Masquerading caution: Always double-check payment instructions
I’ve been blogging about masquerading for some time now. It’s the increasingly popular wire transfer scam where criminals impersonate a company executive or a known vendor to entice a business to transfer money to a fraudulent account.
I can’t emphasize enough just how prevalent it is, with losses estimated at over $1 billion last year. A short while ago, news emerged that another major U.S. corporation had fallen victim.
In this particular case, email alone was accepted as sufficient to transfer a large sum of money. While social engineering by the fraudsters means that these requests can be very convincing, it’s always advisable to double-check instructions and not take them at face value.
Here are a few reminders.
What is masquerading?
Masquerading is a combination of social engineering and a confidence scam, using high-tech tools. The hackers impersonate someone you or your business knows, such as the CEO or CFO, or a vendor the company does business with. They phone or email someone in the company — for example, the controller — requesting a wire transfer. The controller, believing the email or phone call to be legitimate, contacts the bank to request the wire transfer.
Help to thwart masquerading attempts
One of your best protections against masquerading and other types of wire fraud is having sound procedures, such as dual authorization for large transactions, and to back up those procedures by training team members so they recognize the signs of suspicious activity.
Here are some additional tips to help you:
1) Ensure the request to initiate a wire transfer is legitimate. Use an alternate mechanism to verify the identity of the person requesting the funds transfer. If the request is via email, then call and speak to the person. If via phone, use email to confirm.
2) Double- and triple-check email addresses. Emails from fraudsters’ domains may have slightly modified email addresses so an employee does not notice that the message is not from the correct company. Create intrusion detection system rules that flag e-mails with extensions that are similar to company email but not exactly the same. For example, .co instead of .com.
3) Verify changes in vendor payment location. Make sure that changes in vendor payment arrangements are flagged and double- or triple-checked for authenticity.
4) Use a multi-person approval process for transactions above a certain dollar threshold. Two or more approvals are preferable to protect against internal and external fraud.
5) Be suspicious of confidentiality. Whenever wire transfer instructions specify to keep the transaction secret, you should verify the legitimacy of this request. Speak to the executive or manager requesting the transaction. If you still have doubts, speak to another senior executive.