Financial fraud is constantly evolving and becoming a more and more difficult to fight, whether companies or consumers are targeted. Recently, a relatively sophisticated scheme has emerged that uses “spoofing,” a type of identity theft, to trick business people into telling their bankers to send corporate cash to scammers.
These new email and wire-fraud techniques, dubbed “masquerading” by David Pollino, the fraud prevention officer at San Francisco-based Bank of the West, usually siphon money from the victimized business’s account and have it sent electronically (by wire) to a phony offshore firm. Often, the thief poses as a high-level officer – such as the chief executive or the chief financial officer – of the targeted company.
Wire fraud incidents rose last year, affecting 14% of businesses in a payments fraud survey by the Association of Financial Professionals, up from 11% in 2012. Losses for some victims topped $800,000, according to federal authorities. Pollino says businesses can take steps to prevent such schemes from succeeding. But first they need to understand how they work.
The masquerade
Typically, fraudsters must do some homework first.
“For example, criminals might go through social media to figure out who the CEO is of a construction company,” Pollino says.
Then they hack into the business’s email system. After gaining access, the scammer, using the name of a high-level executive, sends an authentic-looking message through the company’s computers to a subordinate with access to the cash, such as the controller or a financial manager, ordering a wire transfer from the firm’s bank to a third-party account. Even if the bank raises questions, it is often ignored because the email that prompted the order is regarded as genuine, Pollino says.
The fraudsters “try to scam or fool the person internal to the company,” Pollino says. Often, the order is marked confidential, making it harder for the recipient to raise questions, he says.
The scammer will create a fake email address that is only slightly different from the CEO or CFO’s real e-mail address – perhaps just a character changed or added – so the employee doesn’t notice that it’s phony. Typically, the bogus message will include an attachment with the wire transfer instructions. Moving funds this way tends to work well for thieves because custody of the money changes in an instant, putting the cash out of the victim’s reach before the scheme is discovered.
On average, businesses have lost about $55,000 when these and similar schemes succeed, but some have reported losing more than $800,000, according to the federal Internet Crime Complaint Center. The scams appear to be Nigerian-based, and most of the victims are from the U.S., U.K. and Canada, according to a recent fraud alert.
Whether there’s any chance for the business to recoup such a loss may depend on its insurance and/or any agreements it has with the financial services provider regarding the handling of wire transfers.
“Each case is unique and if a loss is incurred, it might be up to the individual arrangement that the business has with the bank” to determine who is liable, Pollino says.
Masquerade prevention
With spoofing attacks like these on the rise, companies should put together a strong business process to ensure all wire transfers are legitimate, Pollino says.
“An e-mail should not be enough for a large financial transaction to take place – or even a phone call claiming to be from the CEO,” Pollino says. “There should be additional processes in place to ensure the details of the transaction – the amount, the timing and its legitimacy – are authorized.”
Other good preventive measures to take include verifying the source of the email ordering the transfer, double or even triple-checking email addresses, and establishing a multi-person approval process for transactions above a certain amount, Pollino says. Be suspicious of confidentiality, he adds, as it often masks a fraud attempt.
“With good supplemental business processes, it should be easier for companies to detect this type of masquerading,” Pollino says. Strengthening procedures should also help prevent mistakes and errors, like sending an incorrect amount or addressing it to the wrong account, and internal fraud.
If your business has been victimized, the Federal Trade Commission says to call the money transfer company immediately to report it, then file an online complaint with the agency.
Wire fraud image via Shutterstock
Source Article :http://bit.ly/1tzV6qC
0 comments:
Post a Comment