The term “Wire Transfer Fraud” started in the origin of this type of crime – wire transfers, which is the transfer of funds between banks across telegraph wires and shortly thereafter phone lines. It has grown to cover any bank fraud that involves electronic communication mechanisms instead of face-to-face communication at a financial institution. It also involves the fraudulent attainment, by way of false pretense, of banking information to gain access to another person’s bank account.
This kind of attack against businesses and other organizations (municipalities and schools have been hit hard by this kind of attack) has become a significant threat to an organization’s financial well-being. Much of business today is conducted remotely – either over the phone or (more often) through email. Without that face-to-face verification of someone’s identity, it is possible for an attacker to trick either party in a transaction into transferring money to their bank account instead of the intended recipient’s, or deceiving a party into thinking that a transfer of funds is necessary when it is not, providing fraudulent bank account information.
Two real-world examples illustrate the most common methods these attackers use to accomplish wire transfer fraud (neither takes particular technical skill):
Example 1: The CEO’s Urgent Request
An email shows up in a CFO’s inbox (he or she handles mergers and acquisitions). The email is from the CEO who says to the director that earnest money for the new purchase has to be transferred by the close of business today or the deal will fall through. The email provides account information for the money transfer and includes a personal apology for the “fire drill” but “you know how these things can fall apart.”
The director initiates the transfer only to find out that the email was not sent by the CEO and that the money was sent to a fraudulent account and is now gone. The request came in on a Friday and it wasn’t until Monday that the truth of the situation came to light. This was a publicly-traded company and there was a public record of a letter of intent to purchase the company. The attacker created a very targeted and very realistic-looking email that seemed plausible given this specific information.
Example 2: The Sneaky Reroute
A company’s remote location uses Microsoft’s remote desktop protocol (RDP) to allow the central office to remotely log into their systems for administrative purposes. This access was not locked down to specific source IP addresses and was available to the entire Internet. Exploiting an unpatched vulnerability on the system, an attacker was able to take control of the workstation.
Once on that system, they worked their way through the network to the workstation of someone in the finance department. They checked the email on the host periodically and watched activity until they saw a large transfer was being arranged to an overseas factory (they were on the system for over 6 months waiting for something interesting to happen that they could exploit). They altered the account information in the form that was emailed to point to another, fraudulent account.
The money was transferred (over $1.5M) and no one noticed until the supplier called and asked when that money was going to get transferred. By then the attacker was long gone with the money and the account was closed.
What can I do to prevent wire transfer fraud?
Most wire transfer fraud involves one-off or infrequent payments or fund transfers (or one for which automated mechanisms are difficult or not allowed, such as international wire transfers). As a result, these transfers and payments do not use automatic computer-to-computer transfers.
Organizations must develop written procedures with multiple-party verification steps and approvals to ensure that the transaction is authentic and that the account information is accurate. This written procedure is then used for any bank or payment card transaction that involves the exchange of account information. While this does slow things down, it greatly reduces the chance of a fraudulent transaction from occurring.
If account numbers are exchanged, steps must be taken to authenticate both parties to each other by phone or in-person preferably. If verifying by phone, ensure that the phone number is the correct phone number for the intended party. Having a second party review these transactions ensures that the data in the transfer is correct and appropriate.
Having this entire procedure documented and recorded makes legal and insurance efforts easier in the event that fraud still occurred. Obviously, just having a documented procedure means nothing if all relevant personnel are not trained in the procedure and that its use is audited and reviewed regularly for compliance.
Each organization would likely form their own variation of wire transfer verification procedures. Based on the incidents we investigate, the following process is fairly simple and will combat this threat, especially when social engineering is involved.
For example 1, the CEO’s urgent request, this process would have stopped the attempted fraud in its tracks.
- CFO receives the email from the CEO requesting the urgent transfer
- Check if the email address is actually the CEO or if it is just a message displaying as the CEO.
- If the message is from another email address under the CEO’s name, disregard the message and report the attempted fraud to the internal IT or information security team.
- If the message is from the CEO’s trusted email address, the CFO needs to investigate further
- Call or meet with the CEO and ask if he or she sent the email requesting the urgent wire transfer.
- If he or she did not request the transfer, disregard the message and report the attempted wire transfer fraud to the internal IT or information security team.
- If he or she did legitimately request the transfer, confirm the transfer amount and destination account information.
- Be sure to establish a back-up contact in case the CEO is unavailable to confirm over the phone or in-person. This person could be the CEO’s administrative assistant or another member of the C-Suite.
For example 2, the sneaky reroute, the process may be a bit more technical:
- Lock down all remote access to only allow access for specific source IPs to make sure remote traffic is legitimate.
- Update and patch all systems regularly to reduce the number of potential exploits.
- Check for auto-forwarding rules within email accounts. If attackers gain access to email accounts, they may setup auto-forwarding rules so they can monitor conversations and intervene when a wire transfer is the subject of conversation.
- Compile a list of trusted contacts and contact information for any entity your organization may transfer money to.
- Similar to example 1, whenever a wire transfer is requested, confirm the amount and destination account with both the sender and the recipient either in-person or over the phone.
As mentioned earlier, these processes will only be effective if they are documented and disseminated across your team and covered in such a way that ensures everyone’s understanding and adherence.