In recent years, the FBI has issued multiple warnings about the Business Email Compromise scam. This phishing scam comes in several forms. Hackers often pose as company executives in emails and order employees to process wire transfers for confidential or time-sensitive business transactions. Hackers will also pretend to represent foreign suppliers, send bogus invoices to American companies, and request payment via wire transfer. An employee’s email account may be hacked, allowing the hacker to fraudulently issue invoices on behalf of multiple vendors and request wire transfers to the hacker’s bank accounts.
FBI data shows that 22,143 cases of fraudulent transfers totaling approximately $3.1 billion were initiated between October 2013 and May 2016. According to Trend Micro, organizations victimized by the Business Email Compromise scam lost an average of $140,000 per attack, with the highest number of attacks occurring in the U.S.
Another emerging wire fraud scam involves Same Day ACH (Automated Clearing House) payments, which have only been available since September 23, 2016. Same Day ACH allows payments to be settled in hours rather than taking one or more business days. The immediacy of Same Day ACH, and the high volume of payments, are appealing to hackers, who can take advantage of shorter payment windows by sneaking in fraudulent transfers.
Hackers have also been modifying recipient accounts on scheduled ACH batches. This form of payee edit fraud is difficult to for the sender to detect because recipient accounts are rarely re-verified just before they are sent. By the time the recipient reports that money has not been received, the hacker already has their money. Hackers are increasingly targeting a higher number of small transactions rather than focusing solely on larger transactions, which tend to have better protection.
So why are we seeing this spike in wire fraud scams? Hackers are getting much better at deception and persuasion, which is why people still fall for these and other scams. Money lost in a wire transfer is extremely difficult to recover. Most fraud filters used by banks aren’t capable of evaluating all of the moving parts of such a scam – each individual transaction, account histories for both incoming and outgoing funds, the batches within a file, behavior associated with a particular file, etc. Although automated fraud detection systems are used, most monitoring of flagged transactions is still manual. Many attacks are automated and carried out by bots, and humans just can’t keep up.
There are a number of steps organizations can take to avoid falling victim to a wire transfer scam:
- Require strong authentication for logging into email, receiving payment information, and processing a request to change existing information.
- Confirm payment information by using a different communication channel instead of simply replying to an email.
- Provide clear instructions to business partners and vendors about the proper procedures for communicating payment information.
- Educate and train all employees, and require them to verify everything before initiating payment. A delay is far less costly than a transfer to a fraudulent account.
If you suspect that you’ve been victimized by wire fraud, notify the sending and receiving banks and law enforcement immediately. Also, investigate your email system and encourage affected third parties to do the same.
