Who’s really contacting you? Masquerading losses mount
Masquerading – the increasingly popular wire transfer scam in which criminals impersonate a company executive or a known vendor to entice a business to transfer money to a fraudulent account – is still making news.
In recent weeks, an Austrian aircraft parts supplier and a Belgian bank lost more than $125 million to masquerading, also known as business email compromise.
I’ve been blogging about masquerading and talking about it at public events for the past two years. In 2016 we’re likely to see yet more successful frauds like this. Losses so far have been significant, estimated at over $1 billion by the end of 2015. Since the FBI’s Internet Crime Complaint Center began tracking these scams, it has compiled statistics on more than 7,000 U.S. companies that have been victimized. Take a look at the FBI announcements here and here.
Below are some hints to help you protect your business and your employees from different kinds of masquerading.How the hackers operate
Masquerading is a combination of social engineering and a confidence scam, using high-tech tools. The hackers impersonate someone you or your business knows, such as the CEO or CFO, or a vendor the company does business with. They phone or email someone in the company — for example, the controller — requesting a wire transfer. The controller, believing the email or phone call to be legitimate, contacts the bank to request the wire transfer.
Frequently, a bank’s fraud prevention department will contact a business to verify the request for a large wire transfer. But typically the controller or someone else with financial authority, taken in by the hackers, will insist the wire transfer is legitimate. Unfortunately, once the transfer is done, it is very difficult to recoup the money.
In recent times the fraudsters have become much more adept at fooling their targets by doing their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. They work hard to be very convincing.
It’s worth adding that masquerading can take other forms outside of business. Hackers may impersonate a friend or relative traveling abroad, or a child away at college requesting money. Masqueraders can impersonate anyone provided they can get sufficient information to be convincing. (Take a look at my earlier post on sharing information with care.)7 tips to help thwart masquerading attempts
Here are some tips to help you thwart masquerading attempts on your business:1) Confirm that the request to initiate a wire transfer is legitimate. If the request is via email, then call and speak to the person. If the request is via phone call, then use email to confirm. Use an alternate mechanism to verify the identity of the person requesting the funds transfer.
Encourage your employees to build their networks through face-to-face contact, video communication, or by phone. As an additional benefit, studies show that verbal communication rather than email builds better relationships, which should also help your business to succeed.2) Double- and triple-check email addresses. A common masquerading trick is to modify an email address slightly so an employee does not notice that the message is from a fraudulent domain. Create intrusion detection system rules that flag e-mails with extensions that are similar to company email but not exactly the same. For example, .co instead of .com. 3) Verify changes in vendor payment location. Make sure that changes in vendor payment arrangements are flagged and double- or triple-checked for authenticity. 4) Use a multi-person approval process for transactions above a certain dollar threshold. Depending on the size of your business, $7,500 might be a reasonable amount to trigger further scrutiny. Two or more approvals are preferable to protect against internal and external fraud. 5) Slow down. Fraudsters gain an advantage by pressuring employees to take action quickly without confirmation of all the facts. If instructions for a wire transfer include tight deadlines, watch for possible fraud. 6) Be suspicious of confidentiality. Whenever wire transfer instructions specify to keep the transaction secret, you should verify the legitimacy of this request. Speak to the executive or manager requesting the transaction by phone or in person. If you still have doubts, speak to another senior executive. 7) Many companies require a valid purchase order number and approval from a manager and the finance department to spend money. Similarly, your business may require that all wire transfers over a certain dollar threshold be matched to a reference number to ensure they are linked to a previously approved purchase or service.
One of your best protections against masquerading and other types of wire fraud is having sound procedures, such as dual authorization for large transactions. In addition, it’s good to back up those procedures by training team members so they recognize the signs of suspicious activity.