How Can You Prevent Wire Transfer Fraud?
In its most recent quarterly filing with the Securities and Exchange Commission (SEC), Ubiquity, Inc, a Silicon Valley networking equipment company, revealed that they had been the victim of a $46.7 million cyberheist.
The swindle is an increasingly common one, known variously as CEO fraud, business email compromise (BEC) or man in the email (MITE) attacks, and it targets companies that make a lot of wire transfers, especially to overseas business partners.
How to Prevent Wire Transfer Fraud
The fraud begins with either the takeover (by phishing) of the email account of a senior executive such as the CEO, or the creation of an account at a “typo domain”, a domain that looks a lot like the legitimate one, for example email@example.com rather than firstname.lastname@example.org. An email is then sent to a person in the organization who initiates wire transfers by the “CEO” to send money to an overseas supplier, with new banking details included.
Even if the visible From: header is spoofed (easy to do) some mail clients will note the difference between the SMTP envelope (email@example.com) and the From: header (firstname.lastname@example.org). Also, the Reply-to will always be set to the spoofed domain, so that the fraudster gets all of the replies. Krebs has good detailed technical descriptions of how these scams work.
Fraud such as this has become a more than $200 million dollar business according to the FBI. Unlike fraud against consumer accounts, the banks have no legal requirement to make the victims whole, unless the fraud can be shown to be their fault. The best will do is attempt to reverse the transaction. Ubiquity got about $8 million back. So it’s your money — you need to own protecting it. There is a great publication by the Financial Services Information Sharing and Analysis Center (FS-ISAC) on preventing wire transfer fraud BEC. They suggest:
The key to reducing the risk from BEC is to understand the criminals’ techniques and deploy effective payment risk mitigation processes.There are various methods to reduce the risk of falling victim to this scam and subsequently executing a fraudulent wire transfer. Some of these methods include:
- Verifying a change in payment instructions to a vendor or supplier by calling to verbally confirm the request (the phone number should not come from the electronic communication, but should instead be taken from a known contact list for that vendor);
- Maintain a file, preferably in non-electronic form, of vendor contact information for those who are authorized to approve changes in payment instructions;
- Limit the number of employees within a business who have the authority to approve and/or conduct wire transfers;
- Use out of band authentication to verify wire transfer requests that are seemingly coming from executives. This may include calling the executive to obtain verbal verification, establishing a phone Personal Identification Number (PIN) to verify the executive’s identity, or sending the executive via text message a one-time code and a phone number to call in order to confirm the wire transfer request;
- When the staff at a victim business is contacted by the bank to verify the wire transfer, the staff should delay the transaction until additional verifications can be performed; and
- Require dual-approval for any wire transfer request involving:
- A dollar amount over a specific threshold; and/or
- Trading partners who have not been previously added to a “white list” of approved trading partners to receive wire payments; and/or
- Any new trading partners; and/or
- New bank and/or account numbers for current trading partners; and/or
- Wire transfers to countries outside of the normal trading patterns
I would add three more suggestions:
- If you can possibly get email out of the wire transfer process, do so.
- If you cannot, be vigilant for spoofed domains, or consider commercial anti-fraud systems.
- To avoid other kinds of attacks, do all banking, including wire transfers, from a dedicated PC that serves no other function. No email. No non-banking web. You can accomplish this also with a bootable thumb drive that you use only for this purpose.
This is a definite trade-off of convenience for security, but it’s worth it. You own the failures.
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.