Funds Transfer Fraud, Social Engineering, & Invoice Manipulation

Funds Transfer Fraud is a type of cyberattack that redirects seemingly legitimate company payments to cybercriminals. This type of fraud is accomplished through social engineering techniques that prey on our inherent sense of trust, typically originating from email spoofing or spear phishing.

Funds Transfer Fraud is a significant business for cybercriminals, and without the right protocols in place, companies are vulnerable to sending massive payments with devastating financial consequences.

Social Engineering (Company/Employee Sends Funds)

The most common type of funds transfer fraud involves a social engineering attempt where an email is sent to a specific employee, such as the controller, posing as an executive and demanding immediate payment of a bill or invoice. The attacker might research the executive's behavior online and carefully craft the payment request email to make it look as authentic as possible. Once the company realizes the funds have been fraudulently transferred, it's often too late. Adequate stand-alone cyber insurance covers this type of attack, giving you protection and peace of mind.

Invoice Manipulation (Client/Vendor/Customer Sends Funds)

A scarier and more complex form of funds transfer fraud is Invoice Manipulation. With Invoice Manipulation, an attacker gains access to a company email account, typically through phishing, and sends an authentic email to an outside party requesting payment for a fraudulent invoice. Having reviewed correspondence in the hacked email account, attackers will often mimic the sender's behavior to make the request look authentic. When the company follows up for the original invoice payment at a later date, the fraud is discovered and the funds are long gone.

Most Stand-Alone Cyber Insurance policies have quickly responded to this threat and now provide coverage for invoice manipulation. However, outdated coverage forms and packaged policies might only respond to funds transferred by employees, potentially leaving businesses uninsured.

Prevention Techniques

  • Dual Control: Implement controls that require two individuals to authenticate funds transfers internally, through your financial institution, or ACH/Wire Transfer partner.
  • When receiving payment requests through email, simply pick up the phone to validate them with the sender or an executive at the company.
  • Verify that the sender's email address is valid and review the message for grammatical errors or inconsistencies. If your gut tells you it's fraudulent, question the authenticity.
  • Ask your clients, vendors, or customers to validate invoice requests sent through email, especially if that's not your company's typical payment method.

This article is made available for informational purposes and is not intended to be a substitute for professional or legal advice. No attorney-client relationship is formed or implied between you and the author(s) or Cyber Armada Insurance.

Posted by Cyber Armada Team on Jun 10, 2020
