Wire transfer fraud continues to be a serious problem for businesses of all sizes, so I thought a quick video and post on what’s happening, how it happens, and how to prevent wire transfer fraud would be appropriate.
Most wire transfer frauds occur via email where a hacker posing as a vendor requests your bookkeeping department to wire funds on an invoice to a new bank account.
Sophisticated hackers often look and sound exactly like your vendor and often will know the amount due on your next invoice, which only further reinforces their legitimacy to your bookkeeper.
How does wire transfer fraud happen?
Hackers have either compromised your email system or your vendor’s email system and have been reading email traffic back and forth so they can email you with a high degree of confidence that they will trick you.
Hackers will also spoof an email address so it looks like it’s coming legitimately from your vendor.
So, your bookkeeper gets the email, thinks it’s legit, changes the banking information, and wires the money due to the hacker who is impersonating your vendor.
Once the funds clear, they withdraw the funds and close the bank account so it’s not traceable.
Most of these transactions move funds offshore to foreign banks outside of the reach of the FBI.
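The spoofed and look-alike vendor emails described above can also be screened before they reach the bookkeeper. The following Python example is added here and is not part of the original post; the vendor domain, sample messages and flag names are constructed for illustration, and it assumes your own mail gateway adds the Authentication-Results header.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: sender domains of vendors already in your accounts-payable records.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example"}
BANK_CHANGE = re.compile(
    r"\b(new|updated?|changed?)\b.{0,40}\b(bank|account|wire|routing|remit)",
    re.I | re.S)

def domain(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def review_flags(raw):
    """Return the reasons a message should be held for call-back verification."""
    msg = message_from_string(raw)
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    body = "" if msg.is_multipart() else msg.get_payload()
    flags = []
    # Any request to change payment details goes to the phone-call process.
    if BANK_CHANGE.search(f"{msg['Subject'] or ''}\n{body}"):
        flags.append("bank-change-request")
    # Replies would go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    # Trust this header only when your own mail gateway added it.
    if "dmarc=pass" not in (msg["Authentication-Results"] or "").lower():
        flags.append("dmarc-not-passed")
    # A near-miss of a known vendor domain can pass SPF/DKIM/DMARC on its own.
    if from_dom not in KNOWN_VENDOR_DOMAINS and any(
            SequenceMatcher(None, from_dom, d).ratio() >= 0.85
            for d in KNOWN_VENDOR_DOMAINS):
        flags.append("lookalike-domain")
    return flags

# Constructed sample messages (not real mail).
AUTH_OK = "Authentication-Results: mx.yourco.example; spf=pass; dmarc=pass\n"
SPOOFED = ('From: "Acme Supplies AR" <billing@acme-supplies.example>\n'
           "Reply-To: billing@acme-supplies-ar.example\n"
           "Subject: Updated remittance details for invoice 1042\n"
           "Authentication-Results: mx.yourco.example; spf=fail; dmarc=fail\n"
           "\nPlease wire the amount due to our new bank account below.\n")
LOOKALIKE = ("From: billing@acme-supplles.example\n"
             "Subject: Change of bank information\n" + AUTH_OK +
             "\nOur banking details have moved; see attached.\n")
ROUTINE = ("From: billing@acme-supplies.example\nSubject: Invoice 1042\n"
           + AUTH_OK + "\nInvoice attached, payable on the usual terms.\n")
```

A flag only routes the message into phone verification; it never replaces the call, and a bank-change request with no other flag still has to be verified by phone.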
Prevent wire transfer fraud with my 3 suggestions. It’s super important and it’s pretty simple.
Here are my 3 suggestions:
- Educate your employees, especially those with control over the money, that these frauds are commonplace and can hit your company.
Then reinforce that education on a regular basis.
- When an employee gets an email from a vendor requesting that bank information be changed, they must view it skeptically and call their contact at that vendor.
It must be a phone call, not an email, and they must not call the person who sent the request or the number in that email's signature line, as the cybercriminal could be on the other end of the line.
- If your employee verifies via telephone that the change of banking info appears correct, they bring the request to management.
Depending on the size of the company, it may be the president/owner or another C-suite executive.
That executive verifies it again with another phone call, if possible to someone other than the person the bookkeeper verified it with.
If the executive is satisfied that the request is legit, they approve the bank information to be changed.
These three steps will help prevent costly mistakes.
Like a lot of risk controls, there can be absolutely no exceptions to this process.
Why am I stating this so strongly?
Because cybercriminals are so adept at this trickery, and create such urgency in these emails, that employees often fall victim to the scam, and the only way to really prevent it is to have a double-check system.
Now, keep in mind this is the human side of controlling this risk.
As always, you need to have a secure and managed network.
Finally, does cyber insurance cover wire transfer fraud?
Yes, in most cases cyber insurance covers wire transfer fraud, but it’s important to understand that if you have a wire fraud loss and you didn’t enforce secondary authentication, that claim may be denied, or you may have a very difficult renewal, or your premiums can escalate greatly.
Take the steps necessary to prevent fraud and potential problems.
Have other questions on cyber risk or insurance?
Why not contact us?
I’d love to hear from you.