A funds transfer is the movement of money from one party's bank account (the sender) to another party's bank account (the receiver). This process is heavily targeted by cyber criminals, who attempt to redirect the money to a bank account under their control; this is known as funds transfer fraud. Funds transfer fraud is extremely damaging to any organization that falls victim to it, as the attacks often involve a significant amount of money and stolen funds are usually unrecoverable. Attackers use social engineering techniques such as email spoofing and business email compromise to carry out funds transfer fraud at organizations ranging from small local businesses to multinational corporations. On the bright side, protection against these attacks is possible, and the financial damage can be prevented.
Out-of-band authentication (OOBA) uses separate channels for authentication: the channel used to authenticate a user is completely separate from the channel the user uses to log in or perform a transaction.
An example of an OOBA implementation is a customer logging into their online banking account from their desktop. The user logs in with their user ID and password and also receives a one-time passcode via text message on their mobile device. In this example there are two distinct and separate communication channels: the 'internet' channel used by the desktop and the 'wireless cellular network' channel used by the mobile device.
In the case of electronic payments, OOBA is a secondary verification step performed with the requester of a funds transfer over a communication channel separate from the one the original request arrived on. An example would be calling a known and trusted phone number to confirm a change in payment instructions that a vendor sent via email.
Performing funds transfer fraud would be quite difficult with this layered approach in place. This is because both channels would need to be simultaneously compromised for a threat actor to be successful. The use of separate channels mitigates the risk of a successful funds transfer fraud from taking place.
Out-of-band transaction approval is used when approving outgoing monetary transactions, such as ACH or wire transfers. The goal of using out-of-band authentication is to prevent wire fraud from occurring, which is when a fraudulent transfer of money takes place. Cyber criminals will use tactics such as email account compromise or phishing to spoof a trusted vendor or senior executive. By using social engineering tactics, a cybercriminal can trick an employee into transferring funds to a fraudulent account.
An example of wire fraud is an employee in accounting receiving an email from a vendor requesting a change in payment instructions. Without proper due diligence and without validating the authenticity of the request, the employee transfers the funds to a cybercriminal's bank account, only to discover a few days later that the vendor has not actually received any payment.
This example shows the value of implementing out-of-band authentication. If the employee in the above scenario had validated the change of payment instructions by contacting the vendor directly by phone, they would have detected the fraudulent request right away and avoided sending funds to the cybercriminal's account.
OOBA is important in preventing funds transfer fraud because it ensures that funds transfers are initiated, executed, and approved in a secure and authorized manner. Additionally, OOBA reduces the chances of a cybercriminal successfully completing a fraudulent funds transfer because most lack the time, resources, and technical sophistication to outmaneuver these security measures.
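The following is an added example, not code from the original article, that models the approval gate described above for a vendor payment-instruction change. It enforces the two properties that make a confirmation genuinely out-of-band: the confirmation must travel over a channel different from the one the request arrived on, and it must go to the contact held in the vendor master record, never to a number supplied in the request itself. The vendor record, phone numbers, account numbers and function names are all constructed for illustration.

```python
"""
Out-of-band approval gate for a vendor payment-instruction change.
Constructed example: vendor data, phone numbers and account numbers are made up.
"""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed vendor master record. The callback number was captured when the
# vendor was onboarded; it is the only contact the out-of-band check accepts.
VENDOR_MASTER = {
    "V-1001": {
        "name": "Example Vendor Ltd",
        "bank_account": "11112222",
        "callback_phone": "+15550100",
    },
}


def fresh_master():
    """Return a copy of the constructed vendor master so runs do not share state."""
    return deepcopy(VENDOR_MASTER)


@dataclass
class ChangeRequest:
    """A request to change where a vendor's payments are sent."""
    vendor_id: str
    new_bank_account: str
    request_channel: str                       # channel the request arrived on, e.g. "email"
    phone_in_request: Optional[str] = None     # number the request itself asks us to call
    # (channel, contact used, confirmed?) for every verification attempt made
    confirmations: List[Tuple[str, str, bool]] = field(default_factory=list)


class OOBAViolation(Exception):
    """Raised when a change would be applied without a valid out-of-band confirmation."""


def record_confirmation(req: ChangeRequest, channel: str, contact: str, confirmed: bool) -> None:
    """Log one verification attempt against the request."""
    req.confirmations.append((channel, contact, confirmed))


def is_confirmed_out_of_band(req: ChangeRequest, master) -> bool:
    """True only if some confirmation (a) used a channel different from the one the
    request arrived on and (b) went to the contact held in the vendor master record."""
    vendor = master.get(req.vendor_id)
    if vendor is None:
        return False
    for channel, contact, confirmed in req.confirmations:
        if channel == req.request_channel:
            continue    # replying on the same channel is not out-of-band
        if contact != vendor["callback_phone"]:
            continue    # contact not from the master record: it may be attacker-supplied
        if confirmed:
            return True
    return False


def apply_change(req: ChangeRequest, master) -> str:
    """Update the vendor's bank account only after an out-of-band confirmation."""
    if not is_confirmed_out_of_band(req, master):
        raise OOBAViolation(f"{req.vendor_id}: payment instructions not confirmed out-of-band")
    master[req.vendor_id]["bank_account"] = req.new_bank_account
    return master[req.vendor_id]["bank_account"]


if __name__ == "__main__":
    master = fresh_master()
    # Constructed scenario from the article: an email asks to switch the bank
    # account and helpfully supplies a phone number "for any questions".
    req = ChangeRequest("V-1001", "99998888", "email", phone_in_request="+15550199")
    # A reply email asking "please confirm" uses the same channel: does not count.
    record_confirmation(req, "email", "vendor@example.invalid", True)
    # Calling the number printed in the email is not from the master record: does not count.
    record_confirmation(req, "phone", req.phone_in_request, True)
    print("confirmed out-of-band?", is_confirmed_out_of_band(req, master))  # False
    # Calling the number on file and the vendor denies the change: still blocked.
    record_confirmation(req, "phone", master["V-1001"]["callback_phone"], False)
    try:
        apply_change(req, master)
    except OOBAViolation as exc:
        print("blocked:", exc)
```

The check deliberately ignores the contact details inside the request: if the attacker controls the vendor's mailbox, any phone number or email address in that message is also under their control, so only the contact captured at onboarding is trusted.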