In a continually evolving global financial landscape, where banking networks are shrinking, volumes of digital payments are increasing and payments are being processed in seconds, fraudsters are creatively finding new ways to steal from organizations.
Cyber-related fraud risk is emerging as one of the primary threats to today’s organizations. In response, organizations need to be agile in responding to cyber threats and embrace new approaches and technologies to detect, predict and prevent wire transfer fraud.
Understanding Wire Transfer Fraud
Wire transfer fraud refers to a scenario in which a fraudster defrauds or obtains money based on false representations. In today’s technical world, fraudsters are attempting to infiltrate organizations through electronic communications such as email, text messaging or social media messaging, among others. Based on recent investigative experience, KPMG has seen an increase in the use of phishing attacks as a mechanism through which fraudsters are able to gain access to corporate financial information.
A phishing attack refers to a scenario in which an individual sends an email pretending to be someone they are not in order to obtain information from the target of their attack. Phishing commonly involves the recipient clicking on a link contained within the email and entering their password, after which the fraudster is able to gain sufficient information to obtain access to the victim’s account or mailbox. From there, the fraudster is able to extract financial information that they can use in an attempt to complete fraudulent wire transfers or, alternatively, to impersonate the individual and complete fraudulent wire transfers in that way.
The goal of a phishing attack focused on obtaining financial information is usually one of the following:
As an example, consider a situation in which an employee receives an email from a vendor regarding payment of a recent invoice. The tone of the email is welcoming, congratulates the employee on their recent promotion and mentions that the vendor’s financial year end is approaching and that expedited payment associated with the outstanding invoice would be appreciated. The employee remembers that the vendor recently completed work for the organization, recognizes the account executive’s name and submits the invoice for payment. However, the employee was unaware that the email they responded to was actually from firstname.lastname@example.org instead of email@example.com – the account executive’s actual email account.
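The scenario above turns on a familiar name attached to an address that is not the vendor's real one. As an added example (not part of the original article), the following check compares the sender of a payment request against a vendor master record; the vendor, contact name, addresses and the two-character distance threshold are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed vendor master record: contact details verified out of band.
VENDOR_MASTER = {
    "Acme Supplies": {"contact": "Jordan Doe",
                      "address": "jordan.doe@acme-supplies.example"},
}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header, vendor, master=VENDOR_MASTER, max_distance=2):
    """Classify the From header of a payment request against the vendor record."""
    record = master[vendor]
    name, address = parseaddr(from_header)
    address, known = address.lower(), record["address"].lower()
    if address == known:
        return "verified"
    domain, known_domain = address.rpartition("@")[2], known.rpartition("@")[2]
    # A domain a character or two away from the real one is a look-alike.
    if domain != known_domain and edit_distance(domain, known_domain) <= max_distance:
        return "lookalike-domain"
    # Familiar display name on an address that is not on file.
    if name.strip().lower() == record["contact"].lower():
        return "name-only-match"
    return "unknown"


if __name__ == "__main__":
    # Constructed From headers for illustration.
    for header in ("Jordan Doe <jordan.doe@acme-supplies.example>",
                   "Jordan Doe <jordan.doe@acme-suppIies.example>",
                   "Jordan Doe <jordan.doe@freemail.example>"):
        print(header, "->", check_sender(header, "Acme Supplies"))
```

A "verified" result only means the address matches the record. It says nothing about a forged header or a compromised mailbox, so it does not replace confirming payment details through a separately verified channel.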
However, the threat is not only external. Consideration should be given to the potential harm of insider fraud, which can be as great as, if not greater than, that of external fraud, given the ability of employees to exploit weaknesses in an organization’s controls to target the organization’s financial assets.
As data volumes increase and security mechanisms become more complex, fraudsters are turning to artificial intelligence (AI) to compromise data and its security. As an example, fraudsters are leveraging AI to automate cyberattacks, to increase the efficiency and effectiveness of exploiting vulnerabilities and to develop malicious code that can evolve and change to disguise its existence. To combat AI adoption by fraudsters, organizations are turning to AI to detect, predict and prevent security incidents. The role that AI has to play in relation to cyber security will continue to evolve on both sides of the fence.
How Do Financial Institutions Fit into the Puzzle?
From the perspective of a financial institution, the difficulty in detecting wire transfer fraud is that, in most cases, it appears that a customer is legitimately accessing their own account or providing legitimate instructions regarding fund transfers. Financial institutions are continually evaluating their controls and several institutions now have dedicated teams that operate to address these risks.
Measures to Detect, Predict and Prevent Wire Transfer Fraud
There is a growing need for organizations to ensure a balance between operational efficiency and the protection of one of their most valuable assets: their financial assets. Ineffective controls and systems within an organization can lead to the mismanagement of fraudulent incidents, which in turn negatively impacts an organization’s ability to make appropriate resource allocation and investment decisions.
Effective wire transfer fraud controls leverage both technology solutions and human expertise. One of the primary technical protection mechanisms is the implementation of access or control rights to information. Access or control rights are mechanisms that govern access (and revocation) rights to information, usage limitations and security. Similarly, access rights can be used by organizations to create a standardized or customized set of management protocols that define the manner in which information is shared with third parties. In this respect, access controls provide organizations with the ability to securely and confidentially link their financial information with key personnel.
With respect to human expertise, organizations should implement one or more of the following mechanisms in an attempt to combat wire transfer fraud: