A Guide to Funds Transfer Fraud

What is Funds Transfer Fraud?

Funds transfer is the movement of funds from one party's bank account (sender) to another party's bank account (receiver). This process is heavily targeted by cyber criminals, in which they will redirect funds to a bank account under their control (otherwise known as funds transfer fraud). Funds transfer fraud is extremely damaging to any organization that is a victim of these attacks, as oftentimes attacks will involve a significant amount of funds and stolen funds are unrecoverable. Attackers will use various social engineering techniques such as email spoofing or business email compromise to carry out funds transfer fraud at organizations ranging from small local businesses to multinational corporations. On the bright side, protection against these types of attacks is possible and financially damaging repercussions can be prevented. 

Out-of-band authentication involves using separate channels for authentication. For example, the channel that is used to authenticate a user is completely separate from the channel used by the user to log in or perform a transaction. 

An example of an OOBA implementation is a customer logging into their online banking account through their desktop. The user would login with their user ID and password and also receive a one-time passcode via text message to their mobile device. In this example, there are two distinct and separate communication channels - the ‘internet channel’ for the user's desktop and the ‘wireless cellular network’ channel for the mobile device.

In the case of executing electronic payments, OOBA is a secondary verification method with the requester of a funds transfer through a communication channel separate from the original request. An example of this would be calling a known and trusted phone number to confirm a change in payment instructions sent via email from a vendor.

Performing funds transfer fraud would be quite difficult with this layered approach in place. This is because both channels would need to be simultaneously compromised for a threat actor to be successful. The use of separate channels mitigates the risk of a successful funds transfer fraud from taking place.

Out-of-band transaction approval is used when approving outgoing monetary transactions, such as ACH or wire transfers. The goal of using out-of-band authentication is to prevent wire fraud from occurring, which is when a fraudulent transfer of money takes place. Cyber criminals will use tactics such as email account compromise or phishing to spoof a trusted vendor or senior executive. By using social engineering tactics, a cybercriminal can trick an employee into transferring funds to a fraudulent account. 

An example of wire fraud is an employee in accounting receiving an email from a vendor requesting a change in payment instructions. Without proper due diligence and validating the authenticity of the request, the employee transfers the funds to a cyber criminals bank account, only to discover a few days later that the vendor has not actually received any type of payment. 

In this example, the value of implementing out-of-band authentication can be seen. If the employee in the above scenario were to validate the change of payment instructions by contacting the vendor directly by phone, they would have detected the nefarious activity right away and avoided sending funds to the cybercriminals account. 

OOBA is important in preventing funds transfer fraud because it ensures that funds transfers are initiated, executed, and approved in a secure and authorized manner. Additionally, OOBA reduces the chances of a cybercriminal successfully completing a fraudulent funds transfer because most lack the time, resources, and technical sophistication to outmaneuver these security measures.

Employee Education

Educate Employees on how to recognize and deal with phishing emails through employee security awareness training programs.

Implement a Secure Email Gateway (SEG)

Utilize a SEG to prevent spam, phishing, and malicious emails from reaching your employee's inboxes in the first place.

Enforce MFA on Email Accounts

Equip email accounts with MFA to help prevent an account from being compromised and being used to initiate fraudulent funds transfer requests.

Train Employees To Validate & Verify All Payment Requests

Ensure employees validate & verify payment requests with all vendors or requestors directly by phone using a known trusted phone number to confirm the authenticity of the payment request and information (do not rely on the phone number in the email).

Include Response Steps in Your Incident Response Plan

Should you experience funds transfer fraud, it's recommended to include response steps to facilitate your Incident Response Plan. This should include steps for appropriate reporting to company management, the bank, law enforcement and your insurance carrier. 

• Securing Email - Best Practices

• Example Funds Transfer Policy Template

• Tips to Prevent Wire Fraud

• Identifying and Responding to Wire Fraud

• FBI - Protection Against BEC Scams