Impostor fraud

Virginia Government Finance Officers’ Association

May 2016

© 2015 Wells Fargo Bank, N.A. All rights reserved. Member FDIC.

Do you know whom you're paying?


Jamie Wells Senior Vice President Ethnography Team Manager Wells Fargo


"The amount we lost from impostor fraud was nearly the same as our annual earnings."


5 seconds

2 hours

30 days

Tens of millions


Agenda

What impostor fraud is

How fraudsters get away with it: tricks and red flags

Best practices for fighting impostor fraud

What to do if you suspect fraud

Q&A


What is impostor fraud?


Impostor fraud

The fraudster:

Poses as a person or entity you know and trust.

Contacts you by email, phone, fax, or mail.

Requests a payment, submits an invoice, or asks to change vendor payment instructions.

If you fall for the scam, any payments you send go to the fraudster — not where you intended.


"It was spooky. How did they know our payment process?"


Executive impostor fraud

The fraudster:

Poses as your CEO, CFO, controller, or company owner.

Emails or calls you.

Asks you to send payments outside of normal channels – and usually by wire.

May ask you to:

– Keep the payment confidential.

– Reply once you've sent payment.


Executive impostor fraud (continued)

What fraudsters hope to take advantage of

Executive requests will not be questioned.

Executives are often unavailable to verify requests.


"The email address was exactly the same as our vendor's email address."


Vendor impostor fraud

The fraudster:

Poses as vendor, supplier, or other business partner.

Contacts you by email, fax, phone, or mail.

Asks to change their bank account information — "We need to receive payments to this new account."

Or sends an invoice that appears to be legitimate.


Vendor impostor fraud (continued)

What fraudsters hope to take advantage of

Companies often change vendor bank account information based solely on an email, fax, or call that appears to be from the vendor.

Companies often don't call back a trusted source at the vendor to authenticate a request.


Contact by email


Example of executive email spoofing


Checking for a spoofed email by hitting reply

Warning: Do not actually reply. You’d be replying to the fraudster.


Email hacking

The fraudster:

Takes over full access to the email account.

Can study email patterns, check calendars.

Can send emails from the user's account undetected.

– Will intercept a reply to a hacked email and continue to perpetrate the scheme.


Contact by phone


Contact by phone

The fraudster:

Finds a company's 800 number, calls it, and asks for accounting.

Impersonates an executive, owner, or vendor.

Makes up stories about why a new payment is needed or asks to change current bank payment instructions.

– Account reached credit limit, account under audit, etc.

Will go so far as to send a follow-up email for backup.


Impostor fraud is different

It's highly scalable — multiple companies attacked at once.

Companies are not prepared: You follow similar procedures.

Fraudsters don't steal online banking credentials and make payments (like in account takeover fraud).

– Instead, your authorized users make and authorize payments. Payments look normal to your bank.

It's not quickly identified — and it's hard to recover funds, especially if sent by wire.


And the biggest difference is …

Fraudsters are willing and ready to interact with you. They anticipate you may question the request.

They're prepared to respond to your follow-up emails and phone calls.


How fraudsters get away with it


Executives make perfect targets to impersonate

Always on the move

At the top of the approval hierarchy

May occasionally request ad hoc payments

Can be very demanding

Business needs trump accounting rules


Company executives should communicate with and assure their back-office staff that it's OK and even expected to question any payment requests.


Vendors also impersonated

You have no way to authenticate vendors.

– How many vendors does your accounting staff actually know?

– Vendors often supply new account numbers.

You rely heavily on email with vendors.


Human (staff) behavior

Rote processing, trying to get the work done

Conditioned to process, not necessarily to question

Desire to please

– Reluctant to question authority/fear of consequences

– Want to do a good job for the executive


Human (staff) behavior ― continued

Lack a direct relationship with a company executive or vendor

– With vendors, usually the buyer, supply chain manager, or account manager owns the relationship ― not AP

AP staff usually just process the payments


Common denominators

Payment is to a new beneficiary/bank account

Payment is an exception from the norm

Fraudster counts on request not being verified with trusted source


Impostor fraud red flags

Red flags

Request to remit payment to new/different bank account you've never sent money to before

Request to remit payment to new/different country you've never sent money to before

Request for secrecy around payment (confidential/top secret)

Switch from commercial beneficiary to individual beneficiary: XYZ Manufacturing vs. Jane Smith

Slightly blurred logo on vendor letterhead or invoice indicating item may have been altered


Impostor fraud red flags (continued)

Red flags

For email spoofing, subtle changes to company name in the email, such as: ABCadditive.com vs. ABCaddiitive.com

Change in email address from a company domain to a public domain (e.g., @yahoo.com and @gmail.com)

Writing style may be off: either more formal than usual or less formal than usual — e.g., Jonathan vs. Jon

Warning: If the email has been hacked, all email addresses will appear legitimate.
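
The email red flags above, together with the reply check from the earlier slide, can be automated as a header check. This is an added example, not part of the original presentation; the on-file domain list, the public-provider list and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed inputs (constructed): domains on file for known vendors and
# executives, and a short list of public mail providers.
DOMAINS_ON_FILE = {"abcadditive.com"}
PUBLIC_DOMAINS = {"yahoo.com", "gmail.com"}

# Constructed sample messages, not real mail.
SPOOFED = ("From: Accounts <billing@abcaddiitive.com>\n"
           "Subject: Updated bank details\n\nPlease use the new account.\n")
REPLY_TRICK = ("From: CFO <cfo@abcadditive.com>\n"
               "Reply-To: cfo.office@gmail.com\n"
               "Subject: Urgent wire\n\nKeep this confidential.\n")


def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lowercased domain of an address header; '' when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def red_flags(raw_message):
    """Return the slide's email red flags that the message headers show."""
    msg = message_from_string(raw_message)
    sender = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To"))
    flags = []
    if sender in PUBLIC_DOMAINS:
        flags.append("public-domain sender")
    elif sender not in DOMAINS_ON_FILE:
        # One or two character edits away from a domain on file.
        near = sorted(d for d in DOMAINS_ON_FILE if edit_distance(sender, d) <= 2)
        if near:
            flags.append("lookalike of " + near[0])
    # What "hitting reply" reveals, without replying: where the answer would go.
    if reply_to and reply_to != sender:
        flags.append("reply goes to a different domain")
    return flags


if __name__ == "__main__":
    for raw in (SPOOFED, REPLY_TRICK):
        print(red_flags(raw))
```

A message sent from a hacked mailbox passes all three checks, which is the case the warning above covers, so verification with contact information on file is still required.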


If something doesn't seem right, it probably isn't.


Best practices for fighting impostor fraud


Alert and educate your executives and staff

Executives

Alert them that fraudsters are taking advantage of execs' company titles and positions of authority without their knowledge.

AP staff

Your AP staff initiates payments and can be targeted directly. Ensure they're empowered to authenticate payment requests or changes to account information.


Alert and educate your internal business partners and vendors

Internal business partners

Educate all groups that communicate with vendors. Alert lines of business that receive/approve invoices then send to AP for processing.

IT

Ask your IT partners if they can block spoofed emails.

Vendors

Tell vendors you'll no longer accept changes to bank account information by email. Warn them they're targets, too.


Authenticate payment requests

Always authenticate requests:

– Received by email.

– Made outside your company's normal channels.

– Made to accounts or countries you've never sent money to.

– That ask to change a vendor's payment remittance information.

If a request comes by email, fax, or mail, verify it with a phone call. If it comes by phone, verify it by email.


Authenticate payment requests (continued)

Use contact information on file to verify the requestor.

– Never use the information that comes with the request. It's fraudulent, too.

Prohibit executive payment requests made by email.

– Encourage staff to contact executives directly to verify requests.

If you don't authenticate vendor or executive requests, audit requests several months back.

– You could be a fraud victim and not know it.


Use dual custody, but …

The initiator and the approver must:

– Pay close attention to payment details — not just give them a rubber stamp.

– Authenticate the request before they initiate or before they approve to ensure it's not fraudulent.

Require a third-level review for any payments to a new beneficiary.


Monitor your accounts daily

The sooner you spot a fraudulent transaction, the sooner you can start your recovery efforts and take steps to help ensure you don't become a victim again.


Make fraud mitigation part of your business culture

Fraud continues to evolve …


Call to action

Help increase awareness of impostor fraud.

As soon as possible, meet with your:

AP staff and internal partners. Any group could be an entry point for a fraudster.

Executives. Make them aware of the threat and ask them to support necessary changes to mitigate risk.

Peers. Contact them to help spread the word.

Take action now! You can't afford to wait or do nothing.

Share this presentation with anyone you think should be aware of the threat.


Helpful information about impostor fraud

Three-part Wells Fargo YouTube video series

Treasury Insights website articles and videos

https://treasuryinsights.wellsfargotreasury.com


If you suspect impostor fraud

Immediately contact your client services officer and tell them you suspect fraud, or call: 1-800-AT-WELLS


Q&A


For more information

Visit the Fraud Protection page on Treasury Insights treasuryinsights.wellsfargotreasury.com

For your questions and comments, please email us: [email protected]