Canadian bank used in attempt to trick firm in wire fraud

Breach reports on banks usually deal with attempts to gain passwords and drain user accounts. However, attackers can also open or hack an account to use it as a transit point for a criminal transaction.

An American branch of TD Bank was apparently used that way by an attacker who tried to trick a staffer in the financial office of security vendor WatchGuard Technologies into wiring US$20,000 to the account as payment for some of the company’s products.

As outlined last week in CSO Online, the attack started with a classic spear phish email from a person who purported to be the staffer’s manager, using the name in the “From” part of the email header. However, the email’s source address was a seven-digit number at That, along with the fact that the request ignored the official chain of command and finance protocols, made the employee alert the company.

A WatchGuard researcher then took over, pretending to be the employee in the hope of tracking down the attacker. Using a disposable phone number, the researcher texted the attacker, who told the researcher about the urgent fund transfer to a TD Bank account. To trick the attacker, who was expecting a wire transfer confirmation message, WatchGuard masked the IP address of a honeypot server behind a URL shortener and sent it to the attacker disguised as a confirmation link. The researcher then traced who clicked on that link. It came from Nigeria.

It isn’t known if the bank account was legitimately set up by the attacker, or if it was hacked. WatchGuard notified TD Bank about the matter, so we called the bank and asked if it had investigated and what it found. A bank spokesperson wouldn’t say much.

“As always, the safety and security of customer information is a top priority for TD,” the spokesperson said in an email Thursday. “We have multiple safeguards in place, but in the event that a transaction is suspected of being unauthorized, we conduct an investigation. There are steps everyone can take to help protect themselves against fraud, including: never sharing or writing down your Personal Identification Number (PIN) used for account access cards or credit cards; regularly changing your passwords and ensuring banking credentials are different than day-to-day passwords (ex. email, online retailers); refraining from opening unexpected links or attachments; never disclosing personal, confidential or financial information via emails; and regularly reviewing your bank account and credit card statements for suspicious transactions.”

The incident is another example of why, despite the frustration of some CISOs about the effectiveness of warnings, thorough security awareness training can be valuable, particularly among staff who handle money. It’s also an example of how a well-trained security team can track down some information about attackers, which may help defences.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
