Electronic Fund Transfer (EFT) fraud is not new, nor, with the increasing reliance on paperless financial activity, is it going away any time soon.
Clients have alerted us to recent inquiries, most likely from global cyber thieves, intended to fool them into wiring funds.
The recent cases we have seen involve an email that appears to have been sent by a corporate executive, asking the controller to urgently wire funds. In reality, the corporate officer’s email was fictitious. The company president’s email address was easily obtained, copied, and then displayed over the sender’s true email address. Then, it was sent to the legitimate controller. Upon receipt, the email content and email address appear legitimate to the human eye.
But is it? Think for a minute—take a step back. Is it written like an email that the sender usually writes? Is it signed as the sender would normally sign an email? Have they ever made a similar urgent request of you? Have you ever wired funds before?
Upon receipt, the controller or accountant is then faced with the decision: to wire or not to wire. What are your company’s wire transfer (out) policies? Some companies don’t have any. Now is the perfect time to discuss and implement EFT controls and protocols, as one fictitious transaction can wipe out a company’s bank account. An EFT risk assessment is just a part of a complete forensic assessment. Here are a few simple points to keep in mind.
Common sense would dictate that a wire transfer cannot be made until the controller has had the chance to orally communicate with the person requesting the wire transfer. But remember, the request is “urgent”.
Fraud Tip #1: Don’t fall into the urgency trap.
Time is your friend. But what if the controller attempts to call the requesting party and the call goes to voicemail? After all, remember, the request is urgent. You may feel that you have to act in a timely manner, and you may then be inclined to communicate via email in order to confirm the EFT request. But what if the email address has been “hijacked” by a criminal? What if you reply to the initial email for an additional confirmation and maybe a little more detail? It is okay to wait.
Fraud Tip #2: Get details about the proposed transaction BEFORE honoring the wire request.
What can be so urgent that it can’t wait for a face-to-face discussion or telephone call for more information?
Email communication is NOT the answer for two quick reasons. First, the email address of the requester may have been hijacked, and you, in turn, may end up communicating with the criminal who is attempting to coerce you into facilitating the EFT. Second, if you choose to hit “reply”, LOOK at the email address in the header. It may well have changed to reflect the true email address, one that does not belong to anyone in your company. You have now uncovered the scheme yourself.
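The header check described above can also be automated at the mail gateway. The following is an added example, not part of the original article: it assumes `example.com` is the company's mail domain, and the function name `check_wire_request` and the finding labels are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def check_wire_request(raw, company_domain):
    """Return header findings for an email asking for a wire transfer."""
    msg = message_from_string(raw)
    shown_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender, reply_to = sender.lower(), reply_to.lower()
    findings = []
    # 1. The name the reader sees contains an address that is not the real sender.
    masked = ADDR_RE.search(shown_name)
    if masked and masked.group(0).lower() != sender:
        findings.append("display-name-masks-sender")
    # 2. Replies are redirected to a different mailbox than the sender.
    if reply_to and reply_to != sender:
        findings.append("reply-to-differs-from-sender")
    # 3. Hitting Reply would send the answer outside the company.
    target = reply_to or sender
    if domain_of(target) != company_domain.lower():
        findings.append("reply-leaves-company")
    return findings

# Constructed sample headers (not real messages).
LEGIT = ("From: Pat Lee <pat.lee@example.com>\n"
         "To: controller@example.com\nSubject: Q3 invoice\n\nSee attached.\n")
MASKED = ('From: "pat.lee@example.com" <pat.lee@exarnple-mail.test>\n'
          "To: controller@example.com\nSubject: Urgent wire\n\nWire today.\n")
REPLY_TRICK = ("From: Pat Lee <pat.lee@example.com>\n"
               "Reply-To: pat.lee@freemail.test\n"
               "To: controller@example.com\nSubject: Urgent wire\n\nWire today.\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("masked", MASKED), ("reply", REPLY_TRICK)):
        print(label, check_wire_request(raw, "example.com"))
```

A message sent from a genuinely hijacked mailbox passes all three checks, so this supplements the voice confirmation to a known number and does not replace it.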
Standard corporate policy should dictate that EFTs cannot be initiated unless there is an oral confirmation that the controller initiates to a known number of the requesting party (i.e., no hotels or third-party numbers).
Fraud Tip #3: Voice confirmation and approval is required.
In addition, most companies should have established EFT dollar limits and a dual approval system. We strongly recommend that a separate bank account be used for outgoing wire transfer transactions. Have you worked with your bank to establish proper EFT policies and procedures?
Fraud Tip #4: Meet with your bank on EFT security.
Review your corporate insurance policy to see if fraudulent EFT transactions are covered, and if so, what the corresponding limitations are.
Fraud Tip #5: Check your corporate insurance policy.
Cyber thieves are sharp, convincing and very creative. Should you unfortunately realize that you have fallen victim to an EFT scam, you must act quickly. At this point, time is not your friend. Waiting to address this tomorrow is unacceptable. You may have mere hours in order to stop the transaction—and maybe even save your job. You must call the bank that is wiring the money immediately, alert bank officials about the fraud and order them to stop the wire transfer.