Texas-based firm Orion recently fell victim to a significant wire transfer fraud scam, which ended up costing the business $60 million at the end of the day. While many may think such scams are rare, the FBI reports that bank wire transfer fraud is a multi-billion-dollar problem that last year alone saw 84% of businesses hit with fraud attempts. It’s time for companies to take necessary action to weed out scammers before they join the list of wire transfer fraud victims.
Some recent examples of those who have been successfully scammed include the following:
- Toyota lost $37 million to a business email compromise (BEC) involving invoice fraud.
- Tech company Ubiquiti was scammed out of $46 million through CEO impersonation.
- Scouler Co. was hit with a $17.2 million acquisition scam via CEO impersonation.
- Facebook and Google were scammed for over $100 million.
Preventing bank wire transfer fraud begins with an understanding of what it is. Bank wire transfer fraud occurs when a scammer convinces a business to send funds to a fraudulent account. At face value, it might seem like identifying a scammer would be far easier than defending against other threats, such as ransomware attacks. That view is misguided. These criminals employ sophisticated tactics and exhibit behavior that’s extremely that flies below the radar of current systems.
Here is how a typical wire transfer fraud plays out:
- A vendor’s mailbox is compromised, allowing an attacker to gain access to critical information that they can use to open additional accounts in the vendor’s name. On the surface, the accounts look legitimate, which is why they don’t raise a red flag with a business’s bank account validation solution. Scenarios like this shine a spotlight on why traditional validation processes are flawed.
- At this point, the attacker begins communicating with the business, generally via an existing email chain. These communications are not nefarious—quite the opposite. At this point, the scammer wants to establish credibility, not raise suspicion. This step can go on for an extended period.
- Once a sufficient level of trust has been established, the scammer requests a payment change, sends fraudulent invoices, and begins diverting funds to a new account. Some of these requests will communicate a sense of urgency, pressuring the victim to “think less” in favor of moving quickly.
Traditional email security tools like Secure Email Gateways (SEGs) and behavioral AI solutions, which most organizations rely on today, fall short in effectively detecting and preventing business wire transfer fraud, even when the attack comes from email. SEGs, for instance, focus on spotting threats with obvious signs of maliciousness, like phishing links. However, when fraudsters employ advanced social engineering tactics by crafting emails that appear genuine or even hijacking an employee’s email to interact normally, SEGs fail to raise any alarms. Similarly, behavioral AI tools struggle against these scams because fraudsters know how to dupe the models by exercising patience and being adept at blending in overtime, mimicking normal activity until they’re ready to strike. This allows them to slip past these defenses undetected.
How to Combat Bank Wire Transfer Fraud
So, what options do companies have if SEG filters and behavioral AI can’t stop bank wire transfer fraud? Businesses need a holistic solution beyond email security and covering the entire payment process, including detecting unusual account changes and duplicate invoices in systems like ERPs.
Email-focused tools tend to overlook ERP systems, which have a much broader scope that includes an array of business processes and data types that go far beyond email. ERP systems are also very complex and email-focused tools tend to struggle to effectively monitor and secure all aspects of an ERP system.
Stopping Fraud with AI
When it comes to stopping these scams, a team’s best weapon is AI. Today’s modern AI-based analysis systems excel where these other solutions fall short. That’s because they can monitor and assess every aspect of operations, scrutinize emails for changes in tone and writing style, identify suspicious links, and even delve into other people included in the thread. From there, the systems can generate real-time risk and trust scores, flag discrepancies or anomalies, send alerts for potentially fraudulent activities, and integrate smoothly into existing workflows for easy adoption.
These systems also provide a view of the third-party vendors that comprise your supply chain. This includes complete visibility into their management, the ability to track activities, control their permissions and system access, and enforce all key security protocols. This supply chain view is vital because these businesses that are so important to your day-to-day business are attractive targets for scammers because they often lack the same levels of security as larger enterprises, making them easy to exploit.
The high-profile cases of Toyota, Ubiquiti, and others should have most companies taking notice, as should the fact that more victims will join their ranks soon. Avoiding this dubious honor means reevaluating current strategies regarding bank wire transfer fraud. Most notably, stop counting on SEGs and behavioral AI solutions to weed the scammers in favor of a new breed of AI-powered systems that span the entire payment process to stop the scammers dead in their tracks.
Ad
Join over 500,000 cybersecurity professionals in our LinkedIn group “Information Security Community”!