FX International Payments
By Bill Camarda
Considering the recent growth of international wire transfer fraud, businesses may wish to invest in those countermeasures. Cybersecurity professionals recommend, for example, that all employees at every level of an enterprise be trained on how to recognize and respond to phishing threats; that user authentication processes go beyond simple password protection; that companies deploy technical solutions that automate anomaly detection; and that cyber protection processes and procedures be subject to regular testing. Finally, law enforcement agencies recommend reporting attacks so that the shared information can lead to stronger cyber defense for the entire business community.
Universal deployment of such countermeasures could help dampen dramatic growth in international wire transfer fraud, which has accelerated in recent years. In an April 2016 public alert, the U.S. Federal Bureau of Investigation (FBI) said that between October 2013 and February 2016 the law enforcement community received wire transfer fraud reports from 17,642 victims claiming $2.3 billion lost.1 Victims were reported in all 50 U.S. states and 79 other nations. Large companies that routinely process international wire transfers may be at greatest risk, but even small companies and non-profits have been attacked.
To effectively counter international wire transfer fraud, it helps to understand how it works. International wire transfer fraud can come in multiple forms. The highly prevalent Internet- and email-oriented forms are sometimes called business email compromise (BEC), "spear phishing" (because they may be narrowly targeted) or "whaling" (because the criminals often impersonate a corporation’s "big fish"). However, there are other forms, as well, which are discussed separately here. The BEC form covered in this post often follows a pattern like this:
1. Criminals perform detailed research about a company, leveraging social media and other public sources. For example, criminals might see a press release announcing that a company has hired a new CEO. They know employees will know little about the new person, but will want to impress the new leader with their efficiency and speed. Or they may see social media reports that a company in the Far East has entered an international trade agreement with a company, and attempt to compromise that company’s supply chain by misrepresenting themselves as an executive of the Far East trading partner.
More often, criminals will supercharge their research by illicitly accessing a corporate email system. If they can compromise a server or an individual account, they can start tracking conversations among the company’s employees. They can learn how the company operates internationally, how often it sends international wire transfers, whose responsibility they are, where payments typically go, what types of projects are involved or even when executives are traveling. They can learn, and use, language executives have used before. It may seem far-fetched that hackers could remain undetected in a company’s network for long enough to achieve all this. But according to a report last year from the Ponemon Institute, over half of the breached companies it surveyed discovered their breach more than a year after it occurred (33%) or did not know how long the hackers had access to their corporate networks (20%).2
2. Based on the information collected, cyber criminals craft a convincing email in the name of a senior company executive (or an executive at a trusted global supply chain partner). If they've compromised a corporate email server or an executive's account, the fake message can come from within. If not, they can craft a fake email address and domain name almost identical to the legitimate source.
The email will be targeted at a financial manager who is authorized to process international wire transfers. The email will usually express urgency, perhaps claiming that the payment must be expedited to support a key acquisition. Some criminals even demand to keep the payment secret in the name of “SEC regulations."3 Sometimes, criminals may learn of a specific project where a legitimate payment will soon be required. They can step in and submit their own international wire transfer instructions in place of the legitimate vendor.4
3. If the employee does make the payment, the criminals quickly move the money elsewhere – usually transferring it into accounts or forms that can't easily be traced.
Security researcher Brian Krebs notes that international wire transfer fraud often evades technical protections against other email phishing fraud, because no mass emailing is involved. Instead, one or just a few carefully targeted and highly personalized emails are sent. This means companies can't rely on conventional anti-spam measures for protection.5
There are many countermeasures businesses can take to help protect their international wires from fraud. Here is a roundup of recommendations:
Countermeasures begin at the top, by making sure that senior executives understand phishing and the risks it poses to their companies and themselves. Once leaders understand the risks, they can cooperate to adjust processes for making international wire transfers more phishing proof. In some companies, it may be practical for executives to assure colleagues that they will never request an international wire transfer solely via messaging system; or (as discussed in more detail below), to require verbal confirmation of any transfer. Whatever the rule, the entire financial organization should know how to respond when asked via email to process an international wire transfer. As Government Technology magazine points out, it's important to make sure the finance team realizes that international wire attacks will evolve as criminals learn from experience.6
After training everyone, test to see what happens when employees receive a potentially suspicious wire transfer request. (Further training may be needed.)
