Wire Transfer Fraud continues to be a real threat for many organizations who receive invoices from threat actors that look legitimate. Don’t get caught. With some advance planning and key security measures in place, you can protect your organization from falling prey to sophisticated criminal activity.
The first step in protecting your business is to understand that the methods being used by cybercriminals to interrupt and redirect wire payments can be quite covert and sophisticated. Scammers may use targeted email phishing, or other social engineering methods, to steal information and then use that information to manipulate an employee or executive into completing a fraudulent wire transfer. Fraudsters do this by inserting themselves into an online transaction and posing as a trusted vendor, service provider, or other known business contact.
While online scams aren’t new, the COVID-19 pandemic added an additional layer of risk when the internet was used at an unprecedented rate and our reliance on online business transactions increased dramatically. The cybersecurity impact of this has been significant, but there are many ways you can protect your organization from Wire Transfer Fraud.
Consider implementing these steps prior to wiring funds:
1. Include this footnote on your invoices:
“To help prevent cyber fraud, our organization does not include wire transfer information on our invoices or emails. To make a wire payment, please call us directly so we can provide our banking information. Additionally, any request for electronic payments, or modifications/changes to your current payment method should be confirmed by contacting our organization at a known contact number, not the number provided within the email, unless they are the same.”
2. Use professional judgement:
Exercise caution with all requests for electronic payments, especially related to changes in your current payment method(s). Assess whether the request seems legitimate or fraudulent. Does the sender’s name, email and domain name look accurate and authentic? Are the instructions unusual in any way – e.g., a sudden change in bank and/or account information after years of dealings? Was the request rushed or urgent? Does something seem off?
3. Validate the request:
Do not immediately reply to wiring instructions received electronically or by phone. Wait until you have time to review the request and validate the information. Take the time to be thorough and careful.
4. Use the information you have on file:
Use the phone number and information you have for the account, not a new number that has been provided in the updated instructions/request – even if the email appears to be from someone you know. Initiate the call yourself. Only process the payment when all of the information has been checked and you have confirmed the payment and recipient is legitimate.
5. Include secondary authorization within transfer procedures:
Require a second individual in the organization to authorize a transfer with new or updated wiring instructions.
Third Party Liability
Please be aware that if you have a Cyber insurance policy, it often provides third party defense coverage if your business partner suffers a cyber security incident and alleges that your organization is the cause of the breach. If this happens, we recommend that you immediately contact the Cyber Breach Coach on your Cyber policy. The Breach Coach will engage a forensic investigator to review your network and identify any issues that need to be addressed related to the allegation and to identify the entry point of the intrusion. Furthermore, the findings are protected by Attorney-Client privilege when the Breach Coach (Data Privacy Attorney) is engaged. This exposure would not be covered in a typical Crime policy and is subject to a lower sublimit for fraudulent impersonation coverage.
Individual risk can also be an issue in fraudulent wire transactions. If an Executive is deceived into providing personal information and a fraudulent wire transfer takes place using personal data or funds, this incident is not covered by your organization’s insurance policy. Some homeowner policies, however, offer optional coverage for the loss of personal assets. Please consider having your organization’s executives review the availability of this coverage with agents from their personal homeowner’s insurance.
Tips from the FBI
In the U.S., the FBI is the federal agency that investigates cyberattacks and provides information on how to protect yourself from cybercriminals. The FBI has provided these tips for National Cybersecurity Awareness Month:
- Recognize that cybercriminals will use current events (like the catastrophic hurricane in Florida or a global conflict) to appeal to your organization for help. Be suspicious and do not send payments without researching and verifying legitimacy.
- If you’re not expecting a specific document, do not click links or open unknown email attachments. Verify the sender first and be aware of variations in spelling or an email address that looks unusual.
- Travelling? The FBI warns that free charging stations provided in airports and other public places can infect your devices with malware and monitoring software. They recommend finding a power outlet and using your own plug and charger.
Your Graham Company Service Team is here to help you protect your organization from cybercrime and fraudulent wire transfers. We can assist you in determining the best way to manage, finance, and transfer your organization’s cyber risk. If you are interested in discussing further, please reach out to your Graham Company Account Manager.
If you have questions about your cyber posture, we encourage you to talk with us about GRAHAM CYBER BLUEPRINTSM. With Graham Cyber Blueprint, you can improve your cyber strategy and insurability as a result of completing a quick questionnaire that will help you identify areas for improvement and general recommendations for next steps to strengthen your organization's cybersecurity defenses. Fill out our Graham Cyber Blueprint questionnaire HERE.