impostor fraud - virginia government finance officers ... spring conference... · "it was...
TRANSCRIPT
Impostor fraud
Virginia Government Finance Officers’ Association
May 2016
© 2015 Wells Fargo Bank, N.A. All rights reserved. Member FDIC.
Do you know whom you're paying?
Jamie Wells, Senior Vice President, Ethnography Team Manager, Wells Fargo
"The amount we lost from impostor fraud was nearly the same as our annual earnings."
5 seconds
2 hours
30 days
Tens of millions
Agenda
What impostor fraud is
How fraudsters get away with it: tricks and red flags
Best practices for fighting impostor fraud
What to do if you suspect fraud
Q&A
What is impostor fraud?
Impostor fraud
The fraudster:
Poses as a person or entity you know and trust.
Contacts you by email, phone, fax, or mail.
Requests a payment, submits an invoice, or asks to change vendor payment instructions.
If you fall for the scam, any payments you send go to the fraudster — not where you intended.
"It was spooky. How did they know our payment process?"
The fraudster:
Executive impostor fraud
Poses as your CEO, CFO, controller, or company owner.
Emails or calls you.
Asks you to send payments outside of normal channels – and usually by wire.
May ask you to:
– Keep the payment confidential.
– Reply once you've sent payment.
Executive impostor fraud (continued)
What fraudsters hope to take advantage of
Executive requests will not be questioned.
Executives are often unavailable to verify requests.
"The email address was exactly the same as our vendor's email address."
The fraudster:
Vendor impostor fraud
Poses as vendor, supplier, or other business partner.
Contacts you by email, fax, phone, or mail.
Asks to change their bank account information —
"We need to receive payments to this new account."
Or sends an invoice that appears to be legitimate.
Vendor impostor fraud (continued)
What fraudsters hope to take advantage of
Companies often change vendor bank account information based solely on an email, fax, or call that appears to be from the vendor.
Companies often don't call back a trusted source at the vendor to authenticate a request.
Contact by email
Example of executive email spoofing
Checking for a spoofed email by hitting reply
Warning: Do not actually reply. You’d be replying to the fraudster.
Email hacking
The fraudster:
Takes over full access to the email account.
Can study email patterns, check calendars.
Can send emails from the user's account undetected.
– Will intercept a reply to a hacked email and continue to perpetrate the scheme.
Contact by phone
The fraudster:
Finds a company's 800 number, calls it, and asks for accounting.
Impersonates an executive, owner, or vendor.
Makes up stories about why a new payment is needed or asks to change current bank payment instructions.
– Account reached credit limit, account under audit, etc.
Will go so far as to send a follow-up email for backup.
Impostor fraud is different
It's highly scalable — multiple companies attacked at once.
Companies are not prepared: You follow similar procedures.
Fraudsters don't steal online banking credentials and make payments (like in account takeover fraud).
– Instead, your authorized users make and authorize payments. Payments look normal to your bank.
It's not quickly identified — and it's hard to recover funds, especially if sent by wire.
Fraudsters are willing and ready to interact with you. They anticipate you may question the request.
They're prepared to respond to your follow-up emails and phone calls.
And the biggest difference is …
How fraudsters get away with it
Executives make perfect targets to impersonate
Always on the move
At the top of the approval hierarchy
May occasionally request ad hoc payments
Can be very demanding
Business needs trump accounting rules
Company executives should communicate with and assure their back-office staff that it's OK and even expected to question any payment requests.
Vendors also impersonated
You have no way to authenticate vendors.
– How many vendors does your accounting staff actually know?
– Vendors often supply new account numbers.
You rely heavily on email with vendors.
Human (staff) behavior
Rote processing, trying to get the work done
Conditioned to process, not necessarily to question
Desire to please
– Reluctant to question authority/fear of consequences
– Want to do a good job for the executive
Human (staff) behavior ― continued
Lack a direct relationship with a company executive or vendor
– With vendors, usually the buyer, supply chain manager, or account manager owns the relationship ― not AP
AP staff usually just process the payments
Common denominators
Payment is to a new beneficiary/bank account
Payment is an exception from the norm
Fraudster counts on request not being verified with trusted source
Impostor fraud red flags
Red flags
Request to remit payment to new/different bank account you've never sent money to before
Request to remit payment to new/different country you've never sent money to before
Request for secrecy around payment (confidential/top secret)
Switch from commercial beneficiary to individual beneficiary: XYZ Manufacturing vs. Jane Smith
Slightly blurred logo on vendor letterhead or invoice indicating item may have been altered
Impostor fraud red flags (continued)
Red flags
For email spoofing, subtle changes to company name in the email, such as: ABCadditive.com vs. ABCaddiitive.com
Change in email address from a company domain to a public domain (e.g., @yahoo.com or @gmail.com)
Writing style may be off: either more formal than usual or less formal than usual — e.g., Jonathan vs. Jon
Warning: If the email has been hacked, all email addresses will appear legitimate.
If something doesn't seem right, it probably isn't.
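The two header-level red flags above (a lookalike company domain, a move to a public webmail domain) and the earlier "check for a spoofed email by hitting reply" slide can be checked by reading the headers rather than replying. The following is an added example, not code from the presentation or from Wells Fargo; the known-domain list, the webmail list and the sample messages are constructed for the example, with the slide's own ABCadditive.com / ABCaddiitive.com pair reused as the lookalike.

```python
"""Header-level screening for the impostor-fraud email red flags on the slides.
Added example: constructed sample messages and assumed domain lists, not the
presentation's own code."""
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains your organisation already corresponds with (constructed).
KNOWN_DOMAINS = {"abcadditive.com", "cityofexample.gov"}
# Public webmail domains a vendor would not normally send remittance changes from.
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def email_red_flags(raw_message: str) -> list:
    """Return the red flags found in the From and Reply-To headers."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    flags = []
    # The slide's "hit reply" test, done by reading the header instead of replying.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")
    if from_dom in PUBLIC_WEBMAIL:
        flags.append(f"sender uses public webmail domain {from_dom}")
    # Lookalike check on both domains, each domain examined once.
    for dom in dict.fromkeys((from_dom, reply_dom)):
        if not dom or dom in KNOWN_DOMAINS:
            continue
        for known in sorted(KNOWN_DOMAINS):
            if levenshtein(dom, known) <= 2:
                flags.append(f"lookalike domain {dom} resembles known domain {known}")
    return flags


# Constructed sample messages for the example.
SPOOFED_REPLY_TO = """From: Jon Smith <jon.smith@abcadditive.com>
Reply-To: Jon Smith <jon.smith@ABCaddiitive.com>
Subject: Updated remittance details

Please use the new account for this month's invoice.
"""
LOOKALIKE_FROM = """From: Jonathan Smith <jon.smith@ABCaddiitive.com>
Subject: New bank account

We have changed banks; details attached.
"""
WEBMAIL_SENDER = """From: ABC Additive Accounts <abcadditive.accounts@gmail.com>
Subject: Invoice 1042

Please remit to the account below.
"""
LEGITIMATE = """From: Jon Smith <jon.smith@abcadditive.com>
Reply-To: Jon Smith <jon.smith@abcadditive.com>
Subject: Invoice 1042

Attached as usual.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed reply-to", SPOOFED_REPLY_TO), ("lookalike from", LOOKALIKE_FROM),
                       ("webmail sender", WEBMAIL_SENDER), ("legitimate", LEGITIMATE)]:
        print(label, "->", email_red_flags(raw) or "no header red flags")
```

A clean result from this check does not clear a message: as the slide warns, a hacked mailbox sends from a perfectly legitimate address, so the callback to contact details on file still applies.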
Best practices for fighting impostor fraud
Alert and educate your executives and staff
Executives: Alert them that fraudsters are taking advantage of execs' company titles and positions of authority without their knowledge.
AP staff: Your AP staff initiates payments and can be targeted directly. Ensure they're empowered to authenticate payment requests or changes to account information.
Alert and educate your internal business partners and vendors
Internal business partners: Educate all groups that communicate with vendors. Alert lines of business that receive/approve invoices, then send to AP for processing.
IT: Ask your IT partners if they can block spoofed emails.
Vendors: Tell vendors you'll no longer accept changes to bank account information by email. Warn them they're targets, too.
Authenticate payment requests
Always authenticate requests:
– Received by email.
– Made outside your company's normal channels.
– Made to accounts or countries you've never sent money to.
– That ask to change a vendor's payment remittance information.
If a request comes by email, fax, or mail, verify it with a phone call. If it comes by phone, verify it by email.
Authenticate payment requests (continued)
Use contact information on file to verify the requestor.
– Never use the information that comes with the request. It's fraudulent, too.
Prohibit executive payment requests made by email.
– Encourage staff to contact executives directly to verify requests.
If you don't authenticate vendor or executive requests, audit requests several months back.
– You could be a fraud victim and not know it.
Use dual custody, but …
The initiator and the approver must:
– Pay close attention to payment details — not just give them a rubber stamp.
– Authenticate the request before they initiate or before they approve to ensure it's not fraudulent.
Require a third-level review for any payments to a new beneficiary.
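The two "Authenticate payment requests" slides and the dual-custody slide together describe one screening procedure: compare the request with the vendor master file, verify through the opposite channel using only contact details on file, and add a third-level review for any new beneficiary. The following is an added example of that procedure, not code from the presentation or from Wells Fargo; the vendor record, the request fields and the sample requests are constructed for the example.

```python
"""Screen an accounts-payable payment request against the vendor master file
and list the verification steps the slides require before it may be initiated.
Added example: constructed records and assumed field names."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorOnFile:
    """What your own vendor master file says; the only trusted source."""
    name: str
    bank_account: str
    country: str
    phone_on_file: str
    email_on_file: str


@dataclass(frozen=True)
class PaymentRequest:
    vendor_id: str
    beneficiary_name: str
    bank_account: str
    country: str
    channel: str             # "email", "fax", "mail" or "phone"
    requests_secrecy: bool = False


def screen_request(req: PaymentRequest, vendors: dict) -> dict:
    """Return red flags, required verification steps and whether the beneficiary is new."""
    vendor = vendors.get(req.vendor_id)
    flags, steps = [], []
    new_beneficiary = vendor is None or req.bank_account != vendor.bank_account
    if vendor is None:
        flags.append("vendor not in master file")
    else:
        if req.bank_account != vendor.bank_account:
            flags.append(f"bank account {req.bank_account} differs from account on file")
        if req.country != vendor.country:
            flags.append(f"destination country {req.country} differs from {vendor.country} on file")
        if req.beneficiary_name.strip().lower() != vendor.name.strip().lower():
            flags.append(f"beneficiary '{req.beneficiary_name}' does not match vendor name '{vendor.name}'")
    if req.requests_secrecy:
        flags.append("request asks for secrecy around the payment")
    # Verify through the other channel, using only contact details from your own records,
    # never the phone number or address that arrived with the request.
    if req.channel in ("email", "fax", "mail"):
        phone = vendor.phone_on_file if vendor else "<number from your own records>"
        steps.append(f"call back on the phone number on file ({phone}) to authenticate")
    elif req.channel == "phone":
        email = vendor.email_on_file if vendor else "<address from your own records>"
        steps.append(f"confirm by email to the address on file ({email})")
    else:
        raise ValueError(f"unknown channel {req.channel!r}")
    steps.append("dual custody: initiator and approver each authenticate and check the payment details")
    if new_beneficiary:
        steps.append("third-level review required: payment to a new beneficiary/bank account")
    return {"flags": flags, "steps": steps, "new_beneficiary": new_beneficiary}


# Constructed vendor master file and requests for the example.
VENDORS = {
    "V100": VendorOnFile("XYZ Manufacturing", "111222333", "US", "+1-555-0100", "ar@xyz-manufacturing.example"),
}
# Several red flags from the slides at once: new account, new country, individual beneficiary, secrecy.
REQUEST_RED = PaymentRequest("V100", "Jane Smith", "999888777", "GB", "email", requests_secrecy=True)
# A routine invoice that still gets the callback and dual custody, but no third-level review.
REQUEST_ROUTINE = PaymentRequest("V100", "XYZ Manufacturing", "111222333", "US", "mail")

if __name__ == "__main__":
    for req in (REQUEST_RED, REQUEST_ROUTINE):
        result = screen_request(req, VENDORS)
        print(req.beneficiary_name, "->", result["flags"] or "no red flags")
        for step in result["steps"]:
            print("   ", step)
```

The callback step is emitted for every emailed, faxed or mailed request, not only flagged ones, because the slides say to always authenticate such requests; the flags decide how much scrutiny the authentication gets, not whether it happens.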
Monitor your accounts daily
The sooner you spot a fraudulent transaction, the sooner you can start your recovery efforts and take steps to help ensure you don't become a victim again.
Make fraud mitigation part of your business culture
Fraud continues to evolve …
Call to action
Help increase awareness of impostor fraud.
As soon as possible, meet with your:
AP staff and internal partners. Any group could be an entry point for a fraudster.
Executives. Make them aware of the threat and ask them to support necessary changes to mitigate risk.
Peers. Contact them to help spread the word.
Take action now! You can't afford to wait or do nothing.
Share this presentation with anyone you think should be aware of the threat.
Helpful information about impostor fraud
Three-part Wells Fargo YouTube video series
Treasury Insights website articles and videos
https://treasuryinsights.wellsfargotreasury.com
If you suspect impostor fraud
Immediately contact your client services officer and tell them you suspect fraud, or call: 1-800-AT-WELLS
Q&A
For more information
Visit the Fraud Protection page on Treasury Insights treasuryinsights.wellsfargotreasury.com
For your questions and comments, please email us: [email protected]