Wire Fraud Begins and Ends with People
It’s hard to imagine that, on any given day, over $3 trillion dollars moves via electronic transfer. Financial institutions make these B2B transactions happen seamlessly on a global scale, and we often take for granted the very simple instructions required (and accepted) between businesses that make single transactions of millions of dollars possible. Since organizations perform these transactions almost exclusively online, the Internet of things has an inherit opportunity for malicious redirection when company employees become complacent with routine wire instructions.
Responsible organizations follow robust, documented and accepted practices in an environment that embraces process. The culture of any high reliability organization allows employee intervention and systematic controls to prevent fraud opportunities. It may feel as if these processes are tedious and repetitive, however, at the end of the day, human actions allow fraud to exist.
Since 2016, it’s estimated that over $26 billion in fraud losses has come from wire funds transfers as the result of business email compromise alone. With the recent COVID-19 pandemic event, fraudsters have a new ability to exploit corporations, especially in highly impacted areas. It is important for organizations to maintain a culture of process and have contingency plans in place to allow transfers to continue seamlessly.
On the Lowers & Associates LinkedIn, we’ll be highlighting a series of security insights that are applicable to ANY industry (the second bullet below should look familiar). Specific to wire transfer fraud, here are a few additional actions employers can take to remove risk and eliminate potential for loss:
- Strengthen screening and re-screening employment practices.
- Integrate and document responsibilities of all parties authorized in dual controls into processes involving preparation of wire transfer instructions and authorizing and approving such transfers.
- Ensure there is independent and frequent review of investment transactions by a knowledgeable party.
- Conduct semi-annual audits of the wire transfer function. Ensure auditors review password requirements and controls during each examination.
- Conduct annual penetration tests and annual security audits of web-based wire transfer applications that are hosted by the company or by a third-party application service provider.
BONUS: These are a few additional steps that businesses should think about adopting:
- Email social engineering education.
- Passwords should be at least 14 characters, must be complex (at least 1 of each): 1 Uppercase, 1 Lowercase, 1 Number, 1 Symbol and changed every 90 days.
- Two-factor identification.
- Appropriate insurance coverage for the business.
- Monitor banking accounts regularly.