Wire Fraud Begins and Ends with People

By Brad Moody,


It’s hard to imagine that, on any given day, over $3 trillion moves via electronic transfer. Financial institutions make these B2B transactions happen seamlessly on a global scale, and we often take for granted the very simple instructions required (and accepted) between businesses that make single transactions of millions of dollars possible. Since organizations perform these transactions almost exclusively online, the Internet of things has an inherent opportunity for malicious redirection when company employees become complacent with routine wire instructions.

Responsible organizations follow robust, documented and accepted practices in an environment that embraces process. The culture of any high reliability organization allows employee intervention and systematic controls to prevent fraud opportunities. It may feel as if these processes are tedious and repetitive; however, at the end of the day, human actions allow fraud to exist.

Since 2016, it’s estimated that over $26 billion in fraud losses has come from wire funds transfers as the result of business email compromise alone.  With the recent COVID-19 pandemic event, fraudsters have a new ability to exploit corporations, especially in highly impacted areas.  It is important for organizations to maintain a culture of process and have contingency plans in place to allow transfers to continue seamlessly.

On the Lowers & Associates LinkedIn, we’ll be highlighting a series of security insights that are applicable to ANY industry (the second bullet below should look familiar).  Specific to wire transfer fraud, here are a few additional actions employers can take to remove risk and eliminate potential for loss:

  • Strengthen screening and re-screening employment practices.
  • Document the responsibilities of every party authorized under dual controls, and integrate them into the processes for preparing wire transfer instructions and for authorizing and approving such transfers.
  • Ensure there is independent and frequent review of investment transactions by a knowledgeable party.
  • Conduct semi-annual audits of the wire transfer function. Ensure auditors review password requirements and controls during each examination.
  • Conduct annual penetration tests and annual security audits of web-based wire transfer applications that are hosted by the company or by a third-party application service provider.

BONUS: These are a few additional steps that businesses should think about adopting:

  • Email social engineering education.
  • Passwords should be at least 14 characters long, complex (at least one each of uppercase, lowercase, number and symbol) and changed every 90 days.
  • Two-factor identification.
  • Appropriate insurance coverage for the business.
  • Monitor banking accounts regularly.

3 Essential Domains of High Reliability Organizations

By Lowers & Associates,

High Reliability Organizations (HROs) achieve such a status through persistent and detailed efforts to improve outcomes, even seeking “perfect reliability.” But, how do you get there from where you are?

Chassin and Loeb, writing about healthcare, have summarized the requirements into three broad domains: leadership, process, and culture. The approach these authors describe is intended to help hospitals and other healthcare organizations adopt HRO principles and performance, but it applies equally well to other types of organizations. All complex organizations seeking to improve outcome quality and reliability will have to scrutinize the same domains and begin to install changes.

The Changing Culture of Risk

By Lowers & Associates,

There are a couple of trends in our current society that lead many to believe that risks from human capital are on the rise. You might refer to this as the “cultural context of risk.”[i] If indeed human capital risks are on the rise, it makes sense that C-suites have a greater obligation to take action to identify, assess, and act to mitigate the risks they face.

One trend is exemplified in the increasing incidence of occupational fraud (see our graphic summary of fraud). The most worrisome aspect of this is that it may reflect a change in our culture toward less personal honesty or restraint – sociologists would refer to this as a decline in “social control” as opposed to the formal control of law enforcement. If this is true, employers face a permanently more difficult challenge in finding employees they can trust to work for the good of the organization.

The second trend may actually be part of a social response to the failure of social control. In place of allowing organizations to control their own behaviors, government has adopted some increasingly stringent regulations ranging from SOX, to the Fair Credit Reporting Act, to the Consumer Financial Protection Bureau. These legal controls create a rigid, maybe brittle, operating environment that exposes organizations to much higher risk for specific kinds of employee-based failures.