‘Email Compromise’ Wire Scheme: Do Fraud Losses Surpass Malware Losses?
May 26th, 2015
There are always new threats that complicate protection of wires. One key fraud trend that we are seeing in commercial banking is often referred to as “business email compromise” (BEC). In this scheme, commercial bank customers are hit with bogus emails, providing requests to change wire instructions. Business email scams are such a problem that the FBI recently issued its own warnings for these. Formerly known as “email in the middle,” this attack particularly targets companies executing wire transfers.
These emails are brilliant social engineering – they appear to be from legitimate sources, such as the company’s CEO or CFO. Customers are urged to create or update wire instructions as directed by the bogus email. As you can imagine, the fraud losses resulting from these events can be quite high. The FBI estimated early this year that the BEC may have cost businesses worldwide $215 million in losses over 14 months, almost $180 million of which was suffered by US businesses alone.
Supporting this trend, our own conversations with financial institution fraud strategy leaders included some interesting findings. Among the relevant points that were raised during our discussions:
- Some large financial institutions indicated that high dollar losses from the business email compromise scheme were higher than overall malware-related losses.
- As with other social engineering-based fraud attacks traditional protections, such as authentication and end-point solutions like device reputation, do not help. The legitimate customer is executing the payment and wants it to go through
- One effective variation on this threat involves manipulating invoices from legitimate vendors to include new payment instructions. The fact that the invoices look legitimate helps fool the commercial user.
- FI’s noted mixed client reactions when their fraud detection systems suspend these wires, and they reach out to the users who created them. In one case, the user still insisted he had an urgent email from his CEO authorizing the payment, and that it must be released because it was so high priority.
The FI’s noted a few approaches that do seem to alleviate this problem. One idea is to encourage their customers to implement email domain-name verification services. These run at the company being attacked and can help stop bogus emails from coming through. In general, the consensus was that behavioral anomaly detection — looking for suspicious patterns related to amounts, new payees, activity to new foreign countries – and customer education are the best defenses.
Here at Nice Actimize we recently added “next gen” capabilities to help address issues like BEC. Rather than simply monitoring the wire once before execution, we can now fully monitor the complete lifecycle of the wire transfer, and determine additional risks that arise during each modification and during approval. We refer to this enhanced capability as “wire versioning” detection. Additionally, we have added enhanced analytics around high dollar, low-volume payments.
We and our financial institution customers are always looking for innovative ways to improve wire transfer fraud detection. Sometimes this journey has extra stops along the way we haven’t planned for – and we know that best practices of fraud detection, particularly when it comes to wire transfers, is constantly evolving.
