Risk Bulletin: Social Engineering Wire Transfer Scams Affecting U.S. Companies
COMPANIES WHO SEND MONEY BY WIRE TRANSFER MUST BE AWARE OF SCAMS
Businesses that wire-transfer money to vendor or corporate bank accounts, or on behalf of clients and customers, should be aware of scams that affect even the best-managed companies. These wire-transfer scams intentionally mislead unsuspecting employees into sending money or diverting payments to fraudsters who impersonate vendors, clients, customers and even senior executives or business owners.
To help businesses manage these risks, The Hanover created False Pretense Coverage — an insurance solution providing protection from a wide variety of social engineering scams.
Identifying Risks and Frauds
Commonly referred to as social engineering scams, these frauds trick employees with fake information received by email, text, instant message, telephone calls or other electronic communications. The information and request to transfer funds will appear to be legitimate, but will have actually been sent by imposters intending to steal the company’s money.
Here are some typical scams and strategies to avoid them:
Business Email Compromise
This popular scam begins with a fraudulent email sent from someone pretending to be the company’s vendor, customer, or client — or someone posing as an owner, senior executive, or employee. The email will request a transfer of funds and will trick the company employee into wiring funds to a specific bank account under the control of the fraudster.
The Purported Vendor Scheme
In scams involving purported vendors, the criminal assumes the identity of a company vendor and uses an email that appears to be legitimate — often sent from a compromised email account or from a similar but slightly altered domain name. The email is sent to an employee who the fraudster knows is in a position to transfer money. The sender identifies themselves as a valid vendor the company partners with, and advises the employee that the vendor has changed bank accounts and that the next few payments should be sent to the new bank. The email will look authentic and may include the vendor’s logo or an attached letter on the vendor’s letterhead. In cases where the perpetrator has previously breached the company’s computer network, the email may even reference a few valid transactions between the company and the vendor. The employee, without authenticating or validating the request, proceeds to wire the money to the requested bank. As soon as the money is received by the new bank, the funds are quickly transferred out to an overseas bank, well before the company realizes it has been scammed, which usually happens only when the real vendor begins asking about the overdue payment.
The Purported Business Owner/Senior Executive Scheme
In this type of scam, the perpetrators will identify themselves within an email as the company owner or senior executive, and will state that they need a transfer made to the bank account identified in the email as soon as possible — common reasons include “to fund a recent acquisition” or for “tax purposes.” The email will target an employee, or even another senior executive, who is in a position to transfer money. The email will have a sense of urgency to it. In some cases, the email will state that there will be a follow up call shortly from an attorney who will provide all of the transaction details and banking information. Shortly thereafter, the call will come in to the employee from the purported attorney. The employee will proceed to wire transfer the money to the requested bank without authenticating the request. The money is then quickly transferred by the fraudster to an overseas bank well before the company realizes they have been scammed.
As these types of scams evolve and become more complex, companies should make it a priority to include fraud prevention as a part of their regular business practice processes, utilizing authentication practices, third-party testing when possible, and following all applicable cyber security standards.
What To Do If Faced With A False Pretense/Social Engineering Wire Fraud Scam
When a company realizes it is the victim of a wire transfer fraud scam, it is important to act immediately and call the financial institutions involved in the transaction. The local police and the FBI should also be contacted. Companies can submit all relevant information to the Internet Crime Complaint Center (IC3) at www.ic3.gov.
Avoiding and Managing the Risks
When it comes to avoiding false pretense and social engineering scams, the best defense is employee awareness. The weakest link in the security chain is the employee who accepts a scenario at face value and doesn’t check its legitimacy. That’s why it is imperative to provide anti-fraud training that includes educating employees on how to recognize and prevent these types of scams.
• Teach employees to never click on embedded links in suspicious or “out of the ordinary” emails
– These links could install malware that steals information the criminal later uses to execute the scheme, or that infects company computer systems
• Instruct employees (especially those in a position to transfer funds) to never change vendor account information without verifying the change with a telephone call back to the vendor
– Make sure the call back number used is a number already on file and don’t use a number provided within the change request to make the call back
• Be wary of last minute changes in business practices
– Business owners should stress to their employees that they will never deviate from normal transfer protocol by calling or emailing an employee with an urgent request to transfer funds outside of documented procedures
• Have a written policy outlining what is considered confidential, sensitive or proprietary information that should never be released without approval or authorization
• Validate funds transfer and payment requests from vendors and clients with a “call back” procedure to an individual authorized to make such requests and to a previously established number
• Validate all internal employee requests to transfer funds
• Limit wire-transfer authority to specific employees and require next level supervisor sign off on any changes to vendor and client information and for all “internally” requested wire transfers
• Be suspicious when someone refuses to provide contact information
• Never let the urgency of the message, intimidation or high-pressure tactics influence your careful review and assessment
• Develop reporting and tracking programs that document attempts of social engineering/false pretense fraud
• Review your intrusion detection system (IDS) rules to flag emails sent from domains that closely resemble your company’s email domain
• Identify which employees have access to bank account information, or have authority to make payments or transfer funds — they are often a primary target
• Consult with computer safety and information technology experts, and
– Use cyber security software and keep it up to date
– Secure Wi-Fi networks and use mobile device security procedures
– Use two-factor authentication to make it difficult for hackers to enter business computer platform(s)
– Conduct third-party penetration testing to measure the effectiveness of your prevention techniques
• Randomly test employees with company-created fictitious emails and/or phony phone calls
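The bulletin recommends flagging emails whose sender domain resembles the company’s own domain, the technique behind the purported-vendor and purported-executive schemes above. The following Python script is an added example written for this bulletin, not a tool from The Hanover or any IDS product: it reads “From:” header lines, normalizes common look-alike substitutions (digit-for-letter swaps, “rn” for “m”, dropped hyphens), and flags domains that are near-identical to a trusted domain or that embed it as a prefix. The company domain example-corp.com, the trusted-domain list and the sample header lines are all constructed for the demonstration.

```python
import re
from email.utils import parseaddr

# Assumption for this example: the defending company's real mail domain.
COMPANY_DOMAIN = "example-corp.com"
TRUSTED_DOMAINS = {COMPANY_DOMAIN}

# Maximum edit distance (after normalization) still treated as a look-alike.
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse substitutions that look alike to a human reading an address.

    Both the sender domain and the trusted domain go through this, so a
    legitimate domain containing digits or hyphens still compares equal to itself.
    """
    d = domain.lower()
    for pair, single in (("rn", "m"), ("vv", "w")):   # multi-letter look-alikes
        d = d.replace(pair, single)
    d = d.translate(str.maketrans("015", "ols"))       # 0->o, 1->l, 5->s
    return d.replace("-", "")                           # hyphen added/removed


def classify_domain(domain: str):
    """Return (verdict, reason): verdict is 'trusted', 'lookalike' or 'external'."""
    d = domain.lower().rstrip(".")
    if d in TRUSTED_DOMAINS:
        return "trusted", "exact match"
    for t in TRUSTED_DOMAINS:
        if d.endswith("." + t):
            return "trusted", f"subdomain of {t}"
        if d.startswith(t + "."):
            # e.g. example-corp.com.some-other-host.net: our domain used as a prefix
            return "lookalike", f"{t} embedded as a prefix of another domain"
        dn, tn = normalize(d), normalize(t)
        if dn == tn:
            return "lookalike", f"character-substitution or hyphen variant of {t}"
        dist = levenshtein(dn, tn)
        if dist <= MAX_EDIT_DISTANCE:
            return "lookalike", f"edit distance {dist} from {t}"
    return "external", "no resemblance to a trusted domain"


FROM_RE = re.compile(r"^From:\s*(.+)$", re.IGNORECASE)


def scan_from_lines(lines):
    """Return [(address, reason)] for every From: line whose domain is a look-alike."""
    flagged = []
    for line in lines:
        m = FROM_RE.match(line.strip())
        if not m:
            continue
        _, addr = parseaddr(m.group(1))
        if "@" not in addr:
            continue
        domain = addr.rsplit("@", 1)[1]
        verdict, reason = classify_domain(domain)
        if verdict == "lookalike":
            flagged.append((addr, reason))
    return flagged


# Constructed sample header lines for the demonstration (not real traffic).
SAMPLE_FROM_LINES = [
    "From: Accounts Payable <ap@example-corp.com>",
    "From: HR Team <hr@mail.example-corp.com>",
    "From: CEO <ceo@examp1e-corp.com>",
    "From: Vendor Billing <billing@example-corp.co>",
    "From: IT Support <it@example-corp.com.mail-portal.net>",
    "From: Partner News <news@partnerco.com>",
]

if __name__ == "__main__":
    for addr, reason in scan_from_lines(SAMPLE_FROM_LINES):
        print(f"FLAG {addr}: {reason}")
```

In the sample set, the subdomain address and the unrelated partner domain pass, while the digit-for-letter swap, the dropped-letter top-level domain and the embedded-prefix domain are flagged. In practice the trusted set would also hold the domains of regular vendors, so that a request purporting to come from a vendor’s look-alike domain is caught the same way; a flag should route the message for the call-back verification described above rather than be treated as proof of fraud on its own.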