Phishing and social engineering attacks to divert wire transfers or invoice payments, commonly called business email compromise (BEC), are not new fraud techniques, but they have recently taken a back seat to ransomware as the cyberthreat businesses worry about most. However, over the past few weeks, we have seen a surge in new matters where the fact pattern is the same as it has been for almost a decade:
- The accounting department starts seeing an increase in accounts receivable for one or more customers.
- The accounting department follows up on outstanding invoices.
- The customer reports that he/she already paid the invoices and provides proof of the wire transfer.
- The accounting department alerts the customer that he/she sent the wire to the wrong bank account.
- The customer states that he/she was just following the accounting department’s instructions, attaching an email with “new” wire instructions that appeared to come from the accounting department.
The email, of course, is not from the accounting department but from a fraudster. Sometimes the bad actor compromised an accounting department employee’s email account to find customers, steal invoices and gain an understanding of the cadence and manner of billing emails. Sometimes the bad actor compromised the customer’s email account for the same purpose and then used an email that looked enough like the vendor’s accounting department email address to trick the customer. But whatever the method of access and communication, the two entities share the same outcome: Money has been paid to bad actors, and it is highly unlikely that it will be recouped, even with law enforcement intervention.
Our team has handled hundreds of matters like this over the years, and businesses of all sizes continue to fall for this scam. One common theme of all these incidents is that most are preventable by employing certain policies, conducting awareness training and implementing low-cost technical measures.
How to Help Prevent Fraudulent Wire Instructions
Here are a few tips to lessen the risk that your business will fall victim to wire transfer fraud:
- Establish a bank account change policy for receipt of wire transfers or invoice payments. It’s as easy as picking up the phone! Require that employees verify all requests to change bank account information by customers, vendors or business partners by calling a known telephone number – but not the telephone number in the email with the request.
- Provide education and awareness training for your employees who deal with transfers. Make sure employees who deal with payments are aware of the threat and the policy to verify all requests to change bank account information by phone. Follow up with training and reminders on a periodic basis. Also, alert employees that in the event of a suspected transfer to a fraudulent account, quick reporting may improve chances of recovery.
- Enable multifactor authentication for web-based email access. Enabling multifactor authentication will make it more difficult for bad actors to access an account remotely via web browser with credentials captured in response to a phishing email. Two caveats: legacy mail protocols that do not support a second factor (for example, basic IMAP or SMTP authentication) should be disabled at the same time, or the captured password still works through them; and one-time codes can be relayed by a phishing site in real time, so where it is available, a phishing-resistant method such as a FIDO2 security key is the stronger choice.
- Enable “impossible travel” alerts. Most commercial email services can be configured to alert the email administrator to suspicious logins through impossible travel alerts, which are triggered when an email account is accessed from two locations within a time span that would not allow for travel between the two locations. This will alert your information technology resources to investigate a potential compromise shortly after suspicious activity is detected.
- Geo-block email access. Most threat actors are accessing compromised email accounts from IP addresses that resolve to countries outside the United States. Geo-blocking email access from areas of the world where a business does not have employees is also helpful to thwart this style of attack. Treat it as one layer rather than a complete control: an attacker can route through a VPN or proxy located in an allowed country, and traveling employees will need an exception process.
- Raise awareness and educate business partners. A simple, proactive email from your accounting department to business partners or customer accounts payable counterparts can help raise awareness and thwart future fraud attempts.
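The impossible-travel and geo-blocking checks above are usually switched on inside the mail provider's console, but it helps to see what the logic actually does. The following is an added example, not code from the original article: a small Python script that reads constructed sign-in records (user, timestamp, source IP, country and the coordinates the IP resolved to), flags any pair of consecutive sign-ins by one user that would require travel faster than a chosen speed, and lists sign-ins from countries outside an allowlist. The log lines, coordinates, the 900 km/h threshold and the US-only allowlist are all assumptions for illustration.

```python
"""Impossible-travel and geo-allowlist checks over mailbox sign-in events.

Added example, not code from the original article. The sign-in records,
coordinates and thresholds below are constructed for illustration; in
practice the events come from the mail provider's sign-in log with the
source IP already resolved to a country and coordinates.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: about airliner cruise speed
ALLOWED_COUNTRIES = {"US"}        # assumption: staff sign in only from the US

# Constructed sample log: user, ISO 8601 time, source IP, country, lat, lon
SAMPLE_LOG = """
ap.clerk@example.com, 2024-03-04T08:02:11-05:00, 203.0.113.7, US, 41.88, -87.63    # Chicago office
ap.clerk@example.com, 2024-03-04T09:15:40-05:00, 198.51.100.23, NG, 6.52, 3.38     # Lagos, 73 minutes later
ap.clerk@example.com, 2024-03-05T08:05:00-05:00, 203.0.113.7, US, 41.88, -87.63    # Chicago again next day
controller@example.com, 2024-03-04T08:00:00-05:00, 203.0.113.9, US, 41.88, -87.63
controller@example.com, 2024-03-04T17:45:00-05:00, 192.0.2.44, US, 40.71, -74.01    # New York, same evening
"""


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    country: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points given in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_events(lines):
    """Parse the comma-separated format above; blank lines and '#' comments are skipped."""
    events = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        user, ts, ip, country, lat, lon = [f.strip() for f in line.split(",")]
        when = datetime.fromisoformat(ts).astimezone(timezone.utc)
        events.append(SignIn(user, when, ip, country, float(lat), float(lon)))
    return events


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive sign-ins by one user that imply travel faster than max_speed_kmh."""
    alerts = []
    last = {}  # user -> most recent SignIn seen in time order
    for ev in sorted(events, key=lambda e: (e.user, e.when)):
        prev = last.get(ev.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.when - prev.when).total_seconds() / 3600.0
            # Same-instant sign-ins from two different places: treat the speed as infinite.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": ev.user, "from_ip": prev.ip, "to_ip": ev.ip,
                               "distance_km": round(dist), "hours": round(hours, 2),
                               "speed_kmh": round(speed)})
        last[ev.user] = ev
    return alerts


def outside_allowed_countries(events, allowed=ALLOWED_COUNTRIES):
    """Sign-ins that a geo-block policy with this allowlist would have denied."""
    return [ev for ev in events if ev.country not in allowed]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    for alert in impossible_travel(evs):
        print("IMPOSSIBLE TRAVEL", alert)
    for ev in outside_allowed_countries(evs):
        print("GEO-BLOCKED", ev.user, ev.ip, ev.country, ev.when.isoformat())
```

On the sample data the Chicago-to-Lagos pair for ap.clerk@example.com is flagged (roughly 9,600 km in 73 minutes), the Lagos sign-in is also outside the allowlist, and the controller's Chicago-to-New York day is left alone. The return leg to Chicago the next day is not flagged because the implied speed is within what a flight allows, which is the point of a speed threshold rather than a plain "two countries in one day" rule. In production, sign-ins through a corporate VPN or a cloud proxy will all resolve to the provider's location, so those egress addresses need to be excluded before this check or it will generate noise.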
* * * *
Below is a sample message to send to appropriate business partner and customer contacts.
We have seen recent news stories about malicious attempts to convince clients or customers to wire money to fraudulent bank accounts. We value our relationship with you and want to provide you with information to help prevent such an incident.
First, we will never send you via email a request to wire or transfer funds to a different bank account. Any request to change wire instructions will be communicated offline. We have not changed our bank accounts or banking relationships, and we have no intention of doing so in the future.
Second, if you receive an email from us that seems suspicious, please do not hesitate to call a known contact within our organization to confirm that the email is legitimate. You should use a known phone number to call the person, not the phone number from the suspicious email, as attackers sometimes change that information and route calls to a different person.
If you want to learn more about this type of scheme, the FBI has published several alerts over the past few years about business email compromise. These alerts can be found at https://www.ic3.gov/media/2019.aspx.
If you have any questions or concerns, please do not hesitate to contact [your dedicated point of contact] OR [name/contact information of designated person to respond to inquiries].
* * * *
How to Respond If You Discover You Are a Wire Fraud Victim
There are a number of practical concerns to address after a business discovers it has been the victim of a wire fraud scheme:
- Getting the Money Back: Recouping the transferred funds becomes less likely as time passes between the fraudulent transfer and contact with the bank from which the funds were transferred. Contacting your bank followed by calling your local FBI, Secret Service field office or privacy counsel and reporting the incident on the ic3.gov website immediately upon discovery are essential first steps.
- Determining How It Happened: Identifying whose email account was compromised by the bad actors is important when negotiating whether the vendor or the customer should shoulder the loss. But there can be greater implications. Attackers often use compromised accounts to find other personal information – such as Social Security numbers, W-2s and financial account information – to perpetrate additional fraud. If this type of information resides in the compromised email account, the business whose email was compromised may have additional legal obligations based on state or federal data breach notification laws or contractual clauses with other business partners. A forensic analysis of how the incident happened also can help determine whether any other customers or business partners were similarly contacted or whether other email accounts within the organization have been compromised and used maliciously. That review should include the sign-in history for the account and any inbox rules or forwarding settings the attacker added, since these are commonly used to hide the customer's replies from the real mailbox owner and will keep working after the password is changed unless they are removed.
- Determining What Insurance Covers: Whether insurance covers wire fraud depends on the policy. Your insurance broker can help you determine what coverage you have or could obtain for this type of loss and in what circumstances coverage responds.