People and businesses expect access to their money and payments whenever and wherever they want, and as a consequence the number of programs and apps for transferring funds electronically has grown hugely in recent years. New technology offers vendors, clients and partners a convenient and quick way to send and receive payments.
In tandem with this growth, however, criminals have become more aware of the high potential transaction value of electronic funds transfers and are turning to subversive means, such as impersonating executives, to steal huge amounts of money from corporations.
This relatively new but rapidly increasing type of electronic funds transfer fraud – called ‘CEO fraud’ – has crippled many organizations over the past few years. Individuals create bogus messages that appear to come from a senior leader, for example the CEO, and ask employees to wire funds to them. The messages ultimately trick employees into transferring large amounts of cash electronically.
Fraudulent transactions such as these average around $67,000, although individual incidents targeting fewer people in a company can easily reach seven-figure sums. It is easy to see how CEO fraud has the potential to bankrupt a major business, particularly when you consider that one CEO recently lost $55 million to wire fraud. The FBI reports that CEO fraud has cost organizations more than $3 billion over the past three years alone, and it estimates that the likelihood that firms could be victimized by CEO fraud has increased by 1,300 per cent since January 2015.
Criminals are committing more and more CEO fraud because of the exponential payoff and high probability of success. To combat these attacks, businesses need to implement advanced and accurate security controls that are capable of analyzing patterns and flagging potential frauds before transactions are completed. The following are protocols that C-level executives and other financial leaders within organizations can put in place to reduce the threat and ultimately prevent CEO fraud.
Creating special, risk-based processes for approving unusual transfer requests
Organizations should implement a system that flags requests larger than a particular amount (e.g. greater than $10,000); leverages analytics to uncover deviations in behavior; and recognizes when the location of the request is unusual (e.g. outside of the continent). These steps can trigger a second review of the transaction request and add an additional layer of security.
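The three triggers described above can be combined into a single pre-approval check. The sketch below is an added example, not code from the original article: the $10,000 limit is the article's own example, while the field names, the "three times the requester's median" deviation rule, the new-beneficiary check and the home-continent set are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import median

AMOUNT_LIMIT = 10_000      # the article's example threshold (USD)
DEVIATION_FACTOR = 3.0     # assumption: flag amounts above 3x the requester's median
HOME_CONTINENTS = {"EU"}   # assumption: where this organization normally operates


@dataclass
class TransferRequest:
    requester: str
    amount: float
    beneficiary: str
    origin_continent: str  # e.g. derived from the source IP of the request


def review_reasons(req, history):
    """Return the reasons a request needs a second review (empty list = none).

    history is a list of previously approved TransferRequest objects.
    """
    reasons = []
    if req.amount > AMOUNT_LIMIT:
        reasons.append("amount_over_limit")

    past = [h for h in history if h.requester == req.requester]
    if not past:
        # No baseline exists, so a first-time requester is itself a deviation.
        reasons.append("no_history_for_requester")
    else:
        typical = median(h.amount for h in past)
        if req.amount > DEVIATION_FACTOR * typical:
            reasons.append("amount_deviates_from_history")
        if req.beneficiary not in {h.beneficiary for h in past}:
            reasons.append("new_beneficiary")

    if req.origin_continent not in HOME_CONTINENTS:
        reasons.append("unusual_location")
    return reasons


# Constructed sample history, for illustration only.
HISTORY = [
    TransferRequest("cfo@example.com", 2_000, "ACME-SUPPLY", "EU"),
    TransferRequest("cfo@example.com", 2_500, "ACME-SUPPLY", "EU"),
    TransferRequest("cfo@example.com", 1_800, "OFFICE-LEASE", "EU"),
]

if __name__ == "__main__":
    urgent = TransferRequest("cfo@example.com", 67_000, "NEW-VENDOR-LTD", "AS")
    print(review_reasons(urgent, HISTORY))
```

Any non-empty result should hold the transfer until a second person has confirmed the request through a channel other than the one it arrived on.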
Outsourcing the review of transfer requests
Using an external accountant or financial assistant to perform in-depth reviews of wire transfers can assist in preventing unintended fraudulent activity.
Performing scans of the email system regularly
Criminals hack into email servers and send counterfeit requests from authentic C-level email addresses, which then become virtually untraceable when the criminal deletes the outgoing messages. Businesses can run routine tests of their servers, as well as update passwords regularly.
Using analytics and predictive techniques for real-time detection
Companies can partner with outside vendors who can help them build predictive models, based on either their specific data or consortium data, to detect and combat CEO fraud in real time.
Wire transfers are typically large, fast and difficult to repudiate, and with the introduction of more and more real-time settlement systems globally, the transfers are often final. Strategic planning can help mitigate losses.
Adapted from an article by Andrew Davies for ITpro