Wire Fraud Begins and Ends with People

By Brad Moody,


It’s hard to imagine that, on any given day, over $3 trillion moves via electronic transfer. Financial institutions make these B2B transactions happen seamlessly on a global scale, and we often take for granted the very simple instructions required (and accepted) between businesses that make single transactions of millions of dollars possible. Because organizations perform these transactions almost exclusively online, there is an inherent opportunity for malicious redirection whenever company employees become complacent with routine wire instructions.

Responsible organizations follow robust, documented and accepted practices in an environment that embraces process. The culture of a high reliability organization allows employee intervention and systematic controls to prevent fraud opportunities. These processes may feel tedious and repetitive, but at the end of the day, human actions are what allow fraud to succeed.

Since 2016, it’s estimated that over $26 billion in losses has come from wire transfers redirected as a result of business email compromise alone. With the recent COVID-19 pandemic, fraudsters have new pretexts for exploiting corporations, especially in highly impacted areas. It is important for organizations to maintain a culture of process and have contingency plans in place so that transfers continue seamlessly without bypassing controls.

On the Lowers & Associates LinkedIn, we’ll be highlighting a series of security insights that are applicable to ANY industry (the second bullet below should look familiar).  Specific to wire transfer fraud, here are a few additional actions employers can take to remove risk and eliminate potential for loss:

  • Strengthen screening and re-screening employment practices.
  • Integrate and document responsibilities of all parties authorized in dual controls into processes involving preparation of wire transfer instructions and authorizing and approving such transfers.
  • Ensure there is independent and frequent review of investment transactions by a knowledgeable party.
  • Conduct semi-annual audits of the wire transfer function. Ensure auditors review password requirements and controls during each examination.
  • Conduct annual penetration tests and annual security audits of web-based wire transfer applications that are hosted by the company or by a third-party application service provider.
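As an added example (not code from this article or from Lowers & Associates), the Python below shows how the dual-control and verification points in the list above can be enforced in software rather than left to habit: the employee who prepares a wire cannot approve it, a change to a vendor’s beneficiary account is honoured only after an out-of-band callback to the number already on file, and instructions that arrive from a lookalike sender domain are flagged before anything is released. The vendor master record, the domains, the account numbers and the three sample requests are all constructed for illustration.

```python
"""Dual-control wire-transfer review with beneficiary-change verification.

Added example; vendor data and requests below are constructed, not real.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vendor:
    name: str
    email_domain: str      # domain the vendor's staff actually send from
    account_on_file: str   # beneficiary account established at onboarding


@dataclass
class WireRequest:
    vendor: str
    amount: float
    beneficiary_account: str
    sender: str                      # address the instruction arrived from
    prepared_by: str                 # employee who keyed the instruction
    approved_by: Optional[str] = None
    callback_verified: bool = False  # True only after phoning the number on file,
                                     # never a number supplied in the email itself


@dataclass
class Decision:
    approved: bool
    findings: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review(req: WireRequest, vendors: Dict[str, Vendor]) -> Decision:
    """Apply the three controls; any finding blocks the wire."""
    findings: List[str] = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return Decision(False, ["vendor not in master file"])

    # 1. Dual control: the preparer may never be the approver.
    if not req.approved_by:
        findings.append("no approver recorded")
    elif req.approved_by == req.prepared_by:
        findings.append("separation of duties: preparer cannot approve own wire")

    # 2. Sender domain must match the vendor exactly; a near miss is a lookalike.
    domain = req.sender.rsplit("@", 1)[-1].lower()
    if domain != vendor.email_domain:
        if edit_distance(domain, vendor.email_domain) <= 2:
            findings.append(f"lookalike sender domain {domain!r} (expected {vendor.email_domain!r})")
        else:
            findings.append(f"sender domain {domain!r} does not belong to vendor")

    # 3. Changed beneficiary details are honoured only after an out-of-band callback.
    if req.beneficiary_account != vendor.account_on_file and not req.callback_verified:
        findings.append("beneficiary account differs from file; callback to number on file not completed")

    return Decision(not findings, findings)


# Constructed vendor master (hypothetical vendor, domain and account).
VENDORS: Dict[str, Vendor] = {
    "Acme Supply": Vendor("Acme Supply", "acme-supply.com", "US12-3456-7890"),
}


def legit_request() -> WireRequest:
    return WireRequest("Acme Supply", 250_000.0, "US12-3456-7890",
                       "ap@acme-supply.com", prepared_by="jdoe", approved_by="asmith")


def bec_request() -> WireRequest:
    # Classic BEC: lookalike domain plus "we changed banks" with no callback.
    return WireRequest("Acme Supply", 250_000.0, "GB99-0000-1111",
                       "ap@acme-supply.co", prepared_by="jdoe", approved_by="asmith")


def self_approved_request() -> WireRequest:
    return WireRequest("Acme Supply", 250_000.0, "US12-3456-7890",
                       "ap@acme-supply.com", prepared_by="jdoe", approved_by="jdoe")


if __name__ == "__main__":
    for label, req in [("legit", legit_request()), ("bec", bec_request()),
                       ("self-approved", self_approved_request())]:
        d = review(req, VENDORS)
        print(f"{label}: {'APPROVED' if d.approved else 'BLOCKED'} {d.findings}")
```

The `callback_verified` flag is the control that matters most: it should be set by the person who phoned the vendor at the number recorded at onboarding, not by whoever received the email, and the number in the email footer is never used for that call.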

BONUS: These are a few additional steps that businesses should think about adopting:

  • Email social engineering education.
  • Passwords should be at least 14 characters. The traditional rule adds complexity requirements (at least 1 uppercase, 1 lowercase, 1 number, 1 symbol) and a forced change every 90 days; note that NIST SP 800-63B now advises against routine expiration and composition rules in favor of length, screening against known-breached passwords and multi-factor authentication, so treat 90-day rotation as a legacy control rather than a target.
  • Two-factor authentication.
  • Appropriate insurance coverage for the business.
  • Monitor banking accounts regularly.

5 Stories that Highlight the Dangers of Complacency

By Lowers & Associates,


Ah, complacency. That quiet sense of security or satisfaction with the status quo that prevents a person from acknowledging the potential dangers or risks around them.

We become complacent about internal controls, believing our employees have always been trustworthy and therefore we can eliminate extra steps in the process. We slack off in our security training, thinking “surely our team knows not to click on an unfamiliar link.” Or, we fail to conduct a background check because the applicant is the nephew of one of our fellow executives.

In our recent blog, 4 Culprits of Complacency, we highlighted some of the underlying factors that lead to complacency. In this blog, we bring forth five stories that expose the negative fallout and damage that can occur when organizational complacency takes root.

1. The Law Firm with Weak Accounting Controls

A law firm specializing in intellectual property let complacency derail its internal controls. The firm has five offices throughout the United States, and the satellite offices normally forward their customer payments to the corporate office for processing. Recently, however, customers from at least one of the five locations notified the firm that their previously cashed payments were being duplicated, forged, and re-cashed, leaving those customers with fraudulent withdrawals from their bank accounts. Fraudsters left some of the personalized information on the check, such as handwritten notes in the memo line, but replaced the recipient name, date, and check number with false information and deposited it remotely through an ATM. Rather than keeping customer payments in a secure, locked location, the firm failed to follow its own internal controls, and that complacency led to an embarrassing and costly mistake.

2. The National Political Committee Duped by Social Engineering

It was the hack heard round the world, all perpetrated by a simple case of spear phishing made possible by complacency. Hackers sent an email to members of the committee that looked like it had been sent by Google and asked them to click a link to reset their passwords due to malicious activity on their accounts. Several members took the bait, and with the captured credentials in hand, hackers subsequently breached (and later published) more than 150,000 emails stolen from the Gmail accounts of committee members.

3. The Nursing Home That Failed to Check Employee Backgrounds

A Texas nursing home employee was caught on video physically assaulting an 83-year-old resident, who had advanced Alzheimer’s disease and could barely move, talk, or understand what was going on around her. The family sued the nursing home for $1 million for its negligent hiring of a 23-year-old employee who had previous arrests for fraud, marijuana possession, and criminal mischief on his record. Had the facility not succumbed to complacency, it would have required all workers to undergo a background check before being hired.

4. The Business Merger That Skipped Due Diligence

Two regional telco companies that had been in competition with one another decided to take the plunge and merge, with Company A doing the actual acquiring and Company B being the one acquired. The executives of both teams had been collegial over the years and knew each other’s respective businesses fairly well, so Company A opted to forgo a formal due diligence process. It was only four months into the new merger that Company A realized Company B had inflated the size of its client base and the average revenue per subscriber (ARPS) for each of those clients. Yes, Company B had 800 clients in its account records, but a full 200 of those clients had discontinued service at some point in the preceding timeframe, leaving only 600 active clients. The true value of revenue, then, wasn’t ARPS x 800 clients, it was ARPS x 600 clients, about $600,000 a year less than had been presented in the pre-merger discovery process. Once again, complacency reared its ugly head.

5. The Medical Diagnostic Company Lacking Sound Loss Prevention Strategies

We like to think that all of our employees are honest, but even with good internal controls in place, people find ways to cheat their employers. In this case, a manager set up a series of fake companies, invoices and expense reports to reimburse himself for more than $1.2 million in false expenses. His deception was ultimately uncovered through mismatched addresses used on his falsified documents. While loss prevention tactics can’t necessarily filter out every deceitful action, it’s far better to be proactive than remain complacent, as this company did.

Is complacency a risk factor in your organization?

Lowers and Associates works with a wide range of industries, including financial institutions, healthcare providers, casinos, couriers, and insurance companies, to protect their people, brands, and profits. We offer a full range of services, from cash-in-transit evaluations to venue security to IT risk assessments.

If you’re concerned your business is at risk of being complacent, let’s talk. We’d love to help.


5 Ways to Combat Social Engineering Attacks in Your Organization [Infographic]

By Lowers & Associates,

Wikipedia defines social engineering, in the context of information security, as the “psychological manipulation of people into performing actions or divulging confidential information.” Our increasing reliance on vast networks of digital technology for information storage, research, controls, and transactions makes organizations highly vulnerable to social engineering fraud.

There is a strong urge to combat this risk with a technological fix like stronger encryption or better management controls. The problem is not a technical one because social engineering fraud is based on the exploitation of human interactions and human frailties.


[Infographic] Social Engineering Fraud: Exploiting the Instinct to Trust

By Lowers & Associates,

One of the more pervasive human risks in modern organizations is fraud through “social engineering.” Social engineering fraudsters gain access to your most valuable assets by using deceitful tactics to turn trusted employees or partners into unwitting and unwilling accomplices. This occurs at a typical loss rate of $25k to $100k per incident. This stealthy crime can be very hard to detect because the accomplice is unaware of being complicit, giving the perpetrator time to escape.


Social Engineering: How Strong is Your “Human Firewall”?

By Lowers & Associates,

There was a time, not long ago, when the term social engineering meant the manipulation of behavior and various outcomes through public policy. It referred to political issues.

The digital revolution has led to a new meaning for the term, and it’s one you should know about: “social engineering” is a threat to data system security based on “the art of influencing people to disclose information and to get them to act inappropriately.”

In other words, it’s a con job to get people to reveal things about their passwords and related digital assets to help thieves gain access to a system or database.

The important point about social engineering is that it is another human risk factor that you need to address in your risk management plan. Your efforts to harden the computer systems in your organization against technical intrusion will be pointless if the people who have access to them are vulnerable to social engineering attacks.