By: Leslie Anderson, SVP U.S. Head of Business Banking, Treasury & Payment Solutions
Technology has enabled businesses to execute transactions in minutes. The downside is that it’s made it easy for thieves to conduct their business quickly, as well. Hundreds of thousands of dollars can disappear from your account in less than an hour after receiving an email request for a wire transfer. Fraudsters know this.
Today’s hackers are exceptionally patient and pay thorough attention to detail. They’ll lurk in your email system for months to study your habits, your chain of command, your routines with your outside partners, even your travel plans.
As you’ll see from the case studies below, that patience often (literally) pays off. More and more, we’re seeing how fraudsters can use the information they gain to trick companies of all types and sizes into making fraudulent wire payments through a simple email request.
An Illinois food distributor with annual revenue of more than $20 million.
The company received an email that appeared to be from one of its vendors with new wire instructions to pay an invoice. The email appeared legitimate, including the same signature line the vendor has used. It also arrived at the time the vendor usually requests payment, and for an amount that did not appear out of the ordinary — both indicators that the fraudsters had been monitoring the company’s correspondence.
The company realized there was a problem when the real vendor contacted them to inquire about a late payment. Because three weeks had passed before the fraud was discovered, the loss was more significant than it would have been if the company had immediately realized what happened.
THE WARNING SIGNS
The vendor was located in the Philippines, but the fraudulent email requested funds to be transferred to a bank in Romania (the typical vendor invoice specified a bank in the Philippines). That type of change should have raised a red flag.
$23,500 put at risk.
Because the company had a level of comfort with their vendor, they weren’t as diligent as they should have been in verifying the request. The company now verifies all email wire requests by phone with individuals authorized to make a request.
Out of Office, Out of Funds
A Florida-based manufacturer with annual revenue of more than $5 million.
The company controller received an email she thought was from the company president, requesting an immediate wire transfer to facilitate an equipment purchase. She tried to call the president to confirm but was unable to reach him. She then attempted to reach him by email. After receiving a (fraudulent) reply, she authorized the payment.
After speaking with the vice president of finance, the controller learned the president was on a flight, which was why he wasn’t returning her calls. When she finally spoke to the president, she realized it wasn’t a legitimate request and that the president’s email had been hacked.
The format of the email mimicked prior communications, and the fraudster appeared to know when the president was traveling — both indicators that the fraudster had been closely studying his email communications. Also, because the wire amount was so specific, it didn’t initially raise any alarms.
THE WARNING SIGNS
At first glance, the email appeared to be legitimate. But closer inspection revealed errors in the sender’s email address and the recipient’s details.
$98,500 put at risk.
Despite having dual controls in place, the controller circumvented the system by using two user IDs to execute the wire transfer. The company now requires three people (the president, VP and controller) to be in agreement before approving any wire transfers or changes to wire information.
Taking Advantage of the Temp
An Illinois-based manufacturer with annual revenue of more than $20 million.
While the company’s full-time controller was away on leave, her replacement received an email requesting an international wire transfer from what appeared to be the company’s owner. Because he was known to request wires through email, she executed the wire. She quickly realized she should have verified it first; after contacting the owner and confirming the request was not his, she contacted the bank to start the process of recalling the wire.
THE WARNING SIGNS
The sender’s name matched the company owner. But if the interim controller had examined the email address associated with the sender, she would have noticed that the address was completely incorrect.
$27,800 put at risk.
The company now always verifies wire requests by phone with individuals authorized to make a request.
A Wisconsin-based manufacturer with annual revenue of more than $10 million.
The controller received an email disguised as coming from the company president urgently requesting a wire transfer. Because the president of the company would frequently email his finance staff payment requests, which would often be approved without validation, nothing appeared out of the ordinary.
But the president’s email account had been compromised. In fact, the fraudster apparently had access to the system long enough to carefully mimic the style and tone of previous emails requesting wire payments. It also appears that the hacker knew the controller was the single point of contact for authorizing wire payments.
After the controller authorized the request, she informed the CFO, who noticed the wire instructions looked suspicious. Most notably, the receiving bank was located in China, which would have been out of the ordinary for a request coming from the company president.
THE WARNING SIGNS
Others within the company already knew that the president’s email account had been hacked. However, there was no internal communication alerting the staff to this fact. If the breach had been communicated, the controller would likely have been more thorough in verifying wire requests.
$75,000 put at risk.
Prior to the event, the company had been working around its dual authorization process by letting the controller hold two user IDs, one to initiate and one to authorize wire payments. The company is now following better internal processes, including:
- True dual authorization.
- A callback process to validate the authenticity of requests by phone to the individual approved to request a wire.
Enforce Dual Controls
Implement — and enforce — dual controls, which require two individuals to approve a wire transfer.
Pick Up The Phone
Call the number you have for the individual authorized to request a wire transfer — don’t rely on the number provided in an email message.
Follow Email Protocol
When replying to emails, delete the information in the “To” field and manually enter the contact information you have on record. That can help stave off phishing scams.
Consider Electronic Funds Transfer
When possible, use same-day EFTs, which make it easier to recall payments.
Enforce Authorization Procedures
Don’t be afraid to call the head of the company to verify wire requests. Conversely, owners and CEOs should understand why the finance department needs to call them, and they should comply with proper authorization processes, as well.
Limit Exploitable Information
Don’t set up “Out of Office” automated email replies. Fraudsters who get access to your account will be able to know when you’re away and use that to their advantage.
Customize Payment Requests
For regular vendors, create wire transfer templates that can only be accessed by a single authorized requestor and approver. Also require two people to authorize any change to banking information.
Recognize Vendor Behavior
Know your customers. Recognize any changes in behavior in your communications, such as a request that includes a different payment location.
Apply extra scrutiny to international wire requests.
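As an added illustration (not part of the original article), the following Python function turns the warning signs from the case studies and the controls above into a screening step for an emailed wire request; the vendor record, user IDs, and home-country value are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class VendorRecord:
    """What the company already holds on file, independent of any incoming email."""
    email: str          # address on record, compared against the email's sender
    bank_country: str   # country of the bank on the last verified invoice


@dataclass
class WireRequest:
    """An emailed wire request as it reaches finance (constructed for the example)."""
    sender_name: str
    sender_email: str
    beneficiary_bank_country: str
    amount: float
    initiated_by: str                 # user ID that keyed the wire
    approved_by: str                  # user ID that approved it
    callback_confirmed: bool = False  # phone confirmation to the number on record


def screen_wire_request(req, vendor, user_owner, home_country):
    """Return the warning signs found; an empty list means nothing was flagged.

    user_owner maps each banking user ID to the employee who holds it, so two
    IDs held by one person (the workaround in two of the cases) are caught.
    """
    flags = []
    # The display name looked right, but the address behind it was wrong.
    if req.sender_email.lower() != vendor.email.lower():
        flags.append("sender address does not match the address on record")
    # New instructions moved the bank to another country (Philippines to Romania).
    if req.beneficiary_bank_country != vendor.bank_country:
        flags.append("beneficiary bank country differs from the bank on record")
    if req.beneficiary_bank_country != home_country:
        flags.append("international wire: apply extra scrutiny")
    # Dual control means two people, not two user IDs held by the same person;
    # IDs that are not in the mapping at all are treated as the same (unknown) holder.
    if user_owner.get(req.initiated_by) == user_owner.get(req.approved_by):
        flags.append("initiator and approver are the same person")
    # A plausible amount and timing are not verification; only the callback is.
    if not req.callback_confirmed:
        flags.append("request not confirmed by callback to the number on record")
    return flags


if __name__ == "__main__":
    vendor = VendorRecord("ap@example-foods.example", "PH")
    req = WireRequest("Example Foods", "ap@example-f00ds.example", "RO", 23500.0, "ctrl1", "ctrl2")
    print(screen_wire_request(req, vendor, {"ctrl1": "controller", "ctrl2": "controller"}, "US"))
```

Any flag other than the international-wire note should hold the payment until it has been verified by phone with the person authorized to request it.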