Funds Transfer Fraud, Social Engineering, & Invoice Manipulation
Funds Transfer Fraud is a type of cyberattack that redirects seemingly legitimate company payments to cybercriminals. It is accomplished through social engineering techniques that exploit our inherent sense of trust, and it typically begins with email spoofing or spear phishing.
Funds Transfer Fraud is a significant business for cybercriminals, and without the right protocols in place, companies are vulnerable to sending massive payments with devastating financial consequences.
Social Engineering (Company/Employee Sends Funds)
The most common type of funds transfer fraud involves a social engineering attempt in which an email is sent to a specific employee, such as the controller, posing as an executive who demands immediate payment of a bill or invoice. The attacker may research the executive's behavior online and carefully craft the payment request to look as authentic as possible. By the time the company realizes the funds were fraudulently transferred, it is often too late to recall them. Adequate stand-alone cyber insurance covers this type of attack, giving you protection and peace of mind.
Invoice Manipulation (Client/Vendor/Customer Sends Funds)
A scarier and more complex form of funds transfer fraud is Invoice Manipulation. With Invoice Manipulation, an attacker gains access to a company email account, typically through phishing, and sends an authentic-looking email to an outside party requesting payment of a fraudulent invoice, usually to bank details the attacker controls. Having reviewed correspondence in the compromised account, attackers will often mimic the sender's writing style and timing to make the request look genuine. Because the message really does come from the company's own mailbox, checks on the sender's address will not catch it. When the company follows up on the original invoice at a later date, the fraud is discovered and the funds are long gone.
Most Stand-Alone Cyber Insurance policies have quickly responded to this threat and now provide coverage for invoice manipulation. However, outdated coverage forms and packaged policies might only respond to funds transferred by employees, potentially leaving businesses uninsured.
- Dual Control: Implement controls that require two individuals to authorize funds transfers, whether internally, through your financial institution, or through your ACH/Wire Transfer partner.
- When receiving payment requests through email, simply pick up the phone to validate them with the sender or an executive at the company. Use a phone number you already have on file, never one supplied in the email itself.
- Verify that the sender's actual email address (not just the display name) is the one you expect, watch for lookalike domains and a Reply-To that points elsewhere, and review the message for grammatical errors or inconsistencies. If your gut tells you it's fraudulent, question its authenticity.
- Ask your clients, vendors, or customers to validate invoice requests sent through email, especially when the request changes bank details or uses something other than your company's typical payment method.
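The sender-address and bank-detail checks above can be automated as a first-pass triage of incoming payment requests. The following is an added example written for this page, not code from the original article: it parses an email's headers, flags a display name that claims a different address than the real sender, a Reply-To that diverts replies elsewhere, a sender domain that imitates a trusted vendor (including "rn" for "m" style lookalikes), and any request to change banking details. The trusted-domain list, the confusable-character table, the phrase list and the four sample messages are all assumptions constructed for the example.

```python
"""Triage payment-request emails for the warning signs described above.
Added example; the trusted domains, phrase list and sample messages are
constructed for illustration, not taken from the article."""
import difflib
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Assumed allow-list of vendor/partner domains that legitimately send invoices.
TRUSTED_DOMAINS = {"acme-supply.com", "example.com"}

# Character substitutions typical of lookalike domains; both sides of a
# comparison are normalized so "acrne" and "acme" collapse to the same string.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("l", "i"))

# Phrases that should trigger an out-of-band phone check regardless of sender,
# because a compromised but genuine mailbox passes every address check.
BANK_CHANGE_PHRASES = ("new bank", "updated bank", "new account",
                       "wire instructions", "change of bank")


def normalize(domain: str) -> str:
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted):
            return trusted
        if difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85:
            return trusted
    return None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> List[str]:
    """Return a list of findings; an empty list means no warning sign fired."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. Display name carries an address that differs from the real sender.
    name_dom = domain_of(from_name)
    if name_dom and name_dom != from_dom:
        findings.append(f"display-name spoof: shows {from_name!r} but sent from {from_addr}")
    # 2. Replies are diverted to a different mailbox.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"reply-to mismatch: {from_addr} -> {reply_addr}")
    # 3. Sender domain imitates a trusted one, or is simply not on the list.
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"lookalike domain: {from_dom} resembles {imitated}")
    elif from_dom not in TRUSTED_DOMAINS:
        findings.append(f"untrusted domain: {from_dom}")
    # 4. A change of banking details is requested.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(p in text for p in BANK_CHANGE_PHRASES):
        findings.append("bank detail change requested: verify by phone on a known number")
    return findings


# Constructed sample messages (not real correspondence).
LEGIT = ("From: Accounts <billing@acme-supply.com>\n"
         "Subject: Invoice 1042\n\n"
         "Please find attached invoice 1042, due in 30 days.\n")
LOOKALIKE = ("From: Accounts <billing@acrne-supply.com>\n"
             "Subject: Invoice 1042\n\n"
             "Please remit invoice 1042 to our new bank account, details attached.\n")
SPOOF = ('From: "ceo@example.com" <random123@gmail.com>\n'
         "Reply-To: attacker@mail.ru\n"
         "Subject: Urgent wire today\n\n"
         "I need this paid before noon, wire instructions below.\n")
COMPROMISED = ("From: Accounts <billing@acme-supply.com>\n"
               "Subject: Updated bank details for invoice 1042\n\n"
               "We have changed banks; please use the updated bank details attached.\n")

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("lookalike", LOOKALIKE),
                       ("spoof", SPOOF), ("compromised", COMPROMISED)]:
        print(label, "->", check_message(raw) or "no findings")
```

Note that the fourth sample, a genuine vendor mailbox asking for updated bank details, produces only the bank-detail finding: that is the Invoice Manipulation case, and it is why the phone call on a known number is the control that matters, not the address check.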