The following is provided by John Burton, President of AIV member NPI, a technology management company located in South Burlington. For more information, call (800) 639-6091, or go to www.npi.net.
Business owners are seeing a huge increase in attempted wire fraud. The FBI reports that this problem has cost companies billions of dollars in the last few years. The number of wire transfers has significantly increased in the last 15 years and, sadly, one in four victims actually transfers money to thieves.
Targeted email phishing attempts are very successful but some attempts also come over the phone. Recently several businesses in my area fell victim to wire transfer scams that cost them in the six figures–not to mention their damaged reputations.
Unfortunately, the primary targets for wire fraud have been small-to-medium-size businesses because they tend to be easy targets.
The best way is to prevent fraud is before the transfer is initiated.
Just another day in the office
The accounts payable person typically receives a constant stream of emails about invoices coming due. Often the tone is relaxed and asks about their family or other interests. Some mention that a late payment for the invoice could result in a 20 percent surcharge if not handled immediately. Everything looks right including the correct names and the vendor’s invoice and format. As usual, they submit the invoice for payment without giving it another thought. But in their rush to avoid a late fee, they don’t realize that the email is actually from firstname.lastname@example.org instead of the vendor’s real email email@example.com.
Some fraudulent requests are for millions of dollars but often they involve smaller amounts to help overcome the controls that kick in for larger amounts. If the scammer is successful in a preliminary request, they may continue to submit invoices until the scam is detected. Once the funds have been wired, recovering them may only be possible if detected within the first 48 hours.
Three components of a wire transfer attack
Reconnaissance – Cybercriminals use the web and social media to research key decision makers and find details about your money transfer protocols.
Messaging – They buy a domain name and email addresses almost identical to the targeted company. By monitoring social media accounts belonging to key executives they learn about travel plans, meetings and vacations. Once they confirm that the person is out of the office (often through a telephone call) they exploit the absence by sending emails to targeted staff members. Many employees who receive an email requiring immediate action from a senior executive will promptly complete the request without questioning the content.
Criminals often provide instructions for wiring money, along with account details, via email. More elaborate schemes instruct employees to wait for further instructions from a fictitious company lawyer or advisory firm.
Techniques to stop wire transfer fraud in its tracks:
- Carefully validate any new or changed payment instructions
- Speak with the requester using the on-file telephone number
- Encrypt all wire transfer authorizations; the attacker would need physical device access to send an encrypted email
- Carefully check the email headers for the origination address
- Require multiple approvals for large wire transfers
- Reply to the sender using the on-file email address only
- Use digital signatures for wire transfer emails
- Document a well-established process for wire transfers; train and test frequently
- Set up stronger authentication to validate wire transfers
- Investigate any suspicions before transferring money
- When in doubt, wait until 100% sure before transferring funds
If your business falls victim to phishing or wire transfer fraud, use the event as an opportunity to improve your internal controls and train your staff about fraud. In the fight against fraud, taking the time to follow well-documented processes—and always double-checking—is the key to staying safe.