Wire Fraud – Who Is at Fault?
As fraudsters continue getting more creative with how they infiltrate our industry and banking customers, BKD strives to continually share topics that can help keep you one step ahead of these perpetrators. While having strong controls over customer wire transfer approvals is key to mitigating loss to your institution and customers, sometimes these controls alone aren’t enough. Whether it’s a callback confirmation control, email authorization control, or password or passcode verification control, these controls might not be enough if the fraudster has access to your customer’s operating systems.
What if a perpetrator were able to gain access to your customer’s operating system, corporate email system, and related banking information, all of which sit outside your institution’s designed control structure, and change the callback number/individual, approved email address, or preset password/passcode verification without being detected by your customer? In that scenario, the perpetrator could both request and approve a fraudulent wire transfer or transfers that could go undetected by you and your customer. As we know, once funds are transferred in a wire transfer transaction, it’s very hard to get these funds back. Even with a strong control structure in place at your institution over your wire transfer process cycle, you can be open to potential loss and reputation risk in your community if these fraudsters can infiltrate your customers’ internal operating systems.
What can you do?
Given the facts and circumstances noted above, fraudsters have found ways to circumvent common controls in place at financial services institutions. The following additional procedures and controls should be considered to further mitigate potential loss to your institution and your customers:
- First and foremost, educate your customers on potential fraud schemes and how fraudsters might try to gain access to their banking information and operating systems.
- Talk to your customers about implementing additional controls for approving changes made to wire callback approvals, email address authorization, or passwords/passcodes used for verification.
- Consider implementing an additional control at your institution to require the customer to validate or approve any changes made to callback individuals and passcodes with the institution.
- Consider implementing additional authorization controls regarding unusual, infrequent, and/or significant wire transfers.
- Continue educating your customers on their responsibilities regarding what we commonly refer to as “user-end controls,” which are controls in place at their organization that can help mitigate potential fraud.
As our industry continues to try to stay ahead of these fraudsters, we continually find them one step ahead of us. It’s time to start thinking outside of the box and consider what could go wrong so you can defend against those potential issues on a proactive basis rather than a reactive basis. If you have any additional questions regarding this topic or others, reach out to your BKD Trusted Advisor™ or submit the Contact Us form below.