Mon, Nov 23, 2015
One of the greatest worries for companies, however, is the possibility that they were being targeted from the inside.
In each case where Kroll was retained, the perpetrators seemed to have an uncanny knowledge of the victimized company, including its corporate structure, such as names and positions of executives as well as employees within the treasury and accounting functions. This in-depth knowledge triggers concerns regarding internal involvement or collusion. However, companies should also realize that the use of social media, professional networking sites such as LinkedIn and a company’s own website can make it easy to ascertain information about the company’s executives and how the company operates.
The fraud usually starts with a single email—often ostensibly from a senior executive—requesting a wire transfer. In most cases, the email contains a chain with what appears to be legitimate prior communications between senior executives, thereby strengthening the credibility of the message. Bolstered by this apparently legitimate string of executive communications, it is not unusual for the recipient to confirm and facilitate the fraudulent transfer request.
One mechanism used to carry out the fraud is to slightly modify the domain name in a manner that will usually go undetected by the recipient. For example, the perpetrator would use “@krolll.com” instead of “@kroll.com”. It’s easy to see in a case like that how a recipient could miss the different spelling, especially if the sender is a senior executive.
Growing and Widespread Problem
In 2014, wire transfer fraud was the number one mass-marketing fraud (MMF), as calculated by dollar loss, reported to the Canadian Anti-Fraud Centre (CAFC), to the tune of more than $22 million. “Only one to five percent of MMF victims report to the CAFC,” says Daniel Williams of the Royal Canadian Mounted Police, who is senior call taker supervisor at the CAFC. “So, sadly, we are all too certain the actual numbers are much higher.” The second most-reported fraud in 2014, for comparison, involved dollar losses of just under $13 million. The problem is prevalent enough that, in early 2014, the Toronto Police Service issued a news release warning companies and individuals of “a number of incidents [requesting] large sums of money to be transferred by email.”
In the U.S., the scam is known as a business email compromise (BEC). According to a January 2015 alert from the FBI, it had received BEC complaints from every state and 45 countries. The total dollar loss between October 2013 and December 2014, based on the cases of which it was aware, was approximately $179.75 million in the U.S., and a combined loss of almost $215 million worldwide. “The FBI assesses with high confidence the number of victims and the total dollar loss will continue to increase,” the alert said.
A Simple but Sometimes Compromised Solution
The way to combat wire transfer fraud would seem quite clear, straightforward and obvious: put in place proper policies and procedures. Indeed, having these policies and procedures is critical, but wire fraud highlights a persistent security weakness—our human nature. Often, security controls are overridden through social engineering simply due to our desire to please others, particularly those in positions of authority. In the cases we’ve seen, when employees receive requests from senior executives, the motivation to assist the person higher in rank outweighs the need to stop and validate that the request is legitimate.
The way to combat this possibility is for a company’s most senior managers to make it absolutely clear to everyone involved in approving wire transfers that no one, no matter their rank, can override policies or proper procedures. When that message is communicated clearly, the chance of being defrauded in this manner is reduced significantly.
Red flags to identify potentially fraudulent wire transfer requests
Five Strategies to Avoid Fraudulent Wire Transfers
An organization can employ strategies over and above basic internal controls to avoid processing fraudulent wire transfers.