changes to bank details.
Set up an internal verification and validation procedure, which cannot be waived, for unexpected transfer requests and for any change of bank details; confirmation should go through a channel and contact details already on file (for example a known telephone number), never through those supplied in the request itself.
Limit the publication of information (website, social networks, etc.) that could be used to identify and contact the employees authorized to make transfers or change bank details.
Require strong passwords for e-mail accounts and enable two-factor authentication to limit the risk of account compromise.