Financial scams and fraud are rampant in the United States and around the globe. According to the Federal Trade Commission, more than 3,000,000 complaints/reports were filed in 2016. For the first time, “imposter” scams surpassed identity theft in the total number of complaints. These imposter scams are so dangerous and trap so many people because of how innocuous they first appear. Payment fraud is a case in which size actually does matter. Larger companies (based on revenue) with more accounts are more likely to have been subject to fraud over the past year.
Finance professionals frequently encountered business email compromise scams in 2016. Business email compromise (BEC) scams mainly target wire transfers. This can be clearly seen in the data from the 2017 Association for Financial Professionals Payments Fraud and Control Survey, which reported that wire transfers were the second most-often targeted payment method, with 46% of respondents reporting this type of fraud. The 46% who reported encountering this type of payment fraud in 2016 is an increase from the 14% who encountered it in 2013. The increase in wire transfer fraud has been correlated with a sharp increase in the frequency of BEC scams since 2014. BEC scams are carried out by imposters who compromise legitimate business email accounts through social engineering or computer intrusion in order to facilitate the unauthorized transfer of funds. These scams can be hard to spot: the email requesting the transfer of funds may seem legitimate, but it’s always better to be safe than sorry. With that in mind, here are 7 tips that you can use to protect yourself and your organization from payment fraud.
1. Know The Three C’s Of Protecting Against Business Email Compromise
- Compare email addresses. Pay special attention to deceptive characters, incorrect punctuation, and misspellings in email addresses.
- email@example.com vs. firstname.lastname@example.org
- Check the language. Misspelled words, misused grammar, and language that is not typical of the email sender can be red flags.
- “I need this done today but I at doctor’s office. You can reach me through email.”
- Call to confirm. Emailing the client to confirm their request is futile if you are already communicating with a suspect. Get the client’s number from a verified source and then call to double-check that the transfer request is valid.
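The “compare email addresses” check can be partly automated. The example below is added here and is not part of the original post or FRSecure’s tooling; it assumes a constructed allow-list of trusted domains and a small hand-built homoglyph map, and flags sender domains that are one or two edits away from a trusted domain or that only match after look-alike characters are folded.

```python
# Added example (not from the original post): flag sender addresses whose
# domain is a near-miss of a trusted domain, as the "Compare email
# addresses" tip describes. Trusted domains and sample addresses are
# constructed for illustration.
import unicodedata

TRUSTED_DOMAINS = {"example.com", "example.org"}  # constructed allow-list

# Hand-built map of common look-alike glyphs to their ASCII counterparts.
# Assumption: a real deployment would use a fuller confusables table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0456": "i", "\u0455": "s", "\u0445": "x",
               "0": "o", "1": "l"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (catches typos like exarnple.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Fold Unicode forms and map look-alike glyphs to ASCII so that a
    domain written with Cyrillic letters compares equal to its ASCII twin."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def check_sender(address: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Classify a sender address as trusted, lookalike, unknown or malformed."""
    if address.count("@") != 1:
        return "malformed"
    domain = address.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return "trusted"
    norm = normalize_domain(domain)
    if norm in trusted:
        return "lookalike"  # matches only after homoglyph folding
    if any(levenshtein(norm, t) <= max_dist for t in trusted):
        return "lookalike"  # typo-squat of a trusted domain
    return "unknown"
```

A “lookalike” result is exactly the case where the tip says to stop and call the client on a verified number rather than reply by email.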
2. Use A Dedicated Computer For Banking
- The “banking” computer should be used for no other purpose; no checking email, no Internet browsing, etc.
- Ask IT to restrict the “banking” computer network connections to only those systems that are required for operation.
- Ask IT to “harden” the “banking” computer; this means disabling unnecessary services, restricting privileged access, regular password changes, etc.
- Consider using a non-Windows system for the “banking” computer.
3. Be Wary Of Communications You Don’t Initiate
- Never give sensitive information to a caller who called you; sensitive information should only be given on calls that you made using known phone numbers.
- Never give access (to your computer, to your email, to an application, etc.) to a caller who called you.
- Validate emails that ask for financial transactions or access to something sensitive. Validate by calling (see Tip #1).
4. Employ Dual Control
- Consider dual control on all financial transactions (or transactions that exceed certain dollar amounts).
- Consider dual control on all changes to payment accounts, i.e., where the money goes.
- Consider dual control on all payment account setups.
- Consider where other sensitive (or critical) processes may require dual control.
5. Use Strong Authentication (Multi-Factor Authentication)
- Strong authentication should be used for validation of all critical processes.
- Online banking and financial systems should all be configured to use strong authentication.
- Privileged access to systems and applications should be configured to use strong authentication.
- All online login accounts should be configured for strong authentication.
6. Monitor And Balance Financial Accounts Daily
Daily monitoring will not stop fraud and will not identify all fraud; however, it will help identify signs of fraud. If regular payments are made to certain vendors or customers, use trends in payment history over long periods of time (if feasible).
7. Conduct Employee Background Checks
Background checks should be conducted on all personnel; however, this is especially important for personnel working with financial systems. Background checks should be conducted at the time of hire and periodically thereafter.
Bonus Tip: Report Events And Incidents Immediately
Report any unusual activity to information security personnel immediately. Things that are out of the ordinary may be an indication of something more serious.
If you have fallen for a phishing attack or suspect that you may be a victim of an attack, report the event(s) to information security personnel immediately.
We should always operate with a heightened sense of awareness. Report events and incidents right away.
I hope that you’ve found these tips helpful. Payment fraud is a constant threat so it’s vitally important that you stay vigilant and on the lookout for scammers looking to masquerade as clients or legitimate businesses. If you have any questions about how you can help protect your organization please contact us or check out what FRSecure can do for you.