Payment fraud: Would you be fooled?
We all like to believe we wouldn’t be taken in by a fraudster – but for a growing number of companies cyber attacks are a fact of life. Believing that employees won’t be tricked by a cybercriminal is a dangerous assumption when the stakes are so high: beyond substantial financial loss, attacks of this nature can cause serious or even irreparable damage to a company’s reputation. All it takes is one person making an unauthorized payment which they believe a senior member of the organization has requested.
According to data from the FBI’s Internet Crime Complaint Center (IC3), over 2,000 companies fell victim to a particular type of scam called the Business Email Compromise (BEC) between October 2013 and December 2014. The total dollar loss was almost $215 million.
Despite the scale of the threat, many companies are unprepared for the possibility that they will fall victim to an attack. “In a recent survey that asked corporate clients how they plan to deal with cyber activity, a surprising 43% indicated that they currently have no formalized plan in place,” comments Cindy Murray, head of Global Treasury Product Platforms and Digital Channels at Bank of America Merrill Lynch. “That’s an alarming percentage and a call to action.”
Cybercriminals use a number of different schemes and techniques to defraud their victims. Often these schemes will include a phishing component, whereby employees are persuaded to click on a link or attachment. As a result, malware is downloaded onto the computer enabling the cybercriminal to gain access to everything from user credentials to emails.
Phishing can be used to steal information which can support other types of attacks, such as spoofing, whereby emails are sent from a false address, or masquerading, where an email is sent purporting to be from a senior executive within the company.
In this type of attack, scammers look at recent events in the news or upcoming acquisitions – any type of corporate activity which may be subject to secrecy and confidentiality, as well as being urgent. The scammer then poses as a senior executive, masquerading as the CEO or CFO of the company. Due to ‘legal reasons’, the fraudster instructs the person they are contacting to keep the instruction and information quiet. The ideal victim is an individual who doesn’t want to appear inept to the senior executive, and who transacts the instruction to seem competent and worthy of the responsibility.
Even requests that may require involvement from multiple departments to perform can be executed if a scammer successfully impersonates the appropriate trading partner or executive to one individual within the company. The internal email trail then moves through the organization from the legitimate employee, who gives instructions to other departments or associates. They, in turn, assume that the proper authentication and protocols have been followed and process the requested instruction.
There are a number of measures that companies can put in place to reduce the risk of payment fraud. Employees need to be instructed to notify their Information Technology (IT) and Information Security departments when suspicious emails come in, rather than simply ignoring them. IT should be regarded as the first line of defense and can put in place filters to block sender addresses that are known or suspected to be fraudulent. Too often, one employee ignores or deletes a suspicious email that another employee then replies to, or clicks a link in it that downloads malware onto their PC.
Fraudsters are becoming ever more sophisticated in the lengths they are going to make their messages sound authentic, and to time them effectively. In a recent attack, an email purporting to be from the CEO was sent at a time when the CEO was out of the office – and not readily available to confirm the accuracy of the request.
Fraudsters often have a wealth of information at their fingertips which can help them impersonate executives successfully – even without resorting to phishing. Social media websites can provide a high level of detail about specific individuals, which fraudsters may be able to use in order to make messages sound more authentic. Companies’ own websites can also furnish criminals with the identity, job title and email addresses of their own staff. Companies may have legitimate reasons for making this information publicly available – but they should also be aware that in doing so they may be putting their business at risk. As a general rule, companies should not give out any more information than they have to.
All companies have standard operating procedures, but not all have procedures to cover non-standard requests. In order to protect themselves from this type of attack, companies should develop non-standard procedures, as well as a fraud plan that is reviewed and tested regularly. Companies which educate their employees about this topic are typically not the victims of cybercrime.
Non-standard procedures can be developed and tested along the following lines:
- Instruct employees to be wary of any urgent or confidential requests.
- Never respond by using the 'reply' feature to the email containing the non-standard request. Look up the individual's email address and validate it for accuracy. Inserting slight alterations in an executive's email address is a tactic commonly used by fraudsters.
- Authenticate non-standard requests outside of the channel used to deliver the instructions. Beneficiary or address changes from vendors should be validated by phone, or by asking another individual at the company to create a new email from their source documentation in order to confirm the change.
- Incorporate dual authorization for all non-standard requests. Regardless of the size of the company, dual authorization should, at the minimum, be implemented for specific transaction value thresholds. In order to determine that threshold, companies should ask themselves how much they can afford to lose.
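As an added example, not code from the article or from Bank of America Merrill Lynch, the following Python script sketches how the controls in the list above can be enforced in a payment-request workflow: the sender address is compared against a directory of addresses on file, with look-alike detection for the "slight alterations" the second point describes (swapped or dropped characters, homoglyphs such as "rn" for "m", a known domain buried inside a longer one); beneficiary changes and non-standard requests are held until confirmed outside the email channel; and two distinct approvers are required for non-standard requests and for any amount above a threshold. The directory entries, the threshold value and the request fields are constructed assumptions for illustration.

```python
"""Pre-release checks for non-standard payment requests (added example).

The executive/vendor directory, the dual-authorization threshold and the
PaymentRequest fields are constructed for illustration, not taken from
any real organization.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed directory of addresses on file for executives and vendors.
DIRECTORY = {
    "jane.doe@example.com": "CEO",
    "mark.smith@example.com": "CFO",
    "invoices@acme-supplier.example": "vendor",
}

# Character substitutions fraudsters use because they look alike on screen.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Constructed threshold: the article says to set it from what the firm can
# afford to lose on a single unauthorized payment.
DUAL_AUTH_THRESHOLD = 10_000.00


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _fold(s: str) -> str:
    """Lower-case and collapse homoglyph substitutions before comparing."""
    s = s.lower()
    for lookalike, canonical in HOMOGLYPHS.items():
        s = s.replace(lookalike, canonical)
    return s


def classify_sender(address: str) -> str:
    """Return 'known', 'lookalike' or 'unknown' for a From: address."""
    addr = address.strip().lower()
    if addr in DIRECTORY:
        return "known"
    local, _, domain = addr.partition("@")
    for known in DIRECTORY:
        k_local, _, k_domain = known.partition("@")
        # Homoglyph folding catches rn/m and 0/o swaps; edit distance catches
        # a dropped, added or transposed character; the substring test catches
        # a known domain embedded in a longer attacker-controlled one.
        if _fold(local) == _fold(k_local) and _fold(domain) == _fold(k_domain):
            return "lookalike"
        if edit_distance(local, k_local) + edit_distance(domain, k_domain) <= 2:
            return "lookalike"
        if k_domain in domain and domain != k_domain:
            return "lookalike"
    return "unknown"


@dataclass
class PaymentRequest:
    sender: str
    amount: float
    non_standard: bool             # urgent, confidential, off-process, etc.
    beneficiary_changed: bool      # new account or address for a vendor
    confirmed_out_of_band: bool    # e.g. phone call to a number from source docs
    approvers: list[str] = field(default_factory=list)


def review_request(req: PaymentRequest) -> tuple[bool, list[str]]:
    """Apply the controls; return (release_ok, reasons the payment is held)."""
    holds: list[str] = []
    status = classify_sender(req.sender)
    if status == "lookalike":
        holds.append(f"sender {req.sender} resembles an address on file")
    elif status == "unknown":
        holds.append(f"sender {req.sender} is not on file")
    if req.beneficiary_changed and not req.confirmed_out_of_band:
        holds.append("beneficiary change not confirmed outside the email channel")
    if req.non_standard and not req.confirmed_out_of_band:
        holds.append("non-standard request not authenticated out of band")
    needs_dual = req.non_standard or req.amount >= DUAL_AUTH_THRESHOLD
    if needs_dual and len(set(req.approvers)) < 2:
        holds.append("dual authorization required (two distinct approvers)")
    return (not holds, holds)


if __name__ == "__main__":
    # Constructed request resembling the CEO-impersonation scenario.
    suspicious = PaymentRequest("jane.doe@exarnple.com", 48_500.00,
                                non_standard=True, beneficiary_changed=True,
                                confirmed_out_of_band=False, approvers=["alice"])
    ok, reasons = review_request(suspicious)
    print("release" if ok else "HOLD:", *reasons, sep="\n  ")
```

The classifier is deliberately conservative: a legitimate but unlisted sender is held as "unknown" rather than released, which matches the article's advice to authenticate anything outside the standard process before acting on it.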
The following points should also be considered when building and testing a fraud plan:
- Time is of the essence when stopping fraudulent payment requests.
- Employees need to know what they should do if they suspect a fraudulent payment. Payments are hard to stop because of processing deadlines – sometimes the window is a matter of minutes.
- In some cases, embarrassment may prevent staff from immediately reporting fraud to their banks. However, it is essential to alert banks so that proper action is taken to stop the wire or prevent further wires from being sent inappropriately. Once a machine has been compromised, it should also be taken off the company's network until it has been cleaned of malware.
If you believe your staff can’t be fooled by this type of ruse, test them and find out. Set up a test by sending an employee a non-standard request. Does your employee process the request?
It is important not only to test procedures, but also to share recent fraud events with employees as part of an effective fraud education program. Communicating these occurrences is an integral part of any successful fraud prevention training. Cybercriminals prey on companies where staff are not educated and where the proper procedures and controls are not in place. Scammers thrive on unpreparedness, as speed is an important ingredient when successfully stealing a company’s assets.
By incorporating these best practices into their overall security programs, companies can be better placed to protect against payment fraud. Companies may have extensive fraud prevention security measures, but can still fall victim to cybercrime if their employees are the weakest link.
“Fraud is a serious matter and at Bank of America Merrill Lynch we invest and use many resources and time to help clients protect their businesses against fraud,” concludes Murray. “However, fraud is a shared responsibility and client awareness of all the schemes and tactics used in this environment is the first line of defense in fighting fraud.”
Global Digital Channels Solutions Executive
Bank of America Merrill Lynch
- Despite significant and growing risks, many companies are unprepared for risks associated with payment fraud
- Fraudsters, masquerading as a senior executive at the company, try to convince their chosen victim to make a non-standard payment.
- By building clear procedures, covering non-standard payment requests, and rigorously testing them, companies can reduce the risk of fraud.