6 tips to protect against new cyber threat: masquerading
Wire fraud against businesses is taking on a new form. There’s an emerging category of cyber-crimes that I’ve begun referring to as “masquerading.”
Federal authorities alerted those of us in the financial services industry late last month to the increased reports of wire fraud tied to masquerading, in which criminals impersonate an executive within a company to perpetrate wire fraud.
New approach thwarts security systems
The scheme is essentially a new twist on an old threat. Last year, fraudsters were able to pose as a business client of a bank by hacking a business’s email system. Once inside and posing as company executives, the criminals could send emails to the bank to request wire transfers from the business’s account to a bogus account (usually outside U.S. borders) controlled by the criminals. Banks put the kibosh on these scams through stepped-up security around wire transfers.
In the new masquerading attacks, hackers can impersonate a CEO or CFO and either phone or email someone in the company — let’s say, the controller — requesting a confidential wire transfer to a non-existent company used for the fraud. The controller, believing the CEO’s email or phone call is legitimate, then contacts the bank to request the wire transfer.
Now, the bank’s security checks and balances may not protect the business because the controller believes the wire request is legitimate and may insist that the transaction go through right away.
Criminals perpetrating masquerading attacks can try this against a thousand or more businesses, and if they succeed can make off with thousands, if not millions, of dollars.
Ways to protect your business
Wire fraud involving masquerading appears to be on the rise. Here are six security tips to help you spot and thwart potentially fraudulent requests for wire transfers:
1. Confirm that the request to initiate the wire is from an authorized source within the company.
2. Double- and triple-check email addresses. A common masquerading trick is to modify an email address slightly so an employee does not notice that the message is from a fraudulent domain. By replacing the “w” in our company’s name with a double “v,” for example, a masquerader could send emails from Bankofthevvest.com.
3. Establish a multi-person approval process for transactions above a certain dollar threshold. Two or more approvals are preferable to protect against internal and external fraud.
4. Slow down. Speed is the fraudster’s ally and your enemy. Fraudsters gain an advantage by pressuring employees to take action quickly without confirmation of all the facts. Be on high alert for possible fraud anytime wire transfer instructions include tight deadlines.
5. Be suspicious of confidentiality. Whenever wire transfer instructions specify to keep the transaction secret, you should verify the legitimacy of the source of this request. Speak to the executive or manager requesting the transaction by phone or in person. If you still have doubts, speak to another senior executive.
6. Many companies require a valid purchase order number and approval from a manager and the finance department to spend money. Similarly, your business can require that all wire transfers over a certain dollar threshold be matched to a reference number to ensure they are linked to a previously approved purchase or service.
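The address check in tip 2 can be automated in a mail filter or a payment-request workflow instead of relying on the reader's eye. The sketch below is an added example, not code from the original article; the trusted-domain list, the substitution table, the distance threshold and the sample addresses are assumptions constructed for illustration.

```python
# Added example: flag sender domains that imitate a trusted domain.
# TRUSTED, CONFUSABLES and max_distance are illustrative assumptions.
TRUSTED = {"bankofthewest.com"}

# Character sequences often swapped in to imitate another letter.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]

def skeleton(domain):
    """Collapse common lookalike substitutions to a canonical form."""
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance, to catch typos and swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, trusted=TRUSTED, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unknown' for a From address."""
    domain = address.rsplit("@", 1)[-1].strip().strip(">").lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # Same skeleton but different spelling: a homoglyph-style imitation.
        if skeleton(domain) == skeleton(good):
            return "lookalike"
        # Within a couple of edits of a trusted domain: likely typosquat.
        if edit_distance(domain, good) <= max_distance:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample addresses, not taken from real traffic.
    for sender in ["CFO <cfo@bankofthewest.com>", "ceo@Bankofthevvest.com",
                   "ceo@bankofthewset.com", "vendor@example.org"]:
        print(f"{sender:32} -> {classify_sender(sender)}")
```

A "lookalike" result is a reason to hold the wire request and confirm by phone or in person, as tip 5 describes; "unknown" only means the domain is neither trusted nor close to a trusted one.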
Wire fraud is a significant problem for businesses. Fourteen percent of businesses experienced wire fraud last year, up from 11% the prior year, according to the Association for Financial Professionals’ 2014 AFP Payments Fraud and Control Survey.
The best defense against wire fraud is for your business to have rock-solid procedures, such as dual authorization for large-dollar transactions, and to back up those procedures by training your team members so they recognize the signs of suspicious activity within your company.
Have questions or suggestions about preventing wire fraud? Post questions or thoughts in the comments section, and I’ll respond.