As finance departments get duped via wire fraud, four tips to lower risk
December 15, 2015 | by Charles Keenan
While the deluge of cyber attacks seems never-ending, one particular type of crime stands out for its perpetrators' mix of street smarts and tech savvy, sometimes draining company coffers to the tune of tens of millions of dollars.
With this scam, referred to as "business email compromise," fraudsters infiltrate company networks, posing as insiders to extract illicit wire transfers and duping managers along the way. Victims in the United States reported $748 million in losses from October 2013 through August 2015, according to the FBI's Internet Crime Complaint Center. And this is only what's being reported – the real dollar amount is likely much higher.
"It's clear to us [wire fraud] is not abating and it continues to be a significant threat," says Maxwell Marker, a section chief in the transnational organized crime unit at the FBI.
Some attacks have led to big losses. Ubiquiti Networks Inc., a technology company, disclosed in August that cyber criminals stole about $47 million by impersonating employees and targeting the finance department, according to an August filing with the Securities and Exchange Commission. Xoom Corp., an online money transfer provider, discovered an illicit payment of $31 million to overseas accounts in December 2014.
One part tech, one part savvy
In the scam, perpetrators obtain administrator passwords, often through malware sent in an email, giving them access to a company's network. Once in, the hackers can then rifle through emails, carefully studying how a company conducts its wire transfers and adopting the parlance of its executives. They also use LinkedIn to learn how the executive hierarchy works. The criminals then pose as an executive of the company, giving instructions to the home office to initiate a wire transfer. Often the payment is made to a website that is one digit or letter off from that of the legitimate domain name.
The fraudsters also use urgency to get managers to act, with phrases such as "needs to go out today," "need you to take care of" and "now." The criminals, suspected to be members of organized crime groups from Africa, Eastern Europe and the Middle East, tend to focus on businesses that have foreign suppliers or those that regularly perform wire transfer payments, according to the FBI.
"These guys are good enough that they watch the communications over time, so they are able to mimic those communications very well," Marker says. "These look legitimate – like they came from persons of authority within the companies. So a lot of times there's a reluctance to question that type of authority."
Shoring up the defenses
While it seems like common sense to have the right controls in place, why do fraudsters still get away with it, especially at a time when there's so much publicity about email fraud and cybersecurity? There's a common misconception that "it won’t happen to me," says David Pollino, fraud prevention officer at $73 billion-asset Bank of the West, a San Francisco subsidiary of Paris-based BNP Paribas Group. "Thinking about controls is sometimes an afterthought."
Generally, if the money gets transferred, companies are out of luck. "ACH transfers tend to disappear pretty quickly if they are done fraudulently," says Howard Greenstein, chief operating officer of DomainSkate, a New York-based provider that helps companies monitor malicious domain names. "It is frightening."
That means a renewed focus on prevention, experts say. Companies can go a long way to reduce risk from the scam by using the following strategies:
1. Strengthen technology. Blocking the intruders is the first line of defense, through methods like using software designed to detect intrusions and monitoring email traffic for anomalies. Vendors can also monitor illicit use of domains outside of the company and help identify which ones are real threats. DomainSkate, for example, scans hundreds of millions of domains each day and alerts companies to registered domains that could cause harm to their brands. "Companies should be looking for mistyped domains," Greenstein says. But even so, the proliferation of domain extensions has made it easier than ever to make a name look legitimate, he adds. "There is a wide range of possible places to register a name online."
2. Institute multifactor authentication. A phone call to the executive who supposedly requested the transfer is the simplest second way to authenticate a transaction. Multifactor authentication generally also includes other tools such as tokens and biometrics. Electronically signed email is another method. Each factor reduces risk. "You can get that next level of confidence that the request is legitimate," Greenstein says.
3. Change the culture. "You need to instill a healthy dose of skepticism in the workforce," Marker says. Ego needs to be taken out of the equation. "A lot of that is going to come down to leadership not being offended by the fact that somebody confirms their identity," he adds. "It's going to take a culture shift to empower these folks who are moving these transactions to take that step back and say, 'Is this really legitimate, and is it something I really should push forward on, or do I need to have a second step?'"
4. Use standard financial controls. It's hard to believe companies don't use all the standard financial controls, but as Pollino states, there's a common mentality among many executives who think it won't happen to them. Develop an approval process for large transactions, use a purchase-order model for wire transfers, confirm (and reconfirm) the transactions and stay in touch with the bank, Pollino says. He also suggests companies put themselves in the shoes of a criminal. "Think through these scams," he says. "Create controls that are appropriate for the business. Having these controls in place can really help maintain the viability of the business and minimize unnecessary losses."
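As an added example (not from the article or from the vendors it quotes), the following Python check applies the "mistyped domain" idea from tip 1 to the "one digit or letter off" domains described earlier: it flags any sender domain that is within one edit of a trusted domain without matching it exactly. The trusted-domain allowlist and the sample From: headers are constructed for illustration.

```python
"""Flag sender domains one edit away from a trusted domain (added example)."""
import re

# Constructed allowlist: domains the finance team legitimately deals with.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplier.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character insertions,
    deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the lowercased domain from 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower().rstrip(".") if m else ""


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance=1) -> str:
    """Return 'trusted' for an exact allowlist match, 'lookalike' for a
    domain within max_distance edits of a trusted one (e.g. '1' for 'l',
    a dropped letter), otherwise 'unknown'. Lookalikes deserve the
    out-of-band confirmation described in tip 2 before any wire goes out."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    if any(edit_distance(domain, t) <= max_distance for t in trusted):
        return "lookalike"
    return "unknown"


# Constructed sample From: headers, as a mail filter would see them.
SAMPLE_SENDERS = [
    "CFO <cfo@example-corp.com>",        # genuine
    "CFO <cfo@examp1e-corp.com>",        # digit '1' in place of 'l'
    "Accounts <ap@acme-supplier.co>",    # trailing letter dropped
    "Vendor <sales@totally-other.org>",  # unrelated domain
]


def scan(senders=SAMPLE_SENDERS) -> dict:
    """Classify each sender; lookalikes should block the transfer for review."""
    return {s: classify_sender(s) for s in senders}
```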
Put another way, prevention efforts are a must. "This is something that is critical," Pollino says. "A seven or eight-figure loss – even at a medium-sized or large company – could mean the difference between making money and the ability to stay in business."