What your business may learn from the alleged Xoom Corp. fraud
Here’s a multi-million-dollar reminder of the potential risks to your business from the fraud scheme known as masquerading: Xoom Corp. On December 30 the company determined that it had been the victim of a criminal fraud, claiming fraudsters — using employee impersonation to target the company’s finance department — duped them into transferring $30.8 million to overseas accounts.
I’ve been talking a lot in recent months about masquerading. In fact, our Bank just released a video, “60 Second Download: Masquerading” (see below), to help educate businesses about this form of fraud, in which hackers impersonate a CEO or CFO and either phone or email someone in the company to request a confidential wire transfer to another company. But that other company does not actually exist. The employee, believing the executive’s request is legitimate, then contacts the business’s bank to request the wire transfer.
One way to help prevent this type of fraud is to establish a multi-person approval process for transactions above a certain dollar threshold. Two or more approvals are preferable to help protect against internal and external fraud.
Here are 5 more tips that may help you and your organization protect against masquerading:
1. Confirm that any request to initiate a wire is from an authorized source within the company.
2. Double- and triple-check email addresses to help ensure messages are not coming from a fraudulent domain with a slightly different address from your company’s domain.
3. Slow down. Be on high alert for possible fraud anytime wire transfer instructions include tight deadlines.
4. Be suspicious of requests for confidentiality. Whenever wire transfer instructions specify to keep the transaction secret, you should verify the legitimacy of the source of this request. Speak to the executive or manager requesting the transaction by phone or in person. If you still have doubts, speak to another senior executive.
5. Similar to checks for paying large purchase orders, wire transfers over a certain dollar threshold may be matched to a reference number to help ensure they are linked to an approved purchase or service.
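Tip 2 can be partly automated at the mail gateway or in a finance team's request-intake tooling. The sketch below is an added example, not part of the original post: it classifies the sender domain of a `From:` header as internal, look-alike or external. The domain `example-corp.com`, the function names and the confusable-character list are assumptions to replace with your own.

```python
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumption: placeholder for your own domain

# Character swaps commonly used to make a domain look right at a glance.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(domain):
    """Collapse visually confusable sequences so look-alikes compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, company=COMPANY_DOMAIN):
    """Return 'internal', 'lookalike' or 'external' for a From: header value."""
    _, addr = parseaddr(from_header)          # handles "Name, Title" <a@b> forms
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "external"
    if domain == company:
        return "internal"
    if skeleton(domain) == skeleton(company):  # e.g. digit 1 in place of letter l
        return "lookalike"
    if domain.rpartition(".")[0] == company.rpartition(".")[0]:
        return "lookalike"                     # same name, different TLD
    if edit_distance(domain, company) <= 2:    # typo-style swap or dropped letter
        return "lookalike"
    return "external"

if __name__ == "__main__":
    # Constructed sample headers, not taken from any real incident.
    for header in ('"Jane Doe, CFO" <jane.doe@example-corp.com>',
                   "CFO <cfo@examp1e-corp.com>",
                   "billing@vendor.example"):
        print(classify_sender(header), header)
```

A "lookalike" result is a reason to hold the wire request and verify it by phone or in person, as tip 4 describes; an "internal" result alone does not prove the request is genuine, since a real mailbox can be compromised.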
Xoom Corp. indicated in the disclosure about its recent losses that it has implemented additional internal procedures, and its audit committee is reviewing those controls and processes as part of the investigation of the incident.
Your business may be able to learn from Xoom’s experience and take steps now to help protect against masquerading.
If you have questions or thoughts about masquerading and wire fraud, post them in the comments section, and I’ll respond. You can also watch our video here: