Understanding and Preventing Imposter Fraud Schemes

When cyber attackers pose as the CEO,
will your business be ready?

2019 Alliance sponsor feature article courtesy of First Citizens Bank

Imposter fraud — in which a criminal poses as an executive, vendor or other trusted entity in order to steal company funds — is a fast-growing threat to businesses. Last year, one form of imposter fraud, business email compromise (BEC), affected nearly 80 percent of businesses surveyed by the Association for Financial Professionals. In total, firms have been hit with more than $5 billion in costs from BEC schemes, according to FBI figures.

Companies of all sizes and in virtually all industries are potential targets for these sorts of attacks. Imposter fraud is very different from a fraudster stealing online banking credentials and using the data to make fraudulent payments. With this type of scheme, your organization’s authorized users make the payments, so they look like normal transactions to your bank. This typically means the fraud is not quickly identified, which makes it harder to recover the funds, particularly if they are sent by wire.
You can help protect your firm by learning how to recognize fraud attempts and taking steps to improve your security.

Understanding imposter fraud schemes

The first step in preventing BEC and similar schemes is to be able to recognize the common types of scams:

• C-level scheme: A hacker poses as the company’s CEO, CFO or other executive and sends an email from a compromised account, usually to an employee in the finance department, with an urgent request to wire funds. The money is then sent to a bank account under the hacker’s control. Forty percent of BEC scams target CFOs, which is more than any other company role, according to security software provider Trend Micro.
• Vendor impersonation fraud: Posing as a trusted vendor, a fraudster will send an invoice requesting payment. Sometimes, the criminal will have infiltrated the email account of an employee of the company in order to study the pattern of payment requests. The fake invoices will resemble legitimate ones, except for changes in the payment instructions — which allows payment from the company to go directly to the thief.
• Data theft: Unlike imposter fraud focused on wire transfers, this scam relies on gathering employee data by sending emails to the human resources department requesting identifiable information of staff members. This data is then used to commit additional fraud attacks against the business.

Imposter fraud schemes such as BEC typically require time and research on the part of hackers. Once they have gained access to an employee’s email account, they must analyze patterns of fund transfers and identify who normally handles payments and which vendors businesses interact with. This level of familiarity with a company’s business practices and routines can make fraudulent messages particularly convincing.

Preventing imposter scams from harming your business

Implementing strong safeguards can help minimize your risk of falling victim. Consider these steps to help protect your company:

• Verify all requests. Train employees to follow up on any request for fund transfers or changes in payment information through a channel other than the one used to make the original request. If an employee receives an email, they should follow up with a phone call to a previously known number — not the number provided in the email, since it could be fraudulent. Warn employees to be particularly wary of urgent payment requests.
• Warn against oversharing. Encourage employees to exercise caution when sharing work-related or even personal information on social media and other websites. Hackers will often piece together information they find online to learn about employee roles and company happenings like business deals that might coincide with large payments. They can then use this data to make their outreach more convincing.
• Use account controls. Access management features offered by banks allow you to define how transactions proceed and give you additional layers of protection. For example, you might require one employee to initiate a funds transfer and another to approve it. You can also add one-time access codes for extra security, and set up account alerts so that you’re notified of unusual activity or when transactions need your approval.
• Protect your computers and network. Malware is often a key component of BEC scams, so use anti-malware software from a reputable provider that automatically updates to block new threats. Be sure to follow other security best practices as well, such as having a firewall in place to filter traffic to and from your network.
• Review your insurance policy. Knowing what your insurance will cover should your business fall victim to fraud is a great way to prepare for an incident. Talk with your insurance agent to find out how and if your company will be protected. You may need to sign up for a specialized plan as some policies won’t cover fraud instances where an employee unknowingly transfers funds.
• Alert your bank immediately. Be sure to instantly notify your bank should you spot instances of potential fraud. Informing your bank provides an additional layer of protection and security, and it can help you recover from fraud quickly and effectively.

Your banker can also help you explore steps to reduce your fraud risk. For more information, contact Andy Shene, Charlotte Metro Area Executive for First Citizens Bank, 704.338.3926. First Citizens Bank. Forever First®.