By: Carol E. Roland, CPA, CFE, CGMA, MBA, Trout CPA
In 2021, the FBI received 19,954 business email compromise (BEC) complaints with adjusted losses of nearly $2.4 billion, up from $1.8 billion in the prior year – a 33% increase! [1] Many of these losses result from wire transfer fraud. Fraudsters have become more sophisticated, and their schemes have evolved to stay ahead of the preventative measures that are developed. Cybercriminals don’t discriminate – both small businesses and public companies are targets and victims of these schemes. In many cases, the wired funds are immediately converted to cryptocurrency by the recipient, making recovery virtually impossible.
One of the common schemes involves an executive’s email being hacked. The fraudster uses the hacked email address (or a similar-looking email address) to send an email directing an employee to wire funds. Another scheme uses a compromised vendor email address (or a similar-looking email address) and instructs an employee to change the vendor’s wire payment account number and/or routing number (or requests payment by wire when the vendor has historically been paid by check).
Most organizations have policies and procedures to protect them from fraud losses in the typical payment transaction (i.e. payment by check). However, processes and procedures to protect the organization from losses related to electronic payments (ACH and wires) may not be as well-defined. Below are some suggestions you should consider implementing to protect your organization.
• Implement dual control and segregation of duties for electronic payments. For example, one employee initiates the wire and another employee authorizes/releases it. If your bank can’t accommodate this control, inquire about a call-back procedure where the bank calls a specified individual to authenticate each wire initiated.
• Verify information received in an email, even if the email is clearly from a trusted source. You should place a verification call using a phone number from another source to confirm the authenticity of every payment request and change in wiring instructions. Never use the phone number from the suspect’s email.
• Be suspicious of requests for urgency or secrecy, such as instructions to only reply to the email, do not forward the email, or do not attempt to contact the sender by phone.
• Be wary of emails from free email services such as Gmail.
• Many of these fraud threats originate overseas, so treat poor grammar, punctuation, or awkward wording as a red flag.
• Educate your employees about email scams and other fraud threats.
• Look for slight variations in an email address. Don’t assume, however, that an email from a valid email address is authentic. You should still verify that any payment request is proper.
• Never send sensitive information in an unsecured email.
• Monitor bank accounts online frequently and reconcile all accounts in a timely manner.
• If your bank offers multifactor authentication, enable it.
• Keep cybersecurity defenses up to date.
• Review your business insurance policy. Does it cover financial losses resulting from cybersecurity fraud?
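The red flags listed above can be turned into a simple triage check for incoming payment-related email. The following is an added example, not code from the article or from Trout CPA; the trusted domains, the free-mail list, the phrase lists and the sample messages are all constructed for illustration.

```python
"""Score a payment-request email against the red flags described above.
All domains, phrase lists and messages here are constructed assumptions."""
from difflib import SequenceMatcher

TRUSTED_DOMAINS = {"trout-example.com", "acmevendor-example.com"}  # assumed allowlist
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = ("urgent", "immediately", "confidential", "do not call", "reply only", "do not forward")
BANKING = ("wire", "routing number", "account number", "new bank", "updated banking")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def lookalike(domain, trusted):
    """True when `domain` is a near-miss of a trusted domain (swapped, dropped
    or digit-for-letter characters) but not an exact match."""
    if domain in trusted:
        return False
    return any(SequenceMatcher(None, domain, t).ratio() >= 0.85 for t in trusted)

def red_flags(msg):
    """Return the applicable red flags for a message dict with keys
    'from', 'reply_to' (or None), 'subject' and 'body'."""
    flags = []
    sender = domain_of(msg["from"])
    text = (msg["subject"] + " " + msg["body"]).lower()
    if lookalike(sender, TRUSTED_DOMAINS):
        flags.append("lookalike-domain")            # slight variation of a known address
    if sender in FREE_MAIL:
        flags.append("free-mail-sender")            # free webmail service
    if msg.get("reply_to") and domain_of(msg["reply_to"]) != sender:
        flags.append("reply-to-mismatch")           # replies silently go elsewhere
    if any(p in text for p in URGENCY):
        flags.append("urgency-or-secrecy")
    if any(p in text for p in BANKING):
        flags.append("banking-change-request")
    return flags

def requires_callback(msg):
    """Every payment or banking-detail request gets an out-of-band phone
    verification, even from a valid address; other flags only raise priority."""
    return "banking-change-request" in red_flags(msg)

# Constructed sample messages: a spoofed executive, a hijacked vendor thread, and benign mail.
SAMPLES = [
    {"from": "cfo@trout-examp1e.com", "reply_to": None, "subject": "Urgent wire",
     "body": "Please wire $48,000 today. I am in meetings, do not call, reply only by email."},
    {"from": "ap@acmevendor-example.com", "reply_to": "billing@gmail.com", "subject": "Updated banking details",
     "body": "Please use our new bank account number and routing number for future payments."},
    {"from": "jane@trout-example.com", "reply_to": None, "subject": "Lunch", "body": "Team lunch Friday?"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], red_flags(m), "callback" if requires_callback(m) else "")
```

The second sample shows why the call-back rule is unconditional: the sender address is genuine, and only the Reply-To and the banking-change wording give the scheme away.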
If you suspect that your organization has been the victim of wire fraud, contact your financial institution immediately and ask them to contact the recipient bank. If they refuse, you should contact the recipient bank directly. In addition, you should inform the FBI.
Sources: [1] FBI. (n.d.). 2021 Internet Crime Report. Internet Crime Complaint Center. Retrieved July 7, 2022, from https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
Posted November 29, 2022