United States Cybersecurity Magazine

ProcessBolt
Wire Fraud

Addressing the Rapidly Growing Threat of Wire Fraud

Most cyber-attacks are intended to steal sensitive and personal information, which can later be used to breach accounts, hijack a victim’s identity, or steal money. However, some cybercriminals opt for a more direct form of theft, they send fraudulent requests that ask victims to complete a wire transaction and send money straight to them. This is known as wire fraud.  Wire fraud is one of the most common and costliest cyber-attacks that companies must guard against. 

As is often the case with cybersecurity, wire fraud can be prevented if companies focus on teaching employees how to identify the warning signs and take action. Employees should be trained to confirm the identity of any recipient of funds, look for suspicious elements of wire transfer requests, and trust their instincts when something feels off. The risk of a slight delay is insignificant compared to the risk of accidentally sending money straight to a cybercriminal. 

Take a moment to consider the amount of money that is exchanged every day via wire transfers. The digitization of financial services and transactions is only going to continue surging in the coming years, so it has never been more important for employees to know how to prevent cybercriminals from interdicting these transactions and stealing vast sums of money. 

Wire Fraud is One of the Biggest Cyber-threats Companies Face

There are several reasons why wire fraud is the attack of choice for many cybercriminals. In most cases, it doesn’t require much technical knowledge,it sends funds straight into a fraudulent account, transactions are difficult to recall once they’re initiated, and the number of successful attacks demonstrates that victims are still falling for it constantly. According to a report by the FBI, Business Email Compromise (BEC), which is one of the main attack vectors for cybercriminals committing wire fraud, led to more than $26 billion in losses between June 2016 and July 2019. 

A survey conducted by the Association for Financial Professionals (AFP) found that the proportion of organizations which say they have “experienced attempted and/or actual payments fraud” increased steadily from 2013 to 2018, from 60 percent to 82 percent. When broken down by payment method, wire transfers saw by far the largest spike in fraudulent activity over the same period. This trend shows no sign of slowing down, and it has been exacerbated by the COVID-19 pandemic

A recent PwC survey found that almost one-quarter of executives say their “area of greatest vulnerability in a serious crisis” is communications with external stakeholders. With so many employees continuing to work from home and the anticipated prevalence of remote work even after COVID-19 is under control, companies need to adjust their network security protocols to keep pace with these changes. This process should begin with a concerted effort to educate employees about the dangers of wire fraud and how to mitigate them. 

How Cybercriminals Commit Wire Fraud

Cybercriminals have multiple strategies for manipulating employees into sending wire transfers. Although they sometimes hack into a victim’s email account (usually someone in a position of authority who’s authorized to handle a company’s finances) and use it to send fraudulent messages requesting wire transfers, it is more likely that a scammer will impersonate a vendor or another entity the company does business with. This is one of the reasons respondents to the PwC survey are so concerned about communications with external stakeholders. 

While there are many social engineering tactics cybercriminals use to execute wire fraud attacks, the basic formula is generally the same: convince an employee to transfer funds, then disappear as quickly as possible to eliminate any chance of being traced. Cybercriminals use an array of coercive strategies when they contact victims, for example, they’ll insist that the money needs to be transferred immediately to avoid incurring some kind of penalty. Furthermore, they will come up with a reason why the original account number can’t be used. In cases where they cannot infiltrate a legitimate email account from which to send phony instructions, they will create fake accounts designed to resemble their legitimate counterparts. 

These are tactics that successfully defraud tens of thousands of people in the U.S. alone every year, however, by observing a few essential cybersecurity guidelines, employees can make sure they are not among these victims. 

conclusion

The most important resource a company has when it comes to thwarting wire fraud is the awareness of its employees. Although cybercriminals often do everything in their power to conceal their identities, there are many red flags employees should always be looking out for, especially when financial transactions are involved. 

For example, cybercriminals often present the illusion of urgency to convince employees to wire funds without providing enough time for due diligence on the recipient. Employees should be on their guard against any irregularities in a wire transfer request if the recipient, account number, or amount has changed, if the nature and tone of the request doesn’t seem consistent with previous requests, or if the request contains broken English, misspellings, slightly altered email addresses, or international domain extensions (especially if it’s a domestic transaction). When a recipient attempts to confirm a wire transfer with an email voice message, or worse, doesn’t offer voice confirmation at all, employees should raise the alarm. 

Above all, employees should learn to trust their instincts. If something seems off, bring it up with a manager and take a closer look at the request. Trying to work quickly to save time on wire transfers is not worth the risk of becoming the victim of wire fraud. Take your time and evaluate the requests coming in.


Matt Lindley

SUBSCRIBE HERE
Create a strong password with a minimum of 7 characters using one uppercase, one lowercase, and one number.
Show privacy policy