Funds transfer fraud might not be the most common online crime, but it is one of the most financially damaging because it usually involves significant amounts of money. It is also known as wire transfer fraud because it involves transferring funds online.
What makes this kind of fraud particularly damaging for businesses is the fact that it’s almost impossible to recover the funds fraudsters stole from you. They set up fake accounts and use several money laundering techniques, and by the time a company realizes it was spoofed, the money is long gone, and the bank accounts are closed.
The Department of Justice announced earlier this year that a dual Canadian and U.S. national was sentenced to 11 years in federal prison for laundering tens of millions of dollars obtained in various wire transfer schemes. The court ordered him to pay $30 million in restitution, but it’s a fact that most of these perpetrators never get caught.
According to Statista, $439 million was lost in the U.S. in 2019 due to fraudulent wire transfers. Anybody can fall victim to fraud like this, whether it’s a small, family company or a multinational corporation. The cost of the fraud increases even further when you start the investigation and discover all the security liabilities you need to patch and reinforce.
Common Ways to Deliver Funds Transfer Fraud
Business email compromise is the most common way to deliver funds transfer fraud. The FBI indicated in its 2020 Internet Crime Report that there were 19,369 complaints of business email compromise (BEC), with an adjusted loss of approximately $1.8 billion.
This kind of compromise usually starts with a social engineering attempt or a phishing attack. Tricking or manipulating people into giving cybercriminals access to the company network opens the door for fraudulent transactions.
In a social engineering attack, the criminals assume the identity of the company CEO or any other executive to instruct an employee from the financial department to transfer money to their ghost account. They send an email to the employee, urging them to transfer funds into the provided account. An employee who doesn’t regularly interact with the executives could take this email seriously and approve the transaction.
To make the story more credible, the attackers usually observe their targets’ online behavior for a while before gaining access to their network. They can also impersonate one of your vendors or partners when requesting payment from your employee.
Another common business email compromise scenario happens when criminals steal login information for their victim’s account through phishing attacks. The fraudsters create websites and login pages that look authentic, where people leave their credentials when attempting to log into their accounts.
The criminals later use the credentials to create fake invoices and send them to the company’s clients, who end up transferring funds into the bogus account fraudsters provided. It can be days or weeks until the fraud is discovered, and by that time, the recovery of funds is impossible because the fraudsters will have closed the account.
How to Prevent Funds Transfer Fraud?
As with many other types of crimes, prevention is the best way to protect your business from funds transfer fraud. Provide the necessary education for your employees on recognizing, reporting, and preventing phishing attempts that could lead to a fraudulent funds transfer. Their swift reaction and proper response could save your company’s funds and networks.
Let’s discuss some steps you can take to protect your company:
- Educate your employees: Your employees should be able to recognize a fraudulent email. Instruct them to double-check the email address to verify if the sender is who they say they are. They should also check the email subject line and body for grammatical and spelling errors that are common in phishing emails. If everything seems legitimate, but an employee still has doubts, instruct them to contact your cybersecurity team.
- Consider using dual control: Nobody from your team should make unauthorized wire transfers. Have at least two finance or legal department employees check the validity of a funds transfer request.
- Implement two-step funds transfer verification: If the invoice came through email, you should confirm the source and validity through a phone call or another previously established method.
- Test your system regularly: If you don’t have a cybersecurity team inside your company, hire an expert or an agency to test your system for vulnerabilities. The test should include a check for auto-forwarding rules within email accounts that could imply an outside setup for fraudulent activities.
- Make certain payments through the Automated Clearing House (ACH) system: This is a system set up by the Bureau of the Fiscal Service to process electronic payments. It can take up to a few days to complete the transaction, which makes it a good safeguard against transfer fraud since it leaves enough time to reverse the transfer.
- Purchase adequate insurance policies: Certain policies and endorsements offer protection from funds transfer fraud. Consider buying them for your business if your company is at risk of falling victim to one.
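The check for auto-forwarding rules mentioned under "Test your system regularly" can be run against an export of mailbox rules. The following Python is an added example, not part of the original article; the record layout, the `INTERNAL_DOMAINS` set and the sample rules are constructed assumptions, and rating forward-and-delete rules as higher severity is an added heuristic.

```python
from email.utils import parseaddr

# Assumption: domains the company owns; anything else counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample export; field names are illustrative, not a platform schema.
SAMPLE_RULES = [
    {"mailbox": "ap@example.com", "name": "Team copy",
     "forward_to": ["finance-team@example.com"], "redirect_to": [],
     "delete_after": False},
    {"mailbox": "cfo@example.com", "name": ".",
     "forward_to": ["inbox4471@mail.example.net"], "redirect_to": [],
     "delete_after": True},
    {"mailbox": "clerk@example.com", "name": "Invoices",
     "forward_to": [], "redirect_to": ["Billing <billing@EXAMPLE.ORG>"],
     "delete_after": False},
]

def domain_of(address):
    """Lower-cased domain of an address; handles 'Name <user@host>' forms."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def is_internal(domain):
    """True only for an owned domain or a real subdomain of one."""
    return any(domain == d or domain.endswith("." + d)
               for d in INTERNAL_DOMAINS)

def audit_rules(rules):
    """Return one finding per rule that sends mail outside the company."""
    findings = []
    for rule in rules:
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        # Unparseable targets yield an empty domain and are flagged too.
        external = [t for t in targets if not is_internal(domain_of(t))]
        if external:
            findings.append({
                "mailbox": rule["mailbox"],
                "rule": rule["name"],
                "external_targets": external,
                # Forward-and-delete hides the copy from the mailbox owner.
                "severity": "high" if rule.get("delete_after") else "medium",
            })
    return findings

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f["severity"], f["mailbox"], f["rule"], f["external_targets"])
```

Each finding should be confirmed with the mailbox owner before the rule is removed, since some external forwards are legitimate.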
How to Make Sure Your Business is Covered?
If your business ends up making the funds transfer to a fake account, it is very likely that you won’t be able to get those funds back from the fraudsters. That’s where insurance would come in handy as a financial safety net to help you recover your money. The two policies to respond to this type of exposure are commercial crime and cyber liability insurance policies.
A commercial crime insurance policy is designed to cover dishonest acts such as burglary and petty theft, including fraudulent funds transfers that your part-time staff, volunteers, or contracted staff commit. This coverage has evolved together with the business world, and it now covers crimes in the digital world, such as information theft, but at a basic level.
If you want the coverage to respond to a digital funds transfer fraud, talk to your insurer to include that particular extension into your policy. Your company would be reimbursed for the loss of funds and securities caused by a third party.
A more comprehensive policy for all digital crime is a cyber liability insurance policy. Cyber liability insurance covers your direct losses resulting from cybercrime, and other financial damage that could cause more indirect losses.
However, social engineering attacks are usually not included in the scope of liabilities a cyber insurance policy covers. Given that a certain number of funds transfer frauds start with a social engineering attack, you should consider adding a special extension to your policy to ensure you are protected.
Both these policies are first-party policies in their basic forms. That means that they cover only the losses your company suffers in case of successful fraud. If there is a possibility that this crime could also affect your clients, vendors, or other parties you work with, consider obtaining third-party policies as well. They would ensure all third parties are reimbursed for the potential losses they suffered when your company suffered a social engineering attack.
If you still have doubts about what each policy covers, feel free to reach out to one of our experienced brokers at any time. You can also sign up to Embroker’s digital platform and buy your coverage and extensions in 10 minutes.