Wire Transfer Fraud: Protecting Your Business from Social Engineering Cyber Theft

Mark Van Divner, Chief Information Security Officer, First Republic

October 5, 2015

Fraud enacted against businesses is now more pervasive than ever. While many businesses have instituted effective safeguards to protect themselves against many forms of cyber-crime, there is a new breed of fraud tactic that businesses might not catch so easily even though there are telling ways of identifying it.

This new crime is social engineering fraud – using a company’s chain of command against them via email communications in order to gain access to large sums of money or sensitive information.

The consequences of social engineering fraud can be costly for any business, but by staying informed and alert, and employing three simple security best practices, you can be prepared to identify and handle even the most subversive of these attacks.

What is Social Engineering Fraud?

In a social engineering fraud cyber-crime, the perpetrator penetrates a company’s email system through email spoofing (manipulating the email transmission protocol into making an email appear to come from a legitimate email address) or traditional password stealing and hacking methods in order to position themselves where they can monitor an individual’s email account in order to await the opportune time to insert themselves into the conversation to commit fraud. Just when the victim is waiting for money wire instructions from the other person (often a vendor, business partner or someone higher up in their organization), the fraudster steps in and provides those instructions.

The money the business owner wires — thinking they’re sending it to the vendor, supplier, or partner who is expecting the funds— actually goes to the fraudster’s bank account. Then, before the victim realizes what’s happened, the money is often transferred out of the United States and is unrecoverable.

This kind of attack is increasingly common; the FBI recently issued a warning stating that losses through these email attacks are expected to top $2.1 billion dollars.

How to Protect Against Social Engineering Fraud

Being tricked by this new incarnation of social engineering fraud isn’t an inevitable scenario. Here are three steps chief financial officers and other target-level executives can take to protect themselves against big losses:

  • Check Account Details: Even a long-standing vendor can be the source of the money wire scam. Once a fraudster has identified an unsuspecting vendor and their customer, they build emails and invoices that are identical to the ones businesses are used to receiving and fulfilling, except for one detail: the account number is new. For the payer, confirm any changes in vendor billing information by calling the vendor on a phone number you have on record (not a number provided in a suspect invoice or the body of the email).
  • Call Your Bank: If a business identifies a suspected fraudulent transfer, they should call their bank’s fraud department immediately for help in recovering any lost funds.
  • Implement and Follow Controls: One key to protecting against all of these examples of social engineering fraud is for businesses to implement dual control for financial transactions. Dual control requires two people to be involved with setting up and releasing funds. This process will make it much more difficult for a fraudster to perpetrate a fraudulent transaction as dual control requires collaboration between the appropriate individuals.

Having dual controls is one of the single most helpful strategies you can implement to secure your wire transfers, as it’s more difficult to fool two people than to fool one. Make sure not to circumvent these controls by sharing password or security authentication tokens, as you can increase your exposure to fraud as well as placing your bank at a disadvantage while monitoring for fraudulent activity.

If you are still unsure about any aspect of social engineering fraud, contact your bank or financial institution and ask them what you can do to protect yourself. It may mean extra safety measures, but when the stakes are hundreds of thousands of dollars, you’ll be glad you followed them.

©First Republic Bank, 2015