Businesses must maintain awareness of, and vigilance against, the constantly evolving and increasingly sophisticated threats in the electronic funds transfer (EFT) landscape. A recent survey and a Federal Bureau of Investigation (FBI) alert support this conclusion. (The Association for Financial Professionals (AFP) 2015 Payments Fraud and Control Survey can be found at: www.chase.com/content/dam/chasecom/en/commercial-bank/executive-connect/common/document/afp-payments-fraud-results.pdf. The alert can be found at: www.ic3.gov/media/2015/150122.aspx.)
A significant proportion of the businesses surveyed experienced losses from wire (27 percent), ACH debit (25 percent) and ACH credit (10 percent) fraud. (With an ACH credit, the customer initiates the payment and pushes funds out of its own account; with an ACH debit, the customer authorizes a business to pull funds electronically from its account.)
Businesses surveyed said the most common reasons for ACH fraud losses were: (i) failure to use ACH debit blocks, filters or positive pay (76 percent); (ii) untimely reconciliations (28 percent); and (iii) gaps in online security controls or criminal account takeover (24 percent). The most effective controls against ACH fraud were: (i) ACH positive pay; (ii) daily reconciliations and other internal procedures; and (iii) segregation of duties. (With debit blocks and filters, the bank posts EFT debits to the business's account only if they meet pre-agreed criteria. With positive pay, the bank gives the business the details of the transactions that failed those criteria and the opportunity to make a "pay or no pay" decision on each.)
As a result, 70 percent of the businesses reconciled EFT transactions and investigated unusual items daily, 50 percent added layers of security or stronger forms of authentication, and 40 percent were upgrading the authentication procedures or devices used to access their networks.
The FBI alert also provides insight into EFT payment fraud, specifically Business Email Compromise (BEC) scams. Spanning 45 countries, with over $214,972,000 in losses and victims ranging from small to large businesses, the scam has three main versions:
- The bogus invoice scheme / supplier swindle: scammers pose as a vendor, by spoofing (i.e. closely mimicking) the vendor's email address or through other channels, and request that payments be sent to an alternative bank account controlled by the scammer.
- The CEO fraud / business executive scam: scammers hack or spoof a high-level executive's email account and request an urgent wire or transfer to an account the scammer controls.
- Other: an employee's personal email account is hacked, and the scammer, posing as the employee, uses that account to ask a vendor to send payments to the scammer's bank account. The scam is usually discovered only when the vendor follows up on the status of the payment.
Gone are the poorly worded emails, mass-mailed as a stab in the dark. BEC emails are well worded, well crafted and well researched:
- Emails are sent directly to the individuals responsible for initiating EFTs.
- Spoofed emails very closely mimic legitimate addresses.
- Emails appear legitimate because they are built on plausible details gleaned from social media, earlier security breaches or other reliable sources.
- Emails are well-timed for efficacy, for example to coincide with the spoofed executive’s overseas travel.
- Scams are often preceded by network intrusions or phishing emails that harvest the details the fraudster still lacks.
To add insult to injury, an insurer may refuse to pay claims arising from certain BEC scams on the basis that the duped business made the transfers voluntarily.
The FBI and other security experts offer various suggestions for guarding against BEC scams, including:
- Equip employees with the right strategies. Train them to:
- Not divulge sensitive information on social media.
- Pay close attention to sender addresses, as spoofed addresses can be hard to spot (e.g. [email protected] versus [email protected]).
- Verify suspicious EFT instructions received by email out of band, for example by phoning the sender at a known, bona fide number (not a number taken from the suspicious email itself).
- Escalate and obtain appropriate approvals for all requests to change banking details or add payees; each such request should be independently investigated and verified before any payment is released.
- Delete suspicious emails and spam without opening them or clicking on "unsubscribe" or other links in them. In particular, never click on links purporting to lead to a bank's website; instead, type the bank's web address into the browser or select it from "favourites".
If these suggestions seem simplistic, consider the results of a controlled test that a security expert recently performed for a client. He spoofed the client's own domain name and emailed employees asking them to click on a link and enter their usernames and passwords. A shocking 62 percent of employees did!
- Implement IT controls that can help thwart scammers, including:
- Avoiding free, web-based email accounts for company business, as they are frequently compromised; use email accounts on a company-owned domain instead.
- Configuring email servers and DNS to reduce spoofing, for example by publishing sender-authentication records such as SPF and DMARC (see Microsoft's guide at https://technet.microsoft.com/en-us/library/jj723164).
- Installing, and keeping up to date, antivirus, anti-spyware and anti-malware protection, firewalls, etc.
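Two of the points above lend themselves to automation: spotting sender addresses that merely look like a vendor's or executive's real address, and confirming that a domain's anti-spoofing configuration actually enforces anything. The following Python script is an added example written for this edit; it is not code from the article, the FBI alert or the Microsoft guide. The trusted domains, the From: headers, the DMARC records, the homoglyph table and the two-edit distance threshold are all constructed assumptions chosen to illustrate the checks.

```python
"""Added example: two automatable checks against the BEC techniques
described above.

1. Classify the From: header of an incoming payment request against the
   domains the business actually deals with, flagging lookalike domains
   (a character or two changed, or digit/letter homoglyphs) and
   display-name spoofing (a trusted address shown as the display name
   while the real sender is somewhere else).
2. Grade a DMARC record so a monitoring-only policy (p=none) is not
   mistaken for spoofing protection.

All domains, headers and DNS records here are constructed samples.
"""
import re

# Constructed: domains of the vendors and group companies we actually pay.
TRUSTED_DOMAINS = {"examplecorp.com", "acme-supplies.com"}

# Character sequences that look alike when a human skims a sender address.
# Assumed illustrative list; extend it for your own environment.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s")]

# Assumption: a domain within two edits of a real one still "looks right".
MAX_EDIT_DISTANCE = 2


def normalize(domain):
    """Lower-case and fold homoglyphs so exarnp1ec0rp.com == examplecorp.com."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header):
    """Split 'Display Name <addr>' into (name, addr); a bare address has no name."""
    m = re.fullmatch(r'\s*(.*?)\s*<([^<>\s]+)>\s*', header)
    if m:
        return m.group(1).strip('"'), m.group(2)
    return "", header.strip()


def classify_sender(header, trusted=TRUSTED_DOMAINS):
    """Return (verdict, related trusted domain or None) for one From: header."""
    name, addr = parse_from(header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in trusted:
        return "trusted", domain
    # Lookalike domain: identical after homoglyph folding, or a couple of edits away.
    folded = {normalize(t): t for t in trusted}
    if normalize(domain) in folded:
        return "lookalike_domain", folded[normalize(domain)]
    best = min(trusted, key=lambda t: levenshtein(domain, t))
    if levenshtein(domain, best) <= MAX_EDIT_DISTANCE:
        return "lookalike_domain", best
    # Display-name spoof: a trusted address in the name, real sender elsewhere.
    shown = re.search(r'[\w.+-]+@([\w.-]+)', name)
    if shown and shown.group(1).lower() in trusted:
        return "display_name_spoof", shown.group(1).lower()
    return "external", None


def parse_dmarc(record):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_verdict(record):
    """'enforcing' (quarantine/reject on 100% of mail), 'partial', 'monitor_only' or 'invalid'.

    In production the record comes from a TXT lookup of _dmarc.<domain>;
    here it is passed in so the example runs offline.
    """
    tags = parse_dmarc(record)
    policy = tags.get("p")
    if tags.get("v", "").upper() != "DMARC1" or policy is None:
        return "invalid"
    if policy.lower() not in ("quarantine", "reject"):
        return "monitor_only"   # receivers are asked to deliver spoofed mail anyway
    return "enforcing" if int(tags.get("pct", "100")) == 100 else "partial"


if __name__ == "__main__":
    # Constructed From: headers of the kind a payments clerk might receive.
    for h in ["Jane Doe <jane.doe@examplecorp.com>",               # genuine
              "Jane Doe <jane.doe@examplecorp.co>",                # one character dropped
              "Jane Doe <jane.doe@exarnp1ec0rp.com>",              # rn/1/0 homoglyphs
              "jane.doe@examplecorp.com <jd8842@freemail.example>",  # trusted address as display name
              "Sales <sales@unrelated-vendor.example>"]:           # plain outsider
        print(f"{classify_sender(h)[0]:<19} {h}")
    # Constructed DMARC records for our own domain, weakest to strongest.
    for rec in ["v=DMARC1; p=none; rua=mailto:dmarc@examplecorp.com",
                "v=DMARC1; p=quarantine; pct=25",
                "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@examplecorp.com"]:
        print(f"{dmarc_verdict(rec):<13} {rec}")
```

The sender check is a triage aid for the people who initiate EFTs, not a substitute for the out-of-band call-back described above: a "lookalike_domain" or "display_name_spoof" verdict should block the payment until the request is verified by phone at a known number. The DMARC check only covers the business's own domain; it stops outsiders from sending as that domain to receivers that honour DMARC, and does nothing for a vendor whose domain publishes p=none.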