We’ve seen a pickup in costly fraudulent wire transfers.
Digital criminals are doing really well right now. They typically make money by (i) stealing corporate data, (ii) threatening to disrupt operations and demanding a ransom (e.g., ransomware attacks), and (iii) committing online fraud, in which cybercriminals digitally defraud employees in the accounts team. One of the most lucrative methods is fraudulent wire transfers.
What are wire transfers?
A wire transfer is a nearly real-time bank-to-bank transaction that allows one person to move money from their account directly into someone else's account.
What is wire transfer fraud?
Wire transfer fraud occurs when company employees are deceived by fraudsters into wiring money to a bank account controlled by the scam artists.
"They (digital fraudsters) use language that might be specific to the person or the company they’re targeting with invoices and emails often looking identical to a real one except for the banking details. The fraud is so prevalent because they do their research and know the target, so when the request is made for a fraudulent wire transfer, it will not be out of the ordinary for the target to receive it," explains Neal Jardine, Cyber Practice Leader at Crawford and Company. "The cybercriminals use phishing emails to gain insight into their targets' behaviours and then leverage trusted relationships between individuals."
It will happen to your clients
All businesses must accept the fact that at some point their systems or networks will very likely experience an unauthorized intrusion of some kind. Wire-transfer fraud is not specific to businesses or organizations that make wire payments; rather, anyone can be a victim of this type of cybercrime and should take every precaution to protect against it.
SEE: Phishing and spearphishing: A cheat sheet for business professionals (TechRepublic)
Speed of response is vital
In the incident we were involved in last week, digital fraudsters became familiar with how the company paid suppliers, who the company paid regularly, and whether there were any outstanding balances due. They were then able to alter an invoice to carry their own payment instructions, and the business transferred money to the scammers' bank account.
The wire transfer was for several hundred thousand dollars. Luckily, the client contacted us immediately on discovering the mistake, the Hackbusters were on the case in minutes, and the bank was able to retrieve their funds. They were lucky; many are not.
Fraudulent wire transfers cause more than financial pain
There are other losses besides monetary ones:
The potential for damage to a company's reputation; and
The employee time required to repair damage and inform authorities about the fraudulent activity.
Tips on how to prevent wire transfer fraud
Five basic tips that employees should follow to protect themselves:
Confirm email requests from both outside parties and internal parties by phone or video in case their email has been hacked. Be wary of email-only wire transfer requests and requests involving urgency.
Question why a company is changing its bank payment details.
Monitor company bank accounts on a daily basis.
Check the information included on a wire transfer. One typo could send the money to the wrong person or business.
Immediately contact the involved banking institution and local police if there is any suspicion of wire-transfer fraud.
Five specific tips for business owners and senior management:
Make sure company policies and procedures regarding wire transfers and other banking activity are understood and practiced by employees.
Deliver an employee-cyber awareness program such as the BOXX Academy.
Businesses should establish procedures for incoming and outgoing payments.
If possible, require a second authenticator for all wire transfer requests over $5,000.
Make sure your employees know when a scam happens and how it was perpetrated, and motivate them to remain vigilant.
SEE: Security awareness training policy (BOXX Academy – free for Cyberboxx members)
If it does happen…
Be prepared. If illegal activity is suspected, it’s imperative to contact local law enforcement agencies and banking institutions immediately and, of course, the BOXX Hackbusters are here to help if you are a Cyberboxx member.
CEO & Co-Founder of BOXX Insurance Inc.