One of the most popular areas for payments fraud is wire transfers. That’s partly because criminals have limitless options for perpetrating wire fraud. There are many combinations of fraudulent approaches, and various points of compromise—such as malware transferred from a vendor to a customer, an email misleading an employee, or a call purporting to come from the CEO requesting a transfer of funds—can all result in a wire initiation that transfers funds fraudulently to criminals.
The result can be hugely damaging to the company that the fraudster targets. One recent example occurred when a U.S.-based escrow firm transmitted fraudulent wire payments to accounts in China and Russia totaling more than $1 million between December 2012 and February 2013. Less than a third of the lost funds were recovered, and the escrow firm was forced out of business.
Even when a wire fraud scheme doesn’t result in significant monetary losses immediately, the ripple effects can be serious. Costs incurred after a fraudulent wire transfer can include investigation of the crime, remediation for the account holder who suffered the loss, and litigation. There are also intangible costs such as eroded brand and reputational value, which can result in customer attrition—customers or account holders may cut ties with companies they do not trust to adequately protect their assets.
Companies of all sizes around the world are being targeted in wire fraud schemes, whose continued evolution is fueled by rapid technological changes along with the more traditional old-school social engineering. The most common tools in a wire fraudster’s toolkit include:
Phishing. Phishing is a common tactic for obtaining the personal information needed to compromise accounts, such as account names and passwords. A phisher will typically email employees at a particular company, purporting to be from a legitimate source and asking for information. This might entail the phisher requesting that an individual in an organization provide the email address of the CEO so that he or she can mail them a report. Or the phisher might request an email address of someone else in the organization to learn the construct of a specific email address so that it can be spoofed.
The concept of phishing can be applied over other technologies as well. For example, “vishing” is voicemail phishing and “SMishing” is phishing via SMS text messages on a smartphone. Over time, individuals and companies have become more aware of these techniques, which has diminished their success. Phishing emails are usually sent to thousands of email recipients at once in order to cast a wide net for potential victims. And like any good scammer, most phishers are always on the lookout for more sophisticated tools and techniques.
Spear phishing. A more sophisticated tactic for perpetrating wire fraud is spear phishing, or what the FBI has termed “business email compromise.” It is a tactic in which the fraudster sends an email that appears to be from a trusted source in an attempt to elicit certain actions from the email’s recipient. Often, a targeted email will request that finance staff or executives process a wire transfer to an external bank in order to make an urgent payment, such as paying an overdue invoice. The amount of the request is purposely chosen to mimic the company’s normal business transactions. The tailored approach and urgency often combine to convince employees to bypass or override internal controls or ignore typical procedures.
Social engineering. Social engineering enables a fraudster to obtain the information needed to make spear phishing messages appear legitimate. Fraudsters use information posted online to gather in-depth knowledge and credentials on prospective victims. For example, fraudsters will visit the company websites to obtain information about leadership, including phone numbers and email addresses.
LinkedIn provides a treasure trove of information. In fact, the growth in popularity of social media has provided attackers with a plethora of easily accessible information on an individual’s job, family, and personal life. Criminals will also use social media sites to gather in-depth knowledge on the targeted company, including but not limited to: chains of command, vendor partners with whom the target company likely transacts business, and company vocabulary/jargon.
Social media and corporate filings are just two areas that provide information to enable phishers to create a solid profile of the chain of command in an organization. This information can then be used to run a relatively inexpensive background check on an individual. The research helps the criminals to determine the best target recipient, as wire fraud requires the help of an employee with access to sensitive data or the authority to transfer company funds.
Email compromise. To legitimize the appearance of a fraudulent email, scammers may use a domain name that is similar to that of the real source—for example, johndoeCFO@abcccompany.com if an executive’s legitimate email is johndoeCFO@abccompany.com. More sophisticated fraudsters may instead be able to hack into the company’s actual domain and send fake payment requests from a legitimate internal account.
Using an internal account, a fraudster might email a wire request to another employee in the company. Alternatively, the fraudster might send an email directly to a financial institution with urgent instructions for a wire transfer. Emails used in these attacks, commonly referred to as “CEO fraud,” “business executive scams,” or “masquerading,” will not be caught by automated spam filters because they come from an internal source. And sometimes the emails are followed up with a phone call purporting to be from the originator of the fake email, providing further pressure to initiate a wire transfer. The scenarios are endless, limited only by the imaginations of prospective perpetrators of the fraud.
How a Company May Be Facilitating Fraud
Wire fraud schemes often succeed because of vulnerabilities within the targeted company. Poor authentication systems or security controls are ripe for exploitation. Insufficient monitoring of wire transfer behavior (e.g., review of network logs) can allow suspicious and fraudulent activity to go unnoticed, while outdated cybercrime response procedures can hinder the company’s ability to react quickly enough to stop a fraudulent outgoing wire.
A dual-approval payments process may reduce risk, but in many companies it’s perfunctory, with one employee simply rubber-stamping the actions of the other, which renders the dual approvals ineffective. And top-down organizations with a high-pressure internal environment face an increased chance of being victimized. Employees who fear upsetting management are less likely to question suspicious activity.
In addition, companies that publicly disclose information about the C-suite, about members of the treasury function, or about their organizational structure provide fraudsters a map of who to target. Listing email addresses on a company website can clue a scammer in to the naming convention of corporate addresses, which he or she can use to guess the email address of almost any employee in the company.
The largest vulnerability, however, lies in a failure to train employees in how to shut down social engineering/spear phishing schemes. These attacks take advantage of human vulnerabilities, and employees who are unaware of the latest fraud schemes may not be able to spot the red flags for suspicious behavior. Any stakeholder who does not understand the dangers that these types of threats pose may be subject to such an attack.
How to Protect Your Organization
There is no silver bullet, and risk mitigation starts with assessing the company’s current vulnerabilities. In addition to educating employees about characteristics of payment requests that should raise red flags, companies can take the following steps to reduce their risk of wire fraud:
Establish social media protocols. Companies should develop and enforce a strong policy prohibiting employees from revealing classified or proprietary business information on social media. Information that should be off-limits includes details on corporate functions, organization, and infrastructure. The company should attempt to control the flow of any information that might enable a third party to put together a decent profile of whom to target for payments fraud in the organization. In today’s environment, that is not always feasible, but the question needs to be asked: What is the benefit of providing this information in a certain context, and does the benefit outweigh the risk? Corporate policy should also clarify the employee’s obligations concerning online publication of company information.
In theory, controlling what information is made public, particularly on social media sites, can make it much more difficult for hackers to obtain the information they need to perpetrate a spear phishing attack. But, in reality, many public companies find it difficult to fully control the flow of corporate information due to all of the disclosures that are required of them.
Mandate the use of checks and balances. To combat wire fraud, treasury and finance functions should implement a system of checks and balances for managing requests of sensitive corporate information and for handling urgent wire transfers. Staff should understand that regardless of the perceived urgency of a request, they cannot circumvent the company’s defined procedures.
Policies should require employees to validate payment requests—in a way that is not perfunctory in nature—with trusted contacts in accounting before authorizing any transfer of funds. Likewise, changes to payment recipients’ banking information should require independent verification and authentication.
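The two controls just described (a second approver who is not the requester, and independent verification of any change to a payee's bank details) can be encoded so that the payment system refuses to release a wire until they are satisfied. The following is an added example, not code from the article or any KPMG tool: it checks a wire request against a vendor master, requires that a changed bank account be confirmed by a callback to the phone number of record rather than a number supplied in the request, and requires that neither the approval nor the callback be performed by the requester. The vendor records, request ids and phone numbers are constructed.

```python
"""Release check for an outgoing wire: segregation of duties plus out-of-band
verification of bank-detail changes. Added example; not the article's code.
All vendor data, ids and phone numbers are constructed."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    bank_account: str   # account of record
    contact_phone: str  # number captured at onboarding, never taken from an incoming email


@dataclass(frozen=True)
class Verification:
    performed_by: str   # employee who made the callback
    phone_used: str     # number actually dialled
    confirmed: bool


@dataclass(frozen=True)
class BankChange:
    vendor_id: str
    new_account: str
    verification: Optional[Verification] = None


@dataclass(frozen=True)
class WireRequest:
    request_id: str
    vendor_id: str
    amount: float
    bank_account: str           # account the request asks us to pay
    requested_by: str
    approved_by: Optional[str] = None
    bank_change: Optional[BankChange] = None


def release_decision(req: WireRequest, master: dict) -> tuple:
    """Return (ok, problems). The wire may be released only when problems is empty."""
    problems = []
    vendor = master.get(req.vendor_id)
    if vendor is None:
        problems.append("vendor not in master file")
    if req.approved_by is None:
        problems.append("second approver missing")
    elif req.approved_by == req.requested_by:
        problems.append("approver must differ from requester")
    if vendor is not None and req.bank_account != vendor.bank_account:
        chg = req.bank_change
        if chg is None or chg.new_account != req.bank_account:
            problems.append("bank account differs from account of record and no change request covers it")
        else:
            v = chg.verification
            if v is None or not v.confirmed:
                problems.append("bank change not confirmed out of band")
            else:
                if v.phone_used != vendor.contact_phone:
                    problems.append("callback used a number not on file")
                if v.performed_by == req.requested_by:
                    problems.append("callback performed by the requester")
    return (not problems, problems)


# Constructed vendor master and a baseline request that satisfies every control
MASTER = {"V-ACME": VendorRecord("V-ACME", "US-111222333", "+1-555-0100")}
GOOD = WireRequest("R-1", "V-ACME", 10050.0, "US-111222333",
                   requested_by="alice", approved_by="bob")

if __name__ == "__main__":
    cases = {
        "good": GOOD,
        "self-approved": replace(GOOD, approved_by="alice"),
        "new account, unverified": replace(GOOD, bank_account="CN-999"),
        "new account, callback to number in email": replace(
            GOOD, bank_account="CN-999",
            bank_change=BankChange("V-ACME", "CN-999", Verification("carol", "+1-555-0199", True))),
        "new account, callback to number on file": replace(
            GOOD, bank_account="CN-999",
            bank_change=BankChange("V-ACME", "CN-999", Verification("carol", "+1-555-0100", True))),
    }
    for label, req in cases.items():
        print(f"{label:45} -> {release_decision(req, MASTER)}")
```

The point of keeping the phone number of record inside the vendor master is that a fraudulent change request usually arrives with its own "new" contact details; a callback to those only confirms the request with the fraudster, which is the perfunctory validation the article warns against.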
Perform a risk assessment. By conducting a formal assessment of where it faces the most payments-fraud risk, a company can focus its fraud-prevention efforts on the areas that require the highest level of scrutiny. It can also educate employees about the areas of the business in which suspicious activity is most likely to occur.
Fraudsters are able to mimic some aspects of a legitimate transaction, such as computer location by way of an IP address, but they cannot mimic all aspects of normal behavior. Some examples of behavioral monitoring include account and IP profiling, comparison with past transactions based on size and destination, and review of the timing of transactions—i.e., normal course of business vs. expedited. An organization should set the parameters of “normal” to match its specific needs.
Guardian Analytics stresses the benefits of using a behavior-based approach versus a rules-based approach. Behavioral analytics examine the behavior of both a payment’s originator and its beneficiary to detect abnormal activity, allowing greater flexibility and adaptability compared with using a rules engine to flag suspicious activity. For instance, if a wire transfer that is initiated falls outside the parameters of the normal activity of the initiator—or the recipient—then it would be flagged as potentially problematic. The company does need to maintain a database of historical transactions so that out-of-the-ordinary transactions can be identified.
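The behavioral approach described in the last two paragraphs (profiling the originator and the beneficiary from historical transactions and flagging a wire that departs from either) is shown below as an added example; it is not Guardian Analytics' product or code from the article. It builds per-originator profiles of amount, payees, destination countries, source subnets and hours of day, plus per-beneficiary amount profiles, from a constructed history, and returns the list of ways a new wire departs from those baselines. The sample wire that gets flagged deliberately comes from the originator's usual subnet, illustrating the article's point that an attacker can mimic the IP address but not every aspect of normal behavior. All ids, addresses, amounts, timestamps and thresholds are constructed assumptions.

```python
"""Behavior-based screening of an outgoing wire against historical activity.

Added example; not Guardian Analytics' product or code from the article.
All ids, IPs, amounts, timestamps and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Wire:
    originator: str    # user who keyed the wire
    beneficiary: str   # payee account id
    dest_country: str  # country of the receiving bank
    amount: float
    src_ip: str        # workstation that initiated the wire
    when: datetime


def subnet(ip: str) -> str:
    """/24 prefix: profiling on the subnet tolerates address churn inside an office."""
    return ".".join(ip.split(".")[:3])


def build_profiles(history):
    """Per-originator and per-beneficiary baselines from past wires."""
    origs = defaultdict(lambda: {"amounts": [], "beneficiaries": set(), "countries": set(),
                                 "subnets": set(), "hours": set()})
    benes = defaultdict(lambda: {"amounts": []})
    for w in history:
        o = origs[w.originator]
        o["amounts"].append(w.amount)
        o["beneficiaries"].add(w.beneficiary)
        o["countries"].add(w.dest_country)
        o["subnets"].add(subnet(w.src_ip))
        o["hours"].add(w.when.hour)
        benes[w.beneficiary]["amounts"].append(w.amount)
    return origs, benes


def amount_ceiling(amounts, k=3.0, floor_frac=0.05):
    """mean + k*sd, with sd floored at a fraction of the mean so that a very
    flat history still tolerates ordinary variation."""
    mu = mean(amounts)
    return mu + k * max(pstdev(amounts), floor_frac * mu)


def screen(history, wire, min_history=3):
    """Return {'flagged': bool, 'reasons': [...]} for one new wire."""
    origs, benes = build_profiles(history)
    if wire.originator not in origs:
        return {"flagged": True, "reasons": ["originator:no-history"]}
    o = origs[wire.originator]
    reasons = []
    if wire.beneficiary not in o["beneficiaries"]:
        reasons.append("beneficiary:new-for-originator")
    if wire.dest_country not in o["countries"]:
        reasons.append("country:new-for-originator")
    if subnet(wire.src_ip) not in o["subnets"]:
        reasons.append("ip:new-subnet")
    lo, hi = min(o["hours"]), max(o["hours"])
    if not (lo - 1 <= wire.when.hour <= hi + 1):
        reasons.append("hour:outside-window")
    if len(o["amounts"]) >= min_history and wire.amount > amount_ceiling(o["amounts"]):
        reasons.append("amount:above-originator-baseline")
    b = benes.get(wire.beneficiary)
    if b and len(b["amounts"]) >= min_history and wire.amount > amount_ceiling(b["amounts"]):
        reasons.append("amount:above-beneficiary-baseline")
    return {"flagged": bool(reasons), "reasons": reasons}


# Constructed history: one treasury user paying two established vendors in office hours
HISTORY = [
    Wire("treasury-ops-1", "VENDOR-ACME", "US", 9800.0, "10.20.30.11", datetime(2013, 1, 7, 9)),
    Wire("treasury-ops-1", "VENDOR-ACME", "US", 10400.0, "10.20.30.11", datetime(2013, 1, 14, 10)),
    Wire("treasury-ops-1", "VENDOR-ACME", "US", 10100.0, "10.20.30.12", datetime(2013, 1, 21, 11)),
    Wire("treasury-ops-1", "VENDOR-ACME", "US", 9900.0, "10.20.30.11", datetime(2013, 1, 28, 14)),
    Wire("treasury-ops-1", "VENDOR-ACME", "US", 10200.0, "10.20.30.11", datetime(2013, 2, 4, 16)),
    Wire("treasury-ops-1", "VENDOR-ZETA", "GB", 4200.0, "10.20.30.11", datetime(2013, 1, 9, 15)),
    Wire("treasury-ops-1", "VENDOR-ZETA", "GB", 4100.0, "10.20.30.12", datetime(2013, 1, 23, 10)),
    Wire("treasury-ops-1", "VENDOR-ZETA", "GB", 4300.0, "10.20.30.11", datetime(2013, 2, 6, 13)),
]
# A routine payment and a wire keyed from the usual subnet but otherwise out of pattern
LEGIT_WIRE = Wire("treasury-ops-1", "VENDOR-ACME", "US", 10050.0, "10.20.30.11",
                  datetime(2013, 2, 11, 11))
SUSPECT_WIRE = Wire("treasury-ops-1", "NEW-ACCT-CN", "CN", 250000.0, "10.20.30.15",
                    datetime(2013, 2, 11, 19))

if __name__ == "__main__":
    print("legit  ->", screen(HISTORY, LEGIT_WIRE))
    print("suspect->", screen(HISTORY, SUSPECT_WIRE))
```

The sigma multiplier, the sample-size minimum and the one-hour margin around the observed working window are the "parameters of normal" that the article says each organization must set for itself; in practice they are tuned against the firm's own transaction history, and a flag feeds the dual-approval step rather than blocking the wire outright.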
Focus on IT governance. Regularly updating technology systems is critical to deter hackers from exploiting known vulnerabilities. There are anti-phishing technologies available that can help filter out some of the more generic attacks. Automated mail scanners can also be used to block and remove emails from known malicious email addresses.
Choosing the right technology for the corporate infrastructure is also important. The FBI reports that businesses using open-source email systems are most often targeted. Special tools for authentication add a level of difficulty for hackers. Physical and software verification tokens can introduce additional validation steps before an individual can access sensitive information. Secure email platforms and websites are also options for creating additional verification steps when transmitting certain information.
Employ appropriate response, reporting, and remediation processes. While it is important to implement proactive measures to prevent the initiation of fraudulent payments, it is equally important for companies to have robust reactive measures in place. The company’s risk assessment should go hand-in-hand with a strong monitoring program designed to identify unusual behavior. And employees should be familiar with procedures to report suspicious activity. Management should encourage transparency and provide incentives to employees to share information.
Beyond internal reporting, the FBI also stresses the importance of reporting incidents to local, state, and/or federal authorities. The joint effort against cyber criminals can help companies recover losses and pursue legal action. For purposes of further investigation, companies should retain all original documentation, emails, faxes, and logs of telecommunications.
Once a crime has been disclosed, the company should put in place an external and internal communications strategy to deter and respond to negative press coverage, as well as provide assurance to both employees and clients about continuing business operations. Falling victim to fraud inevitably leads to a loss of confidence in the company, but dealing with the issue swiftly and effectively can help retain integrity and win back trust.
Beef up Finance Protections
As business technologies evolve rapidly, fraudsters are taking advantage of companies that are slow to adapt. And as attacks on executives and staff in the treasury function become more prevalent, companies must adopt strong training programs and resilient policies to prevent the fraudulent transfer of funds. All employees need to understand why it’s important to follow protocol and to resist the temptation to override controls for the sake of urgency.
By establishing both proactive and reactive measures for dealing with wire frauds, companies can avoid becoming the next big headline. Remember, fraudsters are targeting your finance function because that is where the money is. That’s the best reason you have to protect it.
Ronald Plesco is an advisory principal and the national lead of the KPMG LLP Cyber Investigations, Intelligence, and Analytics practice. He is an internationally known information security and privacy attorney with 17 years’ experience in cyber investigations, information assurance, privacy, identity management, computer crime, and emerging cyber threats and technology solutions. Prior to joining KPMG, Plesco was the CEO of the National Cyber Forensics and Training Alliance (NCFTA), where he managed the development of intelligence that led to over 400 worldwide cybercrime arrests in four years and prevented over $2 billion in fraud.
Guido van Drunen is a principal in the KPMG LLP Forensic Advisory Services. He has more than 30 years’ experience providing forensic/investigative accounting, security and investigative services, and other financial advisory services to clients. He has worked in law enforcement in two countries and in the private sector, where he created and ran a special investigations unit for a Fortune 50 company, among other ventures.
Nicholas Campbell, manager in KPMG LLP Forensic Advisory Services, and Andra Marcoci, associate in KPMG LLP Forensic Advisory Services, contributed to this article.