Protect Your Company from Wire Transfer Fraud
Cyber wire fraud is a pervasive problem, and criminals are growing bolder as they attempt to fool you into wiring funds to bogus accounts. The weapon they increasingly use in these attacks is a familiar one: your business emails.
“The good news is that you can do a lot to protect your company from wire fraud via business email compromise,” said Tammy Gedetsis, Security Education & Awareness Manager at KeyBank. “By learning more about scam attempts and how to deal with them, your finance team can operate as a critical first line of defense.”
- According to a study, 80% of companies reported email fraud scams in 2018, up from 64% in 2014.
- Poor spelling and grammar, requests for unusually large sums of money and rush requests are among red flags of cyberattacks.
- Establishing no-exception practices and procedures for authenticating requests can keep your company from becoming a victim.
The Growing Threat of Business Email Scams
Business email fraud attacks occur when cybercriminals request wire transfers in emails that look like they are from business suppliers that regularly request payments. In 2018, business email compromise attacks set a record, according to a 2019 report issued by the Association of Financial Professionals: An astonishing 80% of companies reported email fraud scams in 2018, up from 64% in 2014.1
“Cybercriminals like wire transfers via business email compromise for good reason,” said Gedetsis. “Amounts of all sizes can be transferred electronically as long as funds in the account are available, and funds are available immediately to the recipient. Once the cash is out the door, it’s gone. And criminals are adept in masking the true identities in their fraudulent emails and making you believe it’s a genuine request.”
Once the wire transfer has been made, it can be a challenge to recover lost funds. “When we issue a recall for a fraudulent wire transfer, it doesn’t mean the victimized company is getting its money back,” said Gedetsis. “It just means we’ve notified the other financial institutions involved of the occurrence of suspected fraud. And the injured party cannot count on the legal system to quickly get its money back, especially if it’s an international transaction. The case may drag on for a long time.” This is only applicable for domestic wires as foreign wires are protected by different regulations.
Number of reports the US Financial Crimes Enforcement Network (FinCEN) has received since September 2016, involving almost $9 billion in attempted theft from business email compromise fraud schemes affecting US financial institutions and their customers.
FinCEN Advisory, July 16, 2019
Common Methods of Email Fraud
Spoofing and hijacking are two of the most common methods used in email attacks:
Spoofing: The emails pretend to be an executive or professional at a vendor. Sent to the company employee responsible for wire transfers, these emails request that funds be sent to the thief’s account.
Hijacking: This involves hacking into a real email account and sending wire requests for transfers to an account controlled by the criminal.
Watch for Red Flags
Here are some common red flags that should raise doubts when you receive a wire transfer request:
Sender uses poor spelling and incorrect or unbusinesslike verbiage. Fraudsters often use language or terminology that is clumsy or incorrect, including misspellings, poor punctuation, and awkward wording.
Email request involves important changes. Be alert to any changes in accounts and customary practices in wire transfer requests. Businesses don’t switch banks and accounts very often, and any change should raise suspicions.
Request is for a large amount or an unfamiliar purpose. Larger-than-typical amounts and requests for unusual reasons should immediately raise questions.
Sender calls the wire a rush request. Cybercriminals want to get you to act quickly. They know that time is not on their side: The longer you take to review a request, the greater the likelihood that they’ll be thwarted.
Sender insists on communication only by email rather than verbal. The sender may claim to be unreachable by phone, thus making verbal verification impossible. The email message might promise verbal contact after the funds have been wired.
Return email is different from the one customarily used. The email address is similar to a valid address but not exactly the same. Sometimes it’s only one letter that’s different.
Sender is not one of your usual contacts. The sender may claim to be the CEO or senior executive of the vendor, believing that—in an effort to be responsive—you may wire funds without verification.
The overwhelming majority of successful cyberattacks are carried out as the result of human error and/or behavior— some estimate nearly 90%!2
Defend Your Company
While cybercriminals are relentless in their attacks on companies, you can take meaningful action to protect your company from wire transfer fraud via emails:
Use common sense—trust your instincts. Ask questions when dealing with suspicious requests, and don’t be reluctant to do so.
Establish a no-exceptions practice to authenticate return email addresses and account details with every wire transfer request.
When you have any question at all, insist on verifying requests with a trusted source—including the salesperson—using a phone number you know is reliable before you wire funds.
Create approved templates for wires for each company and limit the number of people that may modify them.
Require dual authorization on outgoing automated clearing house (ACH) payments or wires so there are two sets of eyes on payments.
Have established processes on setting up new vendors and editing payment information for existing vendor relationships.
Ensure that all finance professionals handling payment requests at your company understand approval protocols.
Requiring dual authorization on outgoing ACH payments or wires is one way to protect your company from wire transfer fraud via emails.
Above all, take your time—don’t become a victim.
If you suspect you’re the victim of a wire transfer fraud attack, it’s important to act quickly:
- Call the KeyBank Hotline at 1-800-433-0124 (Option 4).
- Verify your identity.
- Describe your concerns on the recorded line—be candid and forthcoming.
To learn more about how you can protect your business from fraud, visit Key.com/cybersecurity.