Scammers are successfully targeting companies with an email scam that leads to wire transfer fraud. Here are some common methods:
Other versions of this scam rely on malware installed on the company's systems after an employee clicks a link to a compromised website sent to them by email (phishing), though this method is less common. Whatever the method, employees, especially those with the authority to request, approve, or execute wire transfers, need to be on guard.
The people perpetrating these frauds frequently research employees’ responsibilities so they know who to target, and often gather information to try to make the wire transfer request as believable as possible. For example, they may research the executive’s schedule using public information or by making inquiries of the executive’s assistant with the goal of sending the fraudulent emails when the executive is out of town and cannot be easily reached for verification.
Although some of the fraudulent requests are for millions of dollars, they can just as often be for smaller amounts. Since many companies have stricter controls (like dual approvals) for amounts over a certain dollar threshold, the scammers often submit requests for lower amounts hoping the looser controls will raise the success rate of their scam. If the scammer is successful in a preliminary request, they may continue to submit additional requests until the scam is detected.
Once funds have been wired, recovering the stolen funds may be possible if the scam is detected within the first 24 to 48 hours, and often only with the help of law enforcement. Controls can help stop these scams in their tracks: IT controls that keep the scammer out of the system, purchasing controls that validate changes in vendor payment information or the setup of new vendors, and treasury controls that require multiple approvals of wire transfers. But a culture that encourages a questioning mindset is also important, especially when it comes to investigating requests from executives that are unusual or unexpected. Encouraging (or requiring) the receiver of a wire transfer request to confirm its validity via phone (using a number they know to be valid, not one that was included in the email) can go a long way toward protecting the company’s assets.
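The purchasing and treasury controls described above can be expressed as a simple policy check on each wire request. The following Python is an added example written for this page, not PwC's code or any bank's system; the threshold, lookback window, vendor grace period, vendor records and request history are all constructed for illustration. It goes one step beyond the text by applying the dual-approval threshold to the cumulative amount sent to a destination account within a window, so that several sub-threshold requests to the same new account are treated as one large payment, and it refuses any payment to an account that differs from the vendor master unless someone has confirmed it by phone to the number on file.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy values are assumptions for this example, not figures from the article.
DUAL_APPROVAL_THRESHOLD = 50_000.00      # amount at or above which two approvers are required
AGGREGATION_WINDOW = timedelta(days=7)   # lookback used to catch one payment split into several
NEW_VENDOR_GRACE = timedelta(days=30)    # vendors set up more recently than this need a callback


@dataclass(frozen=True)
class Vendor:
    name: str
    account: str        # bank account from the vendor master record
    phone_on_file: str  # callback number from the master record, never from an email
    created: datetime


@dataclass(frozen=True)
class WireRequest:
    id: str
    vendor: str
    account: str
    amount: float
    requested_at: datetime
    requested_by: str
    approvers: tuple
    callback_verified: bool  # True only if someone phoned vendor.phone_on_file and confirmed


@dataclass
class Decision:
    request_id: str
    approved: bool
    reasons: list  # blocking reasons; empty when the request may proceed


def cumulative_amount(req, history):
    """This request plus earlier requests to the same destination account inside the window."""
    since = req.requested_at - AGGREGATION_WINDOW
    prior = sum(h.amount for h in history
                if h.account == req.account and since <= h.requested_at <= req.requested_at)
    return prior + req.amount


def evaluate(req, vendors, history):
    reasons = []
    vendor = vendors.get(req.vendor)

    # Purchasing control: an unknown vendor is never paid on the strength of an email.
    if vendor is None:
        return Decision(req.id, False, ["vendor not in master record; set-up must be validated first"])

    # Purchasing control: changed bank details or a newly created vendor must be confirmed
    # by phone to the number on file (not a number supplied in the request).
    changed_account = req.account != vendor.account
    new_vendor = req.requested_at - vendor.created < NEW_VENDOR_GRACE
    if (changed_account or new_vendor) and not req.callback_verified:
        why = "changed bank details" if changed_account else "recently created vendor"
        reasons.append(f"{why}: callback to number on file not performed")

    # Treasury control: dual approval on the cumulative amount to this account, so that
    # several requests each below the threshold do not slip past the looser single-approval path.
    total = cumulative_amount(req, history)
    distinct = {a for a in req.approvers if a != req.requested_by}
    if total >= DUAL_APPROVAL_THRESHOLD and len(distinct) < 2:
        reasons.append(f"cumulative {total:,.2f} to this account within window requires two approvers")
    elif len(distinct) < 1:
        reasons.append("no approver other than the requester")

    return Decision(req.id, not reasons, reasons)


# Constructed sample data: one long-standing vendor, and two earlier sub-threshold wires
# already sent to an account that is not the one on file for that vendor.
NOW = datetime(2017, 3, 1, 10, 0)
VENDORS = {
    "Acme Supplies": Vendor("Acme Supplies", "ACCT-1111", "+1-555-0100", datetime(2015, 6, 1)),
}
HISTORY = [
    WireRequest("W-101", "Acme Supplies", "ACCT-9999", 30_000.0, NOW - timedelta(days=3),
                "cfo", ("ap.clerk",), True),
    WireRequest("W-102", "Acme Supplies", "ACCT-9999", 30_000.0, NOW - timedelta(days=1),
                "cfo", ("ap.clerk",), True),
]


if __name__ == "__main__":
    third = WireRequest("W-103", "Acme Supplies", "ACCT-9999", 30_000.0, NOW,
                        "cfo", ("ap.clerk",), False)
    d = evaluate(third, VENDORS, HISTORY)
    print(d.request_id, "approved" if d.approved else "blocked", d.reasons)
```

The third request is for 30,000, below the per-request threshold, but the window total to that account is 90,000, so the single approver is no longer enough, and because the account is not the one on file and no callback was made, the request is blocked on that ground as well. Both reasons are reported so the approver can see exactly which control tripped.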
Contact your local FBI or U.S. Secret Service office immediately to report a “business email compromise” scheme. Also contact both your financial institution and the receiving financial institution to request that they halt or unwind the transfer. Seek advice from counsel about any legal obligations or protections you may have related to this situation, such as potential insurance coverage for any loss. Finally, change your controls to minimize the risk of something similar happening again, and don’t think you need to sweep it under the rug. Making sure that employees know about the scam, how it was perpetrated, and that they can be a gateway for the scammer is important in motivating employees to remain vigilant.
To have a deeper discussion of how to protect against business email compromise, please contact:
© 2016 - 2017 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.