Wire Transfer Fraud: A Threat to Business Owners
In February 2018, a New York-based victim of a business email compromise (BEC) filed a complaint with the Recovery Asset Team (RAT) of the Federal Bureau of Investigation (FBI)’s Internet Crime Complaint Center (IC3) after receiving a compromised email from their closing agent during a real estate transaction. The email had started a wire transfer of $50,000 to a fraudulent bank account also located in New York. Fortunately, the IC3 RAT was able to work with the bank and the victim to help them recover the funds. However, this story points to a big threat to business owners: wire transfer fraud.
In its 2018 Internet Crime Report, the FBI states that BECs are “scams targeting businesses working with foreign suppliers and/or businesses regularly performing wire transfer payments.” Both businesses and individuals are targeted, and the report cites the manufacturing and construction industries as those most frequently targeted. Why? These industries are typically slower to adopt cybersecurity policies, making them more susceptible to threats.
How does it work? Don’t ever underestimate hackers. They usually watch a business (and its employees) for some time, learning patterns for wire transfer requests, reviewing outgoing communications, etc. From there, they will target the business, or a vendor that works with it, to compromise the business’s email and either initiate or request a fraudulent wire transfer.
What can a business do? Training employees in cybersecurity is an important first step. Don’t just train once; train frequently, so that information is retained and reinforced. One very important topic is social engineering, which, according to Webroot, is “the art of manipulating people so they give up confidential information.” It can come in the form of an email from a friend or another trusted source. The message contains a link or download and may seem legitimate at first, and it could ask for a variety of things, such as urgent help or a charitable donation, or notify you that you’ve won a fictitious award or prize. The idea is to bait a user into giving away sensitive information. Educate employees on what this looks like, show them how to report suspicious incidents, and make sure this information is reiterated frequently.
Of course, cybersecurity insurance is important and recommended, as it helps a business recover from a security breach or other cyber event.