
Is Email the Achilles Heel in Your Wire Fraud Prevention Plan?

Posted: Aug 26, 2021 | Author: Justin Lutes, AAP, NCP, Catalyst Corporate Vice President of Correspondent Services

In Greek mythology, Achilles was the greatest of all Greek warriors. But despite his overall strength, one small, unprotected area on his heel led to his ultimate downfall. As warriors against fraud, credit unions vigilantly establish safeguards to protect their institutions, but one small vulnerability, email, can be the Achilles heel that cripples an institution financially and reputationally.

I recently attended a webinar conducted by JPMorgan Chase on Business Email Compromise (BEC). BEC occurs when criminals use email to trick victims into sending them money by impersonating the victim’s executives or business partners. While these schemes are not new, the pace of growth and value of BEC fraud attempts against customers of financial institutions is accelerating at an alarming rate.   

BEC losses in 2020 alone totaled $1.86 billion, according to the FBI’s 2020 Internet Crime Report, and the number of losses reported to IC3.gov between 2016 and 2020 increased a staggering 417 percent.

Why do criminals continue to have success with this type of fraud?

The answer is twofold:

  1. As financial institutions have become more sophisticated at detecting malware and anomalous transactions, criminals have taken financial institutions out of the equation and are targeting your members as the path of least resistance.
  2. People like to review email quickly and move on. As a result, they may not notice that a sender address has been altered by a character or two to look like a trusted address. Even worse, a genuinely legitimate email address cannot be trusted on its own. Criminals who take over an email account add inbox rules that forward or hide messages containing words such as "wire," "invoice," "payment" or "statement," copy a real payment thread, and reply from the compromised mailbox with altered account instructions so that a fraudulent transaction is processed.
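The two tricks above, a lookalike sender address and a malicious inbox rule on a compromised account, are both things a credit union can check for mechanically before a payment is released. The script below is an added example written for this page, not code from the author or from Catalyst Corporate; the trusted-domain list, the rule records and the sender addresses are constructed sample data, and the field names in the rule records (`forward_to`, `subject_contains`, `move_to`, `delete`) are assumed for illustration rather than taken from any mail system's real export format.

```python
"""Two checks for the BEC tricks described above (added example, constructed data).

1. lookalike_domain(): flags a sender domain that imitates a trusted one through
   homoglyph substitution (rn -> m, 1 -> l, 0 -> o ...) or a one-character edit.
2. suspicious_rules(): flags inbox rules that forward mail outside the organisation
   or auto-file/delete messages about wires, invoices, payments or statements, which
   is how a criminal inside a compromised mailbox watches for payment traffic.
"""
from typing import Dict, Iterable, List, Optional

# Single characters criminals substitute because they look alike in many fonts.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
# Two-character sequences that render like one letter ("rn" looks like "m").
PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))
WIRE_KEYWORDS = ("wire", "invoice", "payment", "statement")

# Constructed sample data: trusted counterparties and an assumed rule-export shape.
TRUSTED_DOMAINS = {"example.com", "vendor-example.com"}
SAMPLE_RULES: List[Dict] = [
    {"name": "Newsletters", "subject_contains": ["digest"], "move_to": "Reading"},
    {"name": ".", "subject_contains": ["wire", "invoice"],
     "forward_to": ["drop@attacker.example"], "delete": True},
]


def normalize(domain: str) -> str:
    """Fold lookalike characters so that 'examp1e.com' and 'exarnple.com' collapse to 'example.com'."""
    d = domain.lower().translate(HOMOGLYPHS)
    for src, dst in PAIRS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion, deletion or substitution is typical of a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender: str, trusted: Iterable[str]) -> Optional[str]:
    """Return the trusted domain `sender` imitates, or None.

    An exact match returns None: the address is genuine, although, as the post says,
    a genuine address can still be a compromised one and still needs a callback.
    """
    dom = sender.rsplit("@", 1)[-1].lower()
    trusted = {t.lower() for t in trusted}
    if dom in trusted:
        return None
    norm = normalize(dom)
    for t in trusted:
        if norm == normalize(t) or levenshtein(dom, t) <= 1:
            return t
    return None


def suspicious_rules(rules: List[Dict], own_domain: str) -> List[str]:
    """Audit a mailbox's rules; each finding names the rule and why it is suspect."""
    findings = []
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        # Any forward to an address outside our own domain leaks mail to a third party.
        for addr in rule.get("forward_to", []):
            if addr.rsplit("@", 1)[-1].lower() != own_domain.lower():
                findings.append(f"{name}: forwards to external address {addr}")
        # Rules keyed on payment vocabulary that delete or auto-file messages hide the
        # real correspondence from the account owner while the criminal answers it.
        keywords = [k for k in rule.get("subject_contains", []) if k.lower() in WIRE_KEYWORDS]
        if keywords and (rule.get("delete") or rule.get("move_to")):
            findings.append(f"{name}: hides messages mentioning {keywords}")
    return findings


def audit(sender: str, rules: List[Dict], own_domain: str = "example.com") -> List[str]:
    """Combine both checks for one payment request; an empty list means no findings."""
    findings = []
    imitated = lookalike_domain(sender, TRUSTED_DOMAINS)
    if imitated:
        findings.append(f"sender {sender} imitates trusted domain {imitated}")
    findings.extend(suspicious_rules(rules, own_domain))
    return findings


if __name__ == "__main__":
    for line in audit("ceo@examp1e.com", SAMPLE_RULES):
        print("FINDING:", line)
```

A finding from either check should hold the payment for the callback described later in the post; it should not release one, because an address that passes both checks can still belong to a mailbox the criminal controls. The one-character edit-distance test will also flag innocent near-misses, which is acceptable for a pre-release review queue but would be noisy as an automatic block.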

The “classic” email fraud scenario would involve a criminal conducting LinkedIn research to find out who moves payments in an organization. The criminal would then craft an email to that person impersonating one of the company’s executives saying that he or she is hopping on a plane, can’t talk by phone, is working on a confidential project, and please wire funds to a specific account right away.

Another common scenario would be a fraudster impersonating a vendor via email and tricking the victim into sending payment for a pending invoice to the fraudster.

The best advice is never to act on an email (or phone or online portal) request to change payment instructions or contact information without verifying it independently. Similar attacks arrive by text message, known as "smishing" (e.g., a message claiming to be from Amazon or your electric service provider), and are the same vulnerability in another channel.

How can you protect against these potentially devastating losses?

The two biggest drivers of BEC losses, according to JPMorgan Chase, are: 1) failure to properly validate the source of payment instructions with the requestor, and 2) releasing “suspicious” payments that were previously identified and held by institutional controls.

Ultimately, the primary control is performing a proper callback to the person making the request, using the phone number in your system of record, never a number supplied in the request itself. It's important to hold the payment until the call is completed and you have reached the actual source of the request.

Build questions into your policies to follow the breadcrumbs back, such as: Who did you get your payment instructions from and how did you get them? Was it from an email? What kind of due diligence did you do? Did you perform a callback? Crime show detective Columbo used to push for the answer to his most critical question by leading with, “Just one more thing…”

What should you do if fraud occurs?

Prevention is always the preferred method of combatting fraud, and you don't want the liability of passing a payment through based on an email. If fraud does occur, however, there is often reluctance to involve others. But to maximize the chance of recovering funds, it's important that you take these steps immediately:

  • Contact your upstream provider immediately to report fraud.
  • Report fraud to the FBI’s Internet Crime Complaint Center at IC3.gov.
  • Contact your local FBI office.
  • Contact other law enforcement agencies as appropriate.

The sooner you act, the greater your chance of recovering funds. Every minute counts and, in some cases, law enforcement will assist with the recovery of funds.

The flaming arrows of Business Email Compromise are likely to come. Ensuring your staff is trained to recognize them and respond appropriately will go a long way toward covering that vulnerability.

As Catalyst Corporate’s Vice President of Correspondent Services, Justin Lutes oversees the member services team, along with wire transfer, ACH, card services (ATM/debit) and vault cash operations. He is also certified as an Accredited ACH Professional and a National Check Professional.
