Recent guidance from the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the FBI suggests that Business Email Compromise (BEC) that leads to fraudulent wire transactions remains a significant threat to the industry. While the controls listed in the June 19th Fraud Alert were primarily directed at executives, Advisors and other financial services firms would be wise to review and understand the controls suggested and to consider additions to their wire processes, if they determine that risks to their process exist.
The June 19th Fraud Alert (available here) lists a number of mitigation steps that should be considered by any firm that employs wire transactions. All firms and executives should consider potential vulnerabilities in the wiring process and potential sources of fraud. Key attack vectors can be via compromised employee or executive credentials, compromised customer credentials, or compromised vendor credentials. It is important to remember that thieves will attempt to access funds by whatever means possible, so it is essential that wire policies and procedures be extended to cover all potential avenues, not just the execution of customer funding requests.
Several key mitigation steps are listed below. We recommend that you consider these steps in light of your potential risks. This is a brief list and you may find other steps to be more prudent or more easily implemented within your individual firm’s structures or risk parameters. These points are merely a starting point.
- If your firm does not permit wire transactions, this prohibition should be clearly stated and understood by all employees and executives so that any attempted fraud can be easily detected (no one should be requesting a wire in the first place), easily stopped (as no wires are permitted), and immediately responded to (by determining the compromised credentials and securing them as necessary).
- Verify changes in payment instructions via out-of-band communications (using a pre-established phone number or other means).
- Utilize the principle of least-access to limit the number of employees who are authorized to execute wire transfers. We would recommend that this control include restrictions at the bank level, not just at the procedural level.
- Consider utilization of a single-use PIN for authorization of wire transfer requests from executives. When utilizing such a system, care should be taken to transmit the PIN only via a previously approved method (such as texting to a pre-established cell phone number). Also, remember to utilize multiple communications channels. Your procedures should require initiation of the wire via one method and validation via another. If a wire is requested via email, confirmation should be obtained via text or verbal communication, not through email.
- Consider dual approval for any “out of the ordinary” transactions. These can include wires to new wiring partners, or transactions that exceed a specified dollar amount.
- Finally, empower your wiring-authorized employees to “just say no.” Employees should have a clear understanding that they should not feel pressured by anyone to execute a wire outside of standard protocols, and that there will not be ramifications for such diligence. It is always easier to send a wire a day later than recover funds once they have been transmitted.
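The procedural controls above (a firm-wide prohibition, out-of-band verification of changed instructions, least access, separate channels for request and confirmation, and dual approval for new partners or large amounts) can be expressed as a single pre-release screen. The following is an added illustration, not code from the original advisory or from any firm; the dollar threshold, channel names, partner list and sample requests are all constructed for the example.

```python
"""Pre-release screen for wire requests that encodes the controls above.

Hypothetical example: the threshold, channel names and sample data are
constructed, not taken from the advisory.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumed threshold above which a second approver is required.
DUAL_APPROVAL_THRESHOLD = 25_000.00


@dataclass
class WireRequest:
    request_id: str
    requester: str                       # employee asking for the wire
    beneficiary: str                     # payee / wiring partner identifier
    amount: float
    request_channel: str                 # channel the request arrived on (e.g. "email")
    confirmation_channel: Optional[str] = None   # channel the confirmation came over
    confirmation_via_contact_on_file: bool = False  # used a pre-established number/address
    instructions_changed: bool = False   # payment instructions differ from the record
    change_verified_out_of_band: bool = False
    approvers: List[str] = field(default_factory=list)


def screen_wire(req: WireRequest,
                authorized_senders: Set[str],
                known_partners: Set[str],
                wires_permitted: bool = True,
                threshold: float = DUAL_APPROVAL_THRESHOLD) -> List[str]:
    """Return the list of control failures; an empty list means the wire may be released."""
    # Firm-wide prohibition: any request at all is a red flag, so stop here.
    if not wires_permitted:
        return ["firm policy prohibits wires; treat the request as a suspected credential compromise"]

    failures = []

    # Least access: only named employees may execute wires.
    if req.requester not in authorized_senders:
        failures.append("requester is not on the authorized wire list")

    # Separate channels: confirmation must exist, must not reuse the request
    # channel, and must go to a pre-established contact.
    if req.confirmation_channel is None:
        failures.append("no confirmation received")
    else:
        if req.confirmation_channel == req.request_channel:
            failures.append("confirmation used the same channel as the request")
        if not req.confirmation_via_contact_on_file:
            failures.append("confirmation did not use a pre-established contact")

    # Changed payment instructions must be verified out-of-band.
    if req.instructions_changed and not req.change_verified_out_of_band:
        failures.append("changed payment instructions not verified out-of-band")

    # Dual approval for "out of the ordinary" wires: new partner or above threshold.
    if req.beneficiary not in known_partners or req.amount > threshold:
        distinct_approvers = {a for a in req.approvers if a != req.requester}
        if len(distinct_approvers) < 2:
            failures.append("dual approval required (new partner or above threshold) but not met")

    return failures


if __name__ == "__main__":
    # Constructed sample data.
    senders = {"alice"}
    partners = {"ACME-OPS"}
    routine = WireRequest("W-1", "alice", "ACME-OPS", 5_000.00, "email", "phone", True)
    same_channel = WireRequest("W-2", "alice", "ACME-OPS", 5_000.00, "email", "email", True)
    new_partner = WireRequest("W-3", "alice", "NEWCO", 5_000.00, "phone", "text", True,
                              approvers=["alice", "bob"])
    for r in (routine, same_channel, new_partner):
        result = screen_wire(r, senders, partners)
        print(r.request_id, "RELEASE" if not result else "HOLD: " + "; ".join(result))
```

The screen is deliberately conservative: any failure holds the wire, and the "no wires permitted" case short-circuits before the other checks so that the request itself is treated as the incident.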
From a technology standpoint, securing access to corporate email can prevent such attempted fraud before it begins. Your firm-wide password policy should, at the very least, require:
- Complex passwords;
- Regular updates to passwords; and
- Restrictions on reuse of passwords.
Remember, as well, that even if your firm maintains a strong password policy, your vendors or clients may not have the same controls. Your staff and executives must all work together as a team to ensure that all transfers are handled securely and according to a well thought-out and executed program. As always, you must consider risks unique to your business and any changes as they occur.
The steps outlined above are just a starting point in developing secure wiring practices. Should you have any questions regarding implementing or validating such a policy, please feel free to contact Lyman@ArtemisSecure.com or call us at 860-248-4100. We look forward to speaking with you.
For Further Reading:
Fraud Alert – Business Email Compromise Continues to Swindle and Defraud U.S. Businesses.