By: Connie Krebs and Larry Brown, Blue & Co., LLC
Wire transfer fraud is one of the most creative avenues for robbing your bank. It is faceless, quick, and damaging to the bank’s reputation. The act itself will not put your staff through a standoff, but it can blemish your customers’ trust.
Criminals find it very easy to tap into these sources. They skillfully plan attacks that do not require them to wield a gun or even face their targets, and the amount of money they can obtain is far greater than what they could get robbing a brick-and-mortar location.
In 2016, businesses across all industries showed a 45% increase in security breaches. The healthcare industry showed a 34.5% increase, while banks and financial institutions only showed a small increase (5%). This is largely because financial institutions are more regulated and have focused on IT controls for many years.
While other industries may be playing catch-up, financial institutions continue to face significant risk even with this focus and these controls. The following recent cases give you an understanding of the intricacy, care, and effort a criminal will invest to rob you or your bank.
ACTUAL CASES AND METHODS
Social Engineering and Masquerading, Business Email Compromise (“BEC”)
You have strong passwords and dual control over the wire transfer function, but you permit your customers to initiate wires remotely via telephone, fax, or email without a written wire transfer agreement that establishes call-back procedures, including the use of a personal identification code. What is the risk? Huge, when the account is taken over by an unknown third party who has hacked the customer’s email account.
The hacker calls or emails the bank to get an update on the customer’s accounts. Once they obtain the account balances, they attempt to place a small wire order by phone, fax, or email to a bank in another city. The hacker will call or email every branch or employee found in your customer’s email inbox until they find an unsuspecting employee who will accept a wire transfer remotely. The employee accepts it because the caller has all the account information, or has faxed in a wire transfer form bearing the customer’s signature. After the small wire goes through successfully, the criminal moves to a larger amount, calling the same employee or another willing employee to make one or more larger wire transfers. Even though it was your customer who was hacked, the bank will be held responsible and will assume the loss.
Keep in mind, call-back procedures alone are not sufficient. Call-back procedures must require the customer to provide an agreed-upon personal identification code before a wire can be initiated remotely. A call-back without a personal identification code is not enough because phones can now be set up to forward calls: criminals have the calls forwarded to their own phones in order to “verify” the wire transfer. Insurance will only cover remotely initiated wire transfer fraud if the bank can prove there were adequate customer call-back procedures that require a personal identification code or some other method. All of this must typically be documented for the insurance company to cover the claim.
Phishing and Distributed Denial of Service (“DDoS”)
Criminals obtain control of a large number of customer and non-customer computers through Facebook and LinkedIn, coupled with phishing emails. They then use these computers to perform a DDoS attack on the bank, overwhelming the network by sending large volumes of email or having all the computers access the bank’s website at the same time. This causes the bank’s internet services to malfunction and chaos ensues. The criminal contacts the bank to place a wire transfer during this chaos in order to find an employee who is willing to bypass controls to help an upset customer. The criminal uses trial and error to find such an employee and applies various techniques, from being very upset about the outage and how it is impacting their business to playing on the heartstrings of employees with a family emergency for which funds are needed right away.
The hacker conducted some social engineering and obtained your wire transfer employee’s login credentials. They also know the employee is on vacation because they studied their Facebook page. If a single employee can send a wire without another employee approving it, or the bank does not use tokens for multi-factor authentication, the hacker will be able to send wires on the bank’s account.
A similar situation can be found in the real estate industry. Criminals identify the email accounts of real estate agents and brokers they found on social media. They hack directly into the accounts and identify emails that reference pending real estate deals. From these strings of emails, they gather details about the deal, such as the names of the parties, the title company involved, and other pertinent information.
Then they send an email directly to the buyer or lender, making it appear to have been sent by the real estate agent, mortgage loan officer, or title agency. These emails direct the buyer or lender to wire the funds needed to close escrow to a bank account different from the one provided in the preliminary report or the escrow instructions, one set up by the criminal. The money is immediately withdrawn or transferred elsewhere.
Another common method for wire transfer fraud is hacking legitimate vendor invoices. A hacker can infiltrate your vendor’s email or an employee’s email to alter the payment instructions on vendor invoices. The invoice is legitimately for goods and services purchased, but the payment instructions will send the funds to an account controlled by the hacker instead of the vendor.
PREVENTION AT BANK LEVEL
The following are some recommendations for you to consider to mitigate the risk of wire transfer fraud:
- The first step in detecting a customer takeover by a third party is to understand your customer’s electronic funds and wire transfer needs. Work with customers who request electronic transfers, ACH, RDC (remote deposit capture), or wire transfers to know their patterns, expectations, and financial capacity. When a wire is requested, first conduct due diligence by reviewing the account information, risk rating, and credit file. This should be on your central information file, easily viewable by the wire department or officer. Ask:
  - Is the wire outside the customer’s ordinary pattern?
  - Is the wire to a third party unknown to the bank or its customer?
  - Does the customer normally send foreign wires?
- Implement appropriate authorization for wire transfers.
- Establish wire transfer limits on each employee involved in wire transfers.
- Ensure that two employees are required to send a wire with one employee initiating the wire and another employee reviewing and approving the release of the funds.
- Wires should be originated using randomly generated passcodes produced automatically by tokens. This keeps social engineering from succeeding, since a stolen static password is not enough on its own.
- Establish wire transfer agreements for all customers who wish to make wire transfers remotely. The agreements should establish call back procedures and security codes.
- Train all bank staff regarding social engineering and what to do if a compromise occurred.
- Remind employees that bank policies cannot be circumvented to provide customer service.
- Educate employees on the dangers associated with opening attachments or clicking on links in unsolicited e-mails. Alert them to think before they click.
- As an added precaution, follow up with immediate notification to the customer by text or email of the items processed, stating that if they did not originate those items they should contact the bank immediately.
- Invest in software, or develop reports, to monitor accounts for specified activity across the whole customer base, and set in-house parameters to compare against each customer’s known or routine transactions.
- Beware of money mule accounts: new accounts, or established accounts that suddenly begin sending frequent international or other wires.
- Do not allow employees to access personal or work e-mails on the same computers used to initiate payments.
- Do not allow employees to access the Internet freely on the same computers used to initiate payments.
- Do not allow employees to access administrative accounts from home computers or laptops connected to home networks.
- Ensure employees do not leave USB tokens in computers used to connect to payment systems. Also, ensure that the tokens are secured properly if the employee is away from their desk.
- Monitor employee logins that occur outside of normal business hours.
- Consider implementing time-of-day login restrictions for the employee accounts with access to payment systems.
- Restrict wire transfer system administrator capabilities to a person without wire transfer duties.
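The due-diligence questions, per-employee limits, dual control, call-back code and off-hours monitoring above can be encoded as a single rule-based release check. The following is an added example written for this article, not a product or code from Blue & Co.; the employee limits, business hours, customer profile and wire request are constructed sample data.

```python
from dataclasses import dataclass, field

EMPLOYEE_LIMITS = {"alice": 25_000.0, "bob": 100_000.0}  # constructed per-employee release limits
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time; an assumption for the example

@dataclass
class CustomerProfile:
    typical_max_amount: float                        # largest wire seen in recent history
    known_beneficiaries: set = field(default_factory=set)
    sends_foreign_wires: bool = False

@dataclass
class WireRequest:
    amount: float
    beneficiary: str
    destination_country: str
    initiated_by: str
    approved_by: str
    remote: bool          # phoned, faxed or emailed in rather than placed in person
    pin_verified: bool    # agreed personal identification code confirmed on call-back
    submitted_hour: int   # local hour (0-23) at which the request was entered

def review_wire(req: WireRequest, profile: CustomerProfile) -> list:
    """Return the control exceptions for a request; an empty list means it may be released."""
    flags = []
    if req.initiated_by == req.approved_by:
        flags.append("dual control: initiator and approver must be different employees")
    for who in {req.initiated_by, req.approved_by}:
        if req.amount > EMPLOYEE_LIMITS.get(who, 0.0):
            flags.append(f"limit: {who} is not authorised to handle {req.amount:,.2f}")
    if req.remote and not req.pin_verified:
        flags.append("call-back: remote wire without personal identification code")
    if req.amount > profile.typical_max_amount:
        flags.append("pattern: amount exceeds customer's historical maximum")
    if req.beneficiary not in profile.known_beneficiaries:
        flags.append("pattern: beneficiary unknown to bank and customer")
    if req.destination_country != "US" and not profile.sends_foreign_wires:
        flags.append("pattern: customer does not normally send foreign wires")
    if req.submitted_hour not in BUSINESS_HOURS:
        flags.append("timing: entered outside normal business hours")
    return flags

def demo() -> list:
    """Constructed BEC-style request: a remote, off-pattern wire pushed through by one employee."""
    profile = CustomerProfile(typical_max_amount=8_000.0,
                              known_beneficiaries={"Acme Supply Co"})
    req = WireRequest(amount=42_000.0, beneficiary="Global Holdings Ltd",
                      destination_country="HK", initiated_by="alice", approved_by="alice",
                      remote=True, pin_verified=False, submitted_hour=20)
    return review_wire(req, profile)
```

Every exception should be cleared by a second employee, never by the initiator, before the funds are released.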
PREVENTION AT BANK CUSTOMER LEVEL
- Establish dual control when placing wire transfers, ACH, or RDC: have one person originate the transaction with the bank and have the bank call back a different person.
- Use a separate machine for transmitting payments that is not connected to or used for email, or at minimum a secure, monitored machine on which passcodes are not saved.
- Let the bank know your company’s routine and other transactions that are to be expected.
- Use distinct passwords that you do not use on other accounts.
- Do not share passwords.
- Beware of social engineering and notify the bank, insurance company, and law enforcement if compromised.
At Blue & Co., we are available to review your wire transfer setup, user controls, or any other area of your control environment you are concerned about. If you have questions about this article or would like to talk, please contact us.