By: Connie Krebs and Larry Brown, Blue & Co., LLC
Wire transfer fraud is one of the most creative avenues for robbing your bank. It is faceless, quick, and damaging to the bank’s reputation. The act itself will not harm your staff with a standoff, but it can blemish your customers’ trust.
Criminals find it very easy to tap into these sources. They skillfully plan attacks that do not require them to wield a gun or even face their targets, and the amount of money they can obtain is far greater than what they could get robbing a brick-and-mortar location.
In 2016, businesses across all industries showed a 45% increase in security breaches. The healthcare industry showed a 34.5% increase, while banks and financial institutions only showed a small increase (5%). This is largely because financial institutions are more regulated and have focused on IT controls for many years.
While other industries may be playing catch-up, financial institutions continue to face significant risks even with this focus and control. The following recent cases illustrate the intricacy, care, and involvement a criminal will invest to rob you or your bank.
ACTUAL CASES AND METHODS
Social Engineering and Masquerading, Business Email Compromise (“BEC”)
You have strong passwords and dual control over the wire transfer function, but you permit your customers to initiate wires remotely via telephone, fax, or email without having a written wire transfer agreement that establishes call procedures – including the use of a personal identification code. What is the risk? Huge, when the account is taken over by an unknown third party through hacking of their email accounts.
The hacker calls or emails the bank to get an update on the customer’s accounts. Once they obtain the account balances, they will attempt to place a small wire order by phone, fax, or email to a bank in another city. The hacker will call or email all the branches or employees in your customer’s email inbox until they find an unsuspecting employee who will accept a wire transfer remotely. The employee will accept it because the person has all the account information or has faxed in a wire transfer form with the customer’s signature. After the small wire is conducted successfully, the criminal moves to a larger amount. They will call the same employee or another willing employee to make a larger wire transfer(s). Even though your customer was hacked, the bank will be responsible and will assume the loss.
Keep in mind, call back procedures alone are not sufficient. Call back procedures must be established to require the customer to provide an agreed upon personal identification code before a wire can be initiated by a customer remotely. Call back without a personal identification code is not enough because phones can now be set up to forward calls. Criminals will have the calls forwarded to their phones in order to verify the wire transfer. Insurance will only cover remotely initiated wire transfer frauds if the bank can prove there were adequate customer call back procedures that require the use of a personal identification code or some other method. All of this must typically be documented for the insurance company to cover the claim.
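The release rule described above (written agreement, callback, personal identification code, dual control), sketched as an added example that is not from the article or from any bank system. The class and field names, the on-file callback number, and the sample values are assumptions made for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from typing import Optional

REMOTE_CHANNELS = {"phone", "fax", "email"}

def hash_pin(pin: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the personal identification code.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class WireAgreement:              # hypothetical record of the written agreement
    callback_number: str          # assumption: number recorded at signing
    pin_salt: bytes
    pin_hash: bytes

def make_agreement(number: str, pin: str) -> WireAgreement:
    salt = os.urandom(16)
    return WireAgreement(number, salt, hash_pin(pin, salt))

@dataclass
class WireRequest:                # hypothetical request as keyed by staff
    channel: str                  # "phone", "fax", "email" or "in_person"
    amount: float
    callback_dialed: Optional[str]   # number the employee actually dialed
    pin_given: Optional[str]         # code the customer stated on the callback
    initiated_by: str
    approved_by: Optional[str]

def release_blockers(req: WireRequest, agreement: Optional[WireAgreement]) -> list:
    """Return every reason the wire must not be released (empty list = release)."""
    blockers = []
    if req.channel in REMOTE_CHANNELS:
        if agreement is None:
            blockers.append("no written wire transfer agreement on file")
        else:
            if req.callback_dialed != agreement.callback_number:
                blockers.append("callback not placed to the number on file")
            # A forwarded phone still answers the callback, so the code is
            # checked separately, in constant time, against the stored hash.
            given = hash_pin(req.pin_given or "", agreement.pin_salt)
            if not hmac.compare_digest(given, agreement.pin_hash):
                blockers.append("personal identification code missing or wrong")
    # Dual control applies to every wire, regardless of amount or channel.
    if not req.approved_by or req.approved_by == req.initiated_by:
        blockers.append("dual control: a second employee must approve")
    return blockers

if __name__ == "__main__":
    ag = make_agreement("555-0100", "4821")          # constructed sample values
    forwarded = WireRequest("phone", 9500.0, "555-0100", None, "teller1", "officer2")
    print(release_blockers(forwarded, ag))
```

The returned list doubles as the documentation trail: logging it with each request records which controls were applied before release.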
Phishing and Distributed Denial of Service (“DDoS”)
Criminals will obtain control of a large number of customer and non-customer computers through Facebook and LinkedIn, coupled with phishing emails. The criminals will then use those computers to perform a DDoS attack on the bank, overwhelming the network by sending large amounts of email or by having all the computers access the bank’s website at the same time. This causes the bank’s internet to work improperly, and chaos ensues. The criminal contacts the bank to place a wire transfer during this chaos in order to find an employee who is willing to bypass controls to help serve an upset customer. The criminal will use trial and error to find an employee and use various techniques, from being very upset about the internet and how it is impacting their business to playing on the heartstrings of employees about a family emergency in which funds are needed right away.
The hacker conducted some social engineering and obtained your wire transfer employee’s login credentials. They also know the employee is out on vacation because they studied the employee’s Facebook page. If a single employee can send a wire without another employee approving, or the bank does not utilize tokens for multi-factor identification, the hacker will be able to send wires on the bank’s account.
A similar situation can be found in the real estate industry. Criminals identify the email accounts of real estate agents and brokers they found on social media. They hack directly into the accounts and identify emails that reference pending real estate deals. From these strings of emails, they gather details about the deal, such as the names of the parties, the title company involved, and other pertinent information.
Then they send an email directly to the buyer or lender, making it appear as though it was sent by the real estate agent, mortgage loan officer, or title agency. These emails direct the buyer or lender to wire the funds necessary to close escrow to a different bank account than the one provided in the preliminary report or in the escrow instructions, one set up by the criminal. The money is immediately withdrawn or transferred to another location.
Another common method for wire transfer fraud is hacking legitimate vendor invoices. A hacker can infiltrate your vendor’s email or an employee’s email to alter the payment instructions on vendor invoices. The invoice is legitimately for goods and services purchased, but the payment instructions will send the funds to an account controlled by the hacker instead of the vendor.
PREVENTION AT BANK LEVEL
The following are some recommendations for you to consider to mitigate the risk of wire transfer fraud:
PREVENTION AT BANK CUSTOMER LEVEL
At Blue & Co., LLC, we are available to review your wire transfer setup, user control, or any other area of your control environment that concerns you. If you have questions about this article or would like to talk, please contact Connie Krebs at firstname.lastname@example.org or 513-834-6896.