When a criminal inserts themselves into a transaction involving the transfer of large sums of money, it’s called fraud. When they do so by first gaining your trust, this is called social engineering. Funds transfer fraud through social engineering is a big problem for businesses, with results that could be devastating for your company if you become the victim of an attack.
To protect yourself, it’s important to understand the phishing and spear phishing tactics employed by today’s digital fraudsters and to follow best practices when transferring funds. Remember, never send a wire transfer based on just an email.
How Is Funds Transfer Fraud Done Through Social Engineering?
Funds transfer fraud can happen any time a large sum of money changes hands between a business and a client, vendor, partner or other individual or outside organization. Criminals tend to target important transactions that offer big paydays, such as:
- Mergers and acquisitions
- Real estate transactions
- Legal judgements and settlements
- Employee benefits and compensation deals
- Other movements of large sums of capital
Transactions like these are just a normal part of doing business, but caution is needed. You may be feeling excited or even anxious to complete a business deal, settle a payment or begin a new project. Additionally, you or your employees may feel pressure to facilitate a smooth and timely transaction.
Criminals know this and have tricks to exploit the people handling these important transfers, including:
- Phishing—A common online hazard for businesses of all types, where criminals send the same fraudulent mass email to multiple targets, trying to trick recipients into giving up confidential business info or altering their funds transfer procedures.
- Spear phishing—A more targeted approach, where specific managers or executives receive a fraudulent email that includes enough real information that the target may be tricked into complying with a transfer request change.
Whether you receive an email to provide detailed information about an upcoming payment or to accommodate a payment change request, the incentive to comply is high. The email may appear to be from a boss, VIP, client, lawyer or other person in authority. But with any such request, it’s important to stick to a process to verify and confirm everything before any payment is made and any information is exchanged.
How to Prevent Funds Transfer Fraud Through Social Engineering
Preventing funds transfer fraud and avoiding social engineering tricks requires training, alertness and compliance with established security best practices.
- Require dual approval of transactions, with every transfer approved by two authorized people rather than one. Verify the transaction by calling the phone number already on file, never a number supplied in the email. Never confirm by email alone. Instructions for transferring funds should ideally be provided in hard copy format.
- Use a dedicated computer for transfers, making sure the system is secure and free of malware and breaches. Phishing emails can contain viruses that compromise a computer, so it’s best to use one without access to email that only connects to secure sites.
- Enable email encryption to protect communications, with a secure email system that encrypts both incoming and outgoing mail. Unsecured email is at high risk of being read by attackers who have compromised an email account or provider and search messages for payment-related keywords.
- Ensure separation of financial duties by limiting the overlap of duties related to financial transactions so that each employee has a clearly defined role in the process and cannot act alone without approval and coordination with other employees.
- Review account statuses frequently, looking for anything out of the ordinary that might indicate fraud. The sooner the bank can be alerted, the better the chance of recovery. Fraudsters often try to stall for time while moving your funds out of the country.
- Train all staff thoroughly on computer safety and funds transfer best practices. Emailed transfer change requests should always be treated as fraud attempts, no matter who the sender appears to be. If communications are disrupted, they should be restored before proceeding. Training and an agreed-upon protocol are truly key to preventing this fraud.
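The controls above can be enforced in a payment workflow rather than left to memory. The following is an added example, not code from the original article: a hypothetical approval model in which an emailed change to beneficiary details is held as a suspected fraud attempt and wipes existing approvals, only a callback to the number already on file can confirm or reject it, and release needs two distinct approvers who are not the requester. All names, account numbers and phone numbers are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


class ControlViolation(Exception):
    """Raised when a step would bypass a funds-transfer control."""


@dataclass
class TransferRequest:
    requester: str                 # employee who raised the request (cannot approve it)
    beneficiary: str               # account details as originally agreed, e.g. from hard copy
    phone_on_file: str             # counterparty number from existing records, never from an email
    amount: float
    approvals: set = field(default_factory=set)
    pending_change: Optional[str] = None   # emailed change held until verified out of band
    callback_done: bool = False            # phone verification of the final details


def record_emailed_change(req: TransferRequest, new_beneficiary: str) -> None:
    """Treat every emailed change request as a fraud attempt: hold it and reset approvals."""
    req.pending_change = new_beneficiary
    req.approvals.clear()
    req.callback_done = False


def confirm_by_callback(req: TransferRequest, number_dialed: str, confirmed: bool) -> None:
    """Only a call to the number already on file can confirm or reject the details."""
    if number_dialed != req.phone_on_file:
        raise ControlViolation("callback must use the number on file, not one from the email")
    if req.pending_change is not None and confirmed:
        req.beneficiary = req.pending_change     # counterparty confirmed the change by phone
    req.pending_change = None                    # rejected changes are simply discarded
    req.callback_done = True


def approve(req: TransferRequest, approver: str) -> None:
    """Separation of duties: requester cannot approve, and unverified changes block approval."""
    if approver == req.requester:
        raise ControlViolation("requester cannot approve their own transfer")
    if req.pending_change is not None or not req.callback_done:
        raise ControlViolation("details must be verified by callback before approval")
    req.approvals.add(approver)


def release_allowed(req: TransferRequest) -> bool:
    """Dual approval: two distinct approvers, verified details, no change outstanding."""
    return len(req.approvals) >= 2 and req.callback_done and req.pending_change is None
```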
What Should You Do in the Event of a Funds Transfer Fraud?
If you suspect fraud, immediately contact the bank and local law enforcement. Time is of the essence in any fraud recovery action. If you contact the FBI, the Financial Fraud Kill Chain (FFKC) may be used to recover large international funds transfers in limited cases. It is best to work with the bank immediately upon discovering the fraud and not to wait to determine whether the funds have gone overseas.
For FFKC recovery action to proceed, a transaction must meet certain criteria:
- The wire transfer is $50,000 or more
- The wire transfer is international
- A SWIFT recall notice has been initiated
- The wire transfer has occurred within the last 72 hours
The epidemic of funds transfer fraud through social engineering shows no sign of abating, with fraudsters continuing to develop new ways to intercept and misdirect payments. The only effective way to defeat online criminals is by being proactive. You may also consider implementing a cyber attack response plan.
How Can You Better Protect Yourself from Cyber Fraud?
Make sure you and your employees understand the risks of funds transfer fraud and the social engineering tricks used to perpetrate it. Develop a robust system of protocols to verify and double-check all transactions by phone and employ hard copy instructions where possible. Train your team on the procedures and ensure they are followed diligently.
Even with the best funds transfer safety protocols, it may be impossible to prevent all online criminal attacks. That’s where insurance comes in. CyberLock Defense Liability Insurance can help protect your business against the increasing costs of cyber attacks.