[BreachExchange] How to prevent wire-transfer fraud: Tips for SMBs

Inga Goddijn inga at riskbasedsecurity.com
Mon Dec 24 18:33:59 EST 2018


https://www.techrepublic.com/article/how-to-prevent-wire-transfer-fraud-tips-for-smbs/

Phishing is very popular with cybercriminals. It is a method whereby
cybercriminals digitally defraud users; what is not often discussed is
what digital-scam artists do with the information they obtain.
One of the more lucrative digital crimes is fraudulent wire transfers.

*What are wire transfers?*

A wire transfer
<http://mysecurityawareness.com/article.php?article=393&title=whats-the-difference-between-ach-and-wire-transfers>,
according to MySecurityAwareness.com, is a near real-time bank-to-bank
transaction that allows one person to move money from her account directly
into someone else's account. "When a wire transfer is made, both account
holders are verified, as well as the amount of money in each account," adds
the My Security Awareness website.

*What is wire-transfer fraud?*

Wire-transfer fraud occurs when company employees are deceived by
fraudsters into wiring money to a bank account controlled by the scam artists.
"They (digital fraudsters) use language that might be specific to the
person or the company they are targeting and then request a fraudulent wire
transfer using dollar amounts that would not be out of the ordinary based
on the customer," explains this United Bank security notice
<https://www.bankatunited.com/security-center/wire-fraud-scams-cybercrime>.
"The cybercriminals use phishing emails and then leverage trusted
relationships between individuals who authorize wire transfers and those
who send them out."

The security article cautions that wire-transfer fraud is not specific to
businesses or organizations that make wire payments; rather, anyone can be
a victim of this type of cybercrime and should take every precaution to
protect against it.

*A lucrative example*

Under the right circumstances, information captured by phishing alone may be
enough to allow digital fraudsters to pretend to be a business contracted
by the company under attack. If it's not, attackers will use the scammed
information to access company computers and then steal the appropriate
sensitive financial data. Once the attackers are familiar with how a
company pays bills, whom the company pays regularly, and whether there are any
outstanding balances due, they can forge an invoice with new payment
instructions, including how to transfer money to the scammers' bank account.

It may seem like a lot of effort to make money, but it is successful enough
to get the FBI involved with Operation WireWire. "The operation resulted in
the seizure of nearly $2.4 million and the disruption and recovery of
approximately $14 million in fraudulent wire transfers," according to this June
2018 FBI press release
<https://www.fbi.gov/news/stories/international-bec-takedown-061118>. "The
devastating impacts these cases have on victims and victim companies affect
not only the individual businesses but also the global economy. Since the
Internet Crime Complaint Center (IC3) began formally keeping track of BEC
(Business Email Compromises) and its variant, e-mail account compromise
(EAC), there has been a loss of over $3.7 billion reported to the IC3."

*The impact of fraudulent wire transfers*

Security pundits at Wells Fargo
<https://www.wellsfargo.com/financial-education/basic-finances/manage-money/payments/safety-tips-wire-transfers/>
note that wire transfers are an immediate form of payment; once fraudsters
have obtained the funds, the wire transfer cannot be reversed. The authors
of the United Bank security notice suggest there are other losses besides
monetary ones:

   - The potential for damage to a company's reputation; and
   - The employee time required to repair damage and inform authorities
   about the fraudulent activity.

*Tips on how to prevent wire-transfer fraud*

The authors of the United Bank security notice
<https://www.bankatunited.com/Security-Center/Wire-Fraud-Scams-Cybercrime>
offer the following tips that company personnel should follow to protect
themselves and their employer from becoming victims of fraudulent wire
requests:

   - Confirm email requests from a known party by phone or in person in
   case their email has been hacked;
   - Be wary of e-mail-only wire transfer requests and requests involving
   urgency;
   - Monitor company bank accounts on a daily basis;
   - Immediately contact the involved banking institution and local police
   if there is any suspicion of wire-transfer fraud; and
   - Check the information included on a wire transfer—one typo could send
   the money to the wrong person or business.

Next are tips specific to businesses:

   - Make sure company policies and procedures regarding wire transfers and
   other banking activity are understood and practiced by employees;
   - Establish an employee-awareness program;
   - Businesses should establish procedures for incoming and outgoing
   payments;
   - If possible, require a second authenticator within your business for
   all wire transfer requests;
   - Make sure your employees know when a scam happens and how it was
   perpetrated, and motivate them to remain vigilant; and
   - Businesses should invest in a detailed review of their IT infrastructure
   and security that is reflective of the size of their respective business.

*Final considerations*

It is important enough to reiterate that wire transfers are an immediate
form of payment; once a scammer has obtained the wired funds, the transfer
*cannot* be reversed, even if the check is fraudulent.

If illegal activity is suspected, report the matter not only to local law
enforcement agencies and banking institutions but also to the Federal Trade
Commission via the FTC Complaint Assistant
<https://www.ftccomplaintassistant.gov/#crnt&panel1-1> or 1-877-FTC-HELP.