6 ways to help protect against the spreading threat of masquerading
It looks like masquerading — a type of wire fraud that is proving particularly difficult to thwart — may become a $1 billion industry this year.
- Xoom Corp. recently disclosed it lost $30 million through fraudulent money transfers.
- Ryanair disclosed it lost $5 million.
- Scoular Co., an Omaha-based commodities trading company, reportedly lost $17 million in an international email fraud scam.
If you add the losses from these three cases and other recent incidents to the FBI’s estimate of $215 million in similar types of business email fraud last year, then I don’t think it’s far-fetched to expect losses from masquerading to top $1 billion by the end of 2015.
The hackers’ tell-tale tactics
In a masquerading attack, hackers impersonate someone you or your business knows, such as the CEO or CFO or a vendor the company does business with. The hackers phone or email someone in the company — for example, the controller — requesting a wire transfer. The controller, believing the email or phone call is legitimate, then contacts the bank to request the wire transfer.
Masquerading can take other forms outside of business. Hackers may impersonate a friend or relative traveling abroad or a child away at college requesting money. Masqueraders can impersonate anyone you or your business send emails to or do business with.
Frequently, a bank’s fraud-prevention department will call back a business requesting a large wire transfer to verify information and confirm they want to proceed. But typically the controller or someone else with financial authority will insist the wire transfer request is legitimate and will verbally authorize the bank to proceed. Once the transfer goes through, it is very difficult to recoup the stolen money.
6 tips to protect against masquerading
Here are six security tips to help you spot and thwart masquerading attempts on your business:
1) Confirm that the request to initiate a wire transfer is legitimate and from an authorized source within the company, or is coming from the actual person requesting it. If the request is an email, then call and speak to the person. If the request is via phone call, then use email to confirm. Use an alternate mechanism to verify the identity of the person requesting the funds transfer.
2) Double- and triple-check email addresses. A common masquerading trick is to modify an email address slightly so an employee does not notice that the message is from a fraudulent domain.
3) Use a multi-person approval process for transactions above a certain dollar threshold. Depending on the size of your business, $7,500 might be a reasonable amount to trigger further scrutiny. Two or more approvals are preferable to protect against internal and external fraud.
4) Slow down. Fraudsters gain an advantage by pressuring employees to take action quickly without confirmation of all the facts. Any time wire transfer instructions include tight deadlines, watch for possible fraud.
5) Be suspicious of confidentiality. Whenever wire transfer instructions specify to keep the transaction secret, you should verify the legitimacy of this request. Speak to the executive or manager requesting the transaction by phone or in person. If you still have doubts, speak to another senior executive.
6) Many companies require a valid purchase order number and approval from a manager and the finance department to spend money. Similarly, your business may require that all wire transfers over a certain dollar threshold be matched to a reference number to ensure they are linked to a previously approved purchase or service.
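Tips 2 through 5 can be enforced as an automated pre-check that runs before a wire request reaches the bank. The Python below is an added example, not part of the original article: the trusted domain, keyword patterns and function names are assumptions made for illustration, and only the $7,500 threshold comes from the text.

```python
import re

# Assumed policy values: $7,500 is the threshold the article suggests; the
# trusted domain and keyword patterns are constructed for this example.
TRUSTED_DOMAINS = {"example-corp.com"}
APPROVAL_THRESHOLD = 7500
MIN_APPROVERS = 2
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
SECRECY = re.compile(r"\b(confidential|secret|do not (tell|discuss|share))\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold_lookalikes(domain):
    """Collapse common visual swaps: 'rn' reads as 'm', '0' as 'o', '1' as 'l'."""
    return domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l")

def domain_status(sender):
    """Classify the sender's domain as trusted, lookalike or unknown (tip 2)."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for good in TRUSTED_DOMAINS:
        if fold_lookalikes(domain) == fold_lookalikes(good) or edit_distance(domain, good) <= 2:
            return "lookalike"
    return "unknown"

def screen_wire_request(sender, amount, approvers, body):
    """Return the reasons a request needs out-of-band verification (tips 2-5)."""
    flags = []
    status = domain_status(sender)
    if status != "trusted":
        flags.append(f"sender domain is {status}")
    if amount >= APPROVAL_THRESHOLD and len(set(approvers)) < MIN_APPROVERS:
        flags.append("needs a second approver")
    if URGENCY.search(body):
        flags.append("urgency pressure")
    if SECRECY.search(body):
        flags.append("secrecy request")
    return flags
```

Any non-empty result means the request should be held until it is confirmed through a second channel, as tip 1 describes.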
Your best protection against masquerading and other types of wire fraud is for the business to have sound procedures, such as dual authorization for large-dollar transactions, and to back up those procedures by training your team members so they recognize the signs of suspicious activity.
Have questions or suggestions about preventing wire fraud? Post questions or thoughts in the comments section below.