One of the most popular areas for payments fraud is wire transfers. That's partly because criminals have limitless options for perpetrating wire fraud. There are many combinations of fraudulent approaches, and various points of compromise—such as malware transferred from a vendor to a customer, an email misleading an employee, or a call from the CEO requesting a transfer of funds—all can result in a wire initiation that transfers funds fraudulently to criminals.

The result can be hugely damaging to the company that the fraudster targets. One recent example occurred when a U.S.-based escrow firm transmitted fraudulent wire payments to accounts in China and Russia totaling more than $1 million between December 2012 and February 2013. Less than a third of the lost funds were recovered, and the escrow firm was forced out of business.

Even when a wire fraud scheme doesn't result in significant monetary losses immediately, the ripple effects can be serious. Costs incurred after a fraudulent wire transfer can include investigation of the crime, remediation for the account holder who suffered the loss, and litigation. There are also intangible costs such as eroded brand and reputational value, which can result in customer attrition—customers or account holders may cut ties with companies they do not trust to adequately protect their assets.

Companies of all sizes around the world are being targeted in wire fraud schemes, whose continued evolution is fueled by rapid technological changes along with the more traditional old-school social engineering. The most common tools in a wire fraudster's toolkit include:

Phishing. Phishing is a common tactic for obtaining the personal information needed to compromise accounts, such as account names and passwords. A phisher will typically email employees at a particular company, purporting to be from a legitimate source and asking for information. This might entail the phisher requesting that an individual in an organization provide the email address of the CEO so that he or she can mail them a report. Or the phisher might request an email address of someone else in the organization to learn the construct of a specific email address so that it can be spoofed.

The concept of phishing can be applied over other technologies as well. For example, “vishing” is voicemail phishing and “SMishing” is phishing via SMS text messages on a smartphone. Over time, individuals and companies have become more aware of these techniques, which has diminished their success. Phishing emails are usually sent to thousands of email recipients at once in order to cast a wide net for potential victims. And like any good scammer, most phishers are always on the lookout for more sophisticated tools and techniques.

Spear phishing. A more sophisticated tactic for perpetrating wire fraud is spear phishing, or what the FBI has termed “business email compromise.” It is a tactic in which the fraudster sends an email that appears to be from a trusted source in an attempt to elicit certain actions from the email's recipient. Often, a targeted email will request that finance staff or executives process a wire transfer to an external bank in order to make an urgent payment, such as paying an overdue invoice. The amount of the request is purposely chosen to mimic the company's normal business transactions. The tailored approach and urgency often combine to convince employees to bypass or override internal controls or ignore typical procedures.

Social engineering. Social engineering enables a fraudster to obtain the information needed to make spear phishing messages appear legitimate. Fraudsters use information posted online to gather in-depth knowledge and credentials on prospective victims. For example, fraudsters will visit the company websites to obtain information about leadership, including phone numbers and email addresses.

LinkedIn provides a treasure trove of information. In fact, the growth in popularity of social media has provided attackers with a plethora of easily accessible information on an individual's job, family, and personal life. Criminals will also use social media sites to gather in-depth knowledge on the targeted company, including but not limited to: chains of command, vendor partners with whom the target company likely transacts business, and company vocabulary/jargon.

Social media and corporate filings are just two areas that provide information to enable phishers to create a solid profile of the chain of command in an organization. This information can then be used to run a relatively inexpensive background check on an individual. The research helps the criminals to determine the best target recipient, as wire fraud requires the help of an employee with access to sensitive data or the authority to transfer company funds.

Email compromise. To legitimize the appearance of a fraudulent email, scammers may use a domain name that is similar to that of the real source—for example, [email protected] if an executive's legitimate email is [email protected]. More sophisticated fraudsters may instead be able to hack into the company's actual domain and send fake payment requests from a legitimate internal account.

Using an internal account, a fraudster might email a wire request to another employee in the company. Alternatively, the fraudster might send an email directly to a financial institution with urgent instructions for a wire transfer. Emails used in these attacks, commonly referred to as “CEO fraud,” “business executive scams,” or “masquerading,” will not be caught by automated spam filters because they come from an internal source. And sometimes the emails are followed up with a phone call purporting to be from the originator of the fake email, providing further pressure to initiate a wire transfer. The scenarios are endless, limited only by the imaginations of prospective perpetrators of the fraud.
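
One defensive check a mail gateway or finance mailbox filter can apply to the look-alike-domain trick described above is to compare each sender's domain against the organization's own domain, both by edit distance and after collapsing characters that look alike. This is an added example, not code from the article or from KPMG; the trusted domain, the sample From: headers and the homoglyph list are constructed assumptions.

```python
"""Flag sender domains that imitate an organization's own mail domain.

Added example, not part of the article. The trusted domain and the
sample From: addresses used with it are constructed placeholders.
"""
from email.utils import parseaddr

# Constructed placeholder for the organization's real mail domain.
TRUSTED_DOMAINS = {"example-corp.com"}

# Character sequences that read alike in common fonts (assumed, partial list).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse look-alike sequences so 'exarnple' and 'example' compare equal."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS.items():
        d = d.replace(src, dst)
    return d


def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a raw From: header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        # A compromised internal account passes this check unchanged; that case
        # is what dual approval and behavioral monitoring have to catch.
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted):
            return "lookalike"
        if levenshtein(domain, trusted) <= max_distance:
            return "lookalike"
    return "external"
```

A "lookalike" verdict is a reason to route the message for out-of-band verification of any payment instruction it carries, not proof of fraud on its own.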

How a Company May Be Facilitating Fraud

Wire fraud schemes often succeed because of vulnerabilities within the targeted company. Poor authentication systems or security controls are ripe for exploitation. Insufficient monitoring of wire transfer behavior (e.g., review of network logs) can allow suspicious and fraudulent activity to go unnoticed, while outdated cybercrime response procedures can hinder the company's ability to react quickly enough to stop a fraudulent outgoing wire.

A dual-approval payments process may reduce risk, but in many companies it's perfunctory, with one employee simply rubber-stamping the actions of the other, which renders the dual approvals ineffective. And top-down organizations with a high-pressure internal environment face an increased chance of being victimized. Employees who fear upsetting management are less likely to question suspicious activity.

In addition, companies that publicly disclose information about the C-suite, about members of the treasury function, or about their organizational structure provide fraudsters a map of who to target. Listing email addresses on a company website can clue a scammer in to the naming convention of corporate addresses, which he or she can use to guess the email address of almost any employee in the company.

The largest vulnerability, however, lies in a failure to train employees in how to shut down social engineering/spear phishing schemes. These attacks take advantage of human vulnerabilities, and employees who are unaware of the latest fraud schemes may not be able to spot the red flags for suspicious behavior. Any stakeholder who does not understand the dangers that these types of threats pose may be subject to such an attack.

How to Protect Your Organization

There is no silver bullet, and risk mitigation starts with assessing the company's current vulnerabilities. In addition to educating employees about characteristics of payment requests that should raise red flags, companies can take the following steps to reduce their risk of wire fraud:

Establish social media protocols. Companies should develop and enforce a strong policy prohibiting employees from revealing classified or proprietary business information on social media. Information that should be off-limits includes details on corporate functions, organization, and infrastructure. The company should attempt to control the flow of any information that might enable a third party to put together a decent profile of whom to target for payments fraud in the organization. In today's environment, that is not always feasible, but the question needs to be asked: What is the benefit of providing this information in a certain context, and does the benefit outweigh the risk? Corporate policy should also clarify the employee's obligations concerning online publication of company information.

In theory, controlling what information is made public, particularly on social media sites, can make it much more difficult for hackers to obtain the information they need to perpetrate a spear phishing attack. But, in reality, many public companies find it difficult to fully control the flow of corporate information due to all of the disclosures that are required of them.

Mandate the use of checks and balances. To combat wire fraud, treasury and finance functions should implement a system of checks and balances for managing requests of sensitive corporate information and for handling urgent wire transfers. Staff should understand that regardless of the perceived urgency of a request, they cannot circumvent the company's defined procedures.

Policies should require employees to validate payment requests—in a way that is not perfunctory in nature—with trusted contacts in accounting before authorizing any transfer of funds. Likewise, changes to payment recipients' banking information should require independent verification and authentication.

Perform a risk assessment. By conducting a formal assessment of where it faces the most payments-fraud risk, a company can focus its fraud-prevention efforts on the areas that require the highest level of scrutiny. It can also educate employees about the areas of the business in which suspicious activity is most likely to occur.

Fraudsters are able to mimic some aspects of a legitimate transaction, such as computer location by way of an IP address, but they cannot mimic all aspects of normal behavior. Some examples of behavioral monitoring include account and IP profiling, comparison with past transactions based on size and destination, and review of the timing of transactions—i.e., normal course of business vs. expedited. An organization should set the parameters of “normal” to match its specific needs.

Guardian Analytics stresses the benefits of using a behavior-based approach versus a rules-based approach. Behavioral analytics examine the behavior of both a payment's originator and its beneficiary to detect abnormal activity, allowing greater flexibility and adaptability compared with using a rules engine to flag suspicious activity. For instance, if a wire transfer that is initiated falls outside the parameters of the normal activity of the initiator—or the recipient—then it would be flagged as potentially problematic. The company does need to maintain a database of historical transactions so that out-of-the-ordinary transactions can be identified.
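
The behavioral monitoring described in the two paragraphs above (account and IP profiling, size and destination compared against past transactions, timing, and a look at the beneficiary as well as the initiator) can be sketched as a review function that scores a new wire against the initiator's approved history. This is an added illustration, not Guardian Analytics' product logic or code from the article; the history records, thresholds and field names are constructed assumptions, and a real deployment would tune the "normal" parameters per organization as the text recommends.

```python
"""Behavior-based wire review against an initiator's approved history.

Added example, not from the article. HISTORY and all thresholds are
constructed; a production system would load them from the company's
transaction database and tune them to its own definition of "normal".
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Wire:
    initiator: str     # employee who keyed the wire
    beneficiary: str   # destination account id (constructed placeholder)
    amount: float
    src_ip: str        # workstation address the request came from
    hour: int          # local hour the wire was initiated
    expedited: bool    # same-day / urgent processing requested


# Constructed history of previously approved wires (the baseline).
HISTORY = [
    Wire("alice", "acct-100", 12000, "10.0.0.5", 10, False),
    Wire("alice", "acct-100", 11500, "10.0.0.5", 11, False),
    Wire("alice", "acct-200", 13200, "10.0.0.5", 14, False),
    Wire("alice", "acct-200", 12800, "10.0.0.7", 15, False),
    Wire("bob", "acct-300", 4000, "10.0.1.9", 9, False),
]


def review_wire(wire, history=HISTORY, z_limit=2.0, min_history=3):
    """Return the reasons a wire deviates from its initiator's normal pattern.

    An empty list means nothing unusual was observed; a non-empty list is a
    prompt for out-of-band verification before release, not an automatic block.
    """
    mine = [h for h in history if h.initiator == wire.initiator]
    if len(mine) < min_history:
        return ["insufficient history for initiator"]
    reasons = []
    amounts = [h.amount for h in mine]
    mu, sigma = mean(amounts), pstdev(amounts)
    if sigma and abs(wire.amount - mu) / sigma > z_limit:
        reasons.append(f"amount {wire.amount:.0f} is more than {z_limit} std devs from mean {mu:.0f}")
    if wire.beneficiary not in {h.beneficiary for h in mine}:
        reasons.append("first wire from this initiator to this beneficiary")
    if wire.beneficiary not in {h.beneficiary for h in history}:
        reasons.append("beneficiary never paid by anyone in the company")
    if wire.src_ip not in {h.src_ip for h in mine}:
        reasons.append("initiated from an IP never used by this initiator")
    hours = [h.hour for h in mine]
    if not min(hours) <= wire.hour <= max(hours):
        reasons.append("initiated outside initiator's usual hours")
    if wire.expedited and not any(h.expedited for h in mine):
        reasons.append("expedited request from an initiator who never expedites")
    return reasons
```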

Focus on IT governance. Regularly updating technology systems is critical to deter hackers from exploiting known vulnerabilities. There are anti-phishing technologies available that can help filter out some of the more generic attacks. Automated mail scanners can also be used to block and remove emails from known malicious email addresses.

Choosing the right technology for the corporate infrastructure is also important. The FBI reports that businesses using open-source email systems are most often targeted. Special tools for authentication add a level of difficulty for hackers. Physical and software verification tokens can introduce additional validation steps before an individual can access sensitive information. Secure email platforms and websites are also options for creating additional verification steps when transmitting certain information.

Employ appropriate response, reporting, and remediation processes. While it is important to implement proactive measures to prevent the initiation of fraudulent payments, it is equally important for companies to have robust reactive measures in place. The company's risk assessment should go hand-in-hand with a strong monitoring program designed to identify unusual behavior. And employees should be familiar with procedures to report suspicious activity. Management should encourage transparency and provide incentives to employees to share information.

Beyond internal reporting, the FBI also stresses the importance of reporting incidents to local, state, and/or federal authorities. The joint effort against cyber criminals can help companies recover losses and pursue legal action. For purposes of further investigation, companies should retain all original documentation, emails, faxes, and logs of telecommunications.

Once a crime has been disclosed, the company should put in place an external and internal communications strategy to deter and respond to negative press coverage, as well as provide assurance to both employees and clients about continuing business operations. Falling victim to fraud inevitably leads to a loss of confidence in the company, but dealing with the issue swiftly and effectively can help retain integrity and win back trust.

Beef up Finance Protections

As business technologies evolve rapidly, fraudsters are taking advantage of companies that are slow to adapt. And as attacks on executives and staff in the treasury function become more prevalent, companies must adopt strong training programs and resilient policies to prevent the fraudulent transfer of funds. All employees need to understand why it's important to follow protocol and to resist the temptation to override controls for the sake of urgency.

By establishing both proactive and reactive measures for dealing with wire frauds, companies can avoid becoming the next big headline. Remember, fraudsters are targeting your finance function because that is where the money is. That's the best reason you have to protect it.

Ronald Plesco is an advisory principal and the national lead of the KPMG LLP Cyber Investigations, Intelligence, and Analytics practice. He is an internationally known information security and privacy attorney with 17 years' experience in cyber investigations, information assurance, privacy, identity management, computer crime, and emerging cyber threats and technology solutions. Prior to joining KPMG, Plesco was the CEO of the National Cyber Forensics and Training Alliance (NCFTA), where he managed the development of intelligence that led to over 400 worldwide cybercrime arrests in four years and prevented over $2 billion in fraud.

Guido van Drunen is a principal in the KPMG LLP Forensic Advisory Services. He has more than 30 years' experience providing forensic/investigative accounting, security and investigative services, and other financial advisory services to clients. He has worked in law enforcement in two countries and in the private sector, where he created and ran a special investigations unit for a Fortune 50 company, among other ventures.

Nicholas Campbell, manager in KPMG LLP Forensic Advisory Services, and Andra Marcoci, associate in KPMG LLP Forensic Advisory Services, contributed to this article.