Multi-factor authentication means using two different, unrelated forms of identification to verify identities. For example, use of a password and a numeric sequence text-messaged to a smartphone to enable login to email, or a server that houses payment services or information. Multi-factor authentication can be used more widely than today, for email, virtual private networks (VPNs) and access to key stages of the international wire transfer processes (e.g., accepting or changing payment details).
Bank regulator Federal Financial Institutions Examination Council (FFIEC) recommends "out-of-band authentication," meaning that "a transaction… initiated via one delivery channel (e.g., Internet) must be re-authenticated or verified via an independent delivery channel (e.g., telephone)… to be completed." FFIEC points out that, "out-of-band authentication directed to or input through the same device that initiates the transaction may not be effective since [it] may have been compromised." Therefore, authentication should be provided "by someone other than the person who first initiated the transaction [and] combined with other administrative controls."7
Some technical measures can be taken to mitigate international wire fraud risk. For example, since some phony emails possess forged sender addresses, businesses may consider using Sender Policy Framework (SPF) to make sure emails come from where they claim. Of course, the basics remain important: for example, strong, frequently changed email passwords, and responding to emails not by hitting “reply” but by using email addresses already on file.8
Businesses may also wish to consider helping authorities pursue hackers by reporting successful attacks and attempts that were recognized in time. In the U.S., the FBI recommends a business immediately contact its own financial institution as well as the FBI’s Internet Crime Complaint Center (IC3).
One final point: some companies believe insurance will cover losses from international wire fraud, but most cyber insurance carriers do not cover wire transfer fraud. As companies work to improve training, processes and technologies, they may wish to check their cyber insurance coverage, too.
Online international wire transfer fraud is growing problem. But businesses can take steps to protect themselves from becoming wire fraud victims. They can train employees to recognize the signs of international wire transfer fraud and can take multiple countermeasures, such as multi-factor authentication.
Bill Camarda is a professional writer with more than 30 years’ experience focusing on business and technology. He is author or co-author of 19 books on information technology and has written for clients including American Express Private Bank, Ernst & Young, Financial Times Knowledge and IBM.
1. “FBI Warns of Dramatic Increase in Business E-Mail Scams”, FBI; https://www.fbi.gov/contact-us/field-offices/phoenix/news/press-releases/fbi-warns-of-dramatic-increase-in-business-e-mail-scams.
2. 2014: A Year of Mega Breaches, Ponemon Institute; http://www.ponemon.org/local/upload/file/2014%20The%20Year%20of%20the%20Mega%20Breach%20FINAL3.pdf.
3. "Combating the New Scam - Business Email Compromise", Cyber Security trend; http://www.cybersecuritytrend.com/topics/cyber-security/articles/419144-combating-new-scam-business-email-compromise.htm
4. "How to Avoid or Respond to Wire Transfer Fraud", Bryan Cave; https://www.bryancave.com/en/thought-leadership/wire-transfer-fraud-at-a-glance.html
5. "FBI: $1.2B Lost to Business Email Scams", Krebs on Security; https://krebsonsecurity.com/2015/08/fbi-1-2b-lost-to-business-email-scams/
6. "Beyond Spear Phishing: How to Address Whaling and More", Government Technology; http://www.govtech.com/blogs/lohrmann-on-cybersecurity/beyond-spear-phishing-how-to-address-whaling-and-more.html
7. FFIEC Supplement to Authentication in an Internet Banking Environment; http://ithandbook.ffiec.gov/media/153051/04-27-12_fdic_combined_fil-6-28-11-auth.pdf
8. "How to Avoid or Respond to Wire Transfer Fraud", Bryan Cave; https://www.bryancave.com/en/thought-leadership/wire-transfer-fraud-at-a-glance.html