Warning to stay secure, as recent banking difficulties could mask fake bank details
The recent collapse of Silicon Valley, Signature and Silverline banks with First Republic now in the spotlight, has led to growing fears of another financial crisis. But there is one community who are rubbing their hands together in anticipation of the opportunity this presents.
Fraudsters are always ready to piggyback onto a crisis or significant event, using the pretext created as a new platform from which to launch their next scam. Recently the Covid pandemic, the rapid move to remote working, and continued hybrid working provided rich fraud-friendly environments.
Today, world-wide economic turbulence and resultant bank failures have gifted criminals a believable rationale for individuals and businesses to change bank accounts – a common ruse for diverting funds for invoice and other payments into fraudster accounts.
Serious and organised
These are not the outdated stereotype of lone bad actors in hoodies. Organised crime gangs appear professional, with slick, repeatable models ready to roll out quickly when a new opportunity arises.
Criminals operate using call centres, scripts, email communications and white boards to chart their attack strategies, tactics, and hit rate. It sounds like an efficiently run business, doesn’t it? It is.
Often beholden to a hierarchy of terrorists, drug smugglers and people traffickers, the cost of failure is high, so ruthless efficiency is enforced with little sympathy for victims.
A new phishing pool
The collapse of SVB means that up to 38,000 account holders could be looking for a new home – although around 3,000 of those will have been rescued by the HSBC buy-out of SVB-UK. Signature and Silverline add tens of thousands more; that’s a nice size pool to go phishing (or vishing or smishing) in.
The collapse of the three banks offers a plausible pretext for changing bank accounts. Fraudsters may claim a direct involvement, or a fear of the same with their current bank, triggering a fake change request. Depending on the nature of the transaction, money may flow inwards or outwards from a business – and the payment process can be exploited in either direction.
Social engineering: clever and convincing
Social engineering is the foundation of many fraud scams and can be accompanied by cyber-attacks. Most commonly we see spoofed or hijacked emails used to inform businesses or their customers of false changes in bank details for imminent payments on invoices, deposits, and other payments. Occasionally it’s a phone call that requests funds to be sent to another account belonging to the fraudsters.
Whatever guise it takes, companies and individuals must maintain a constant level of awareness and follow procedures without fail.
It’s easy to become complacent and think that your business won’t be a target, but organised crime gangs have access to both cheap and forced labour, so their cost base is low. They can, and do, target lower amounts and smaller organisations that tend to have fewer resources and where the use of emails for communication might not utilise the best cyber protection.
Are you ready?
If you do fall prey to a scam of this nature, then your Crime insurance policy should kick in. Cyber insurance might also play a part if business email compromise (BEC) or some other form of tech-attack featured in the scam. For professionals whose clients are impacted by financial loss, it may fall to your Professional Indemnity Policy.
More worryingly perhaps, as new ‘failure to prevent’ duties are introduced through local legislative frameworks, it’s likely to place such matters firmly within your Directors’ and Officers’ cover with the potential for criminal charges.
To give both you and your stakeholders confidence that adequate defences against fraud are in place, controls to prevent criminal attack need to be structured and evidenced. They can be risk-based and proportionate, but if challenged, could you demonstrate that is the case for your business?
Our ‘Six Steps to Safety’ will help you address that question. In a new world order where stakeholders and society demand that businesses operate under ESG rules, tolerance for fraud is low. Reassuringly however, focussed attention can have a real and rapid impact.
Six Steps to Safety
Do your fraud and the prevention of financial crime (PFC) strategies address these essentials?
• Thorough risk assessment covering all types of crime risk including legal and regulatory obligations. Fraud features here, but it should also address money laundering, bribery and corruption, sanctions, tax evasion, and financial misconduct.
• Assessments are tailored to each individual business, considering customers, sectors, services, operations and financial transactions, ensuring that any outsourced elements are covered.
• Positive messaging, clear communications, and a learning/no-blame culture.
• Written policies with management leads and identified structures for each risk area.
• Speak-up systems with independent contacts and whistleblowing channels.
• Pull and push of management information to maintain oversight and direction of controls, training and assurance.
• Regular review of controls reflecting changing business environment and obligations.
• Independent investigation of failure incidents and robust close-out loops for improvement actions (See UL1)
• Written procedures defining risk controls across the full scope of risk (See UL2)
• Layered controls to ensure no one individual can operate in isolation.
• Proportionality is key; controls for a £50k or £500k payment are different to one for £5k.
Specifically for the push payment / banking fraud referenced, essential controls we recommend are:
* Never accept changes to bank details by email, phone, message etc. without evidence in support.
* Phone before first time payment, using a trusted number previously used with the payee.
* Instil effective dual authorisation through segregation of duties and independent verification of payment details and history (much more than an unconsidered / automatic sign off).
* Ensure a name match confirmation is given and be wary of banks that don’t have this facility.
* Educate your customers about fraud risks and controls they should apply to avoid it. (See UL3)
* Never accept changes to bank details by email, phone, message etc. without evidence in support.
* Phone before first time payment, using a trusted number previously used with the payee.
* Instil effective dual authorisation through segregation of duties and independent verification of payment details and history (much more than an unconsidered / automatic sign off).
* Ensure a name match confirmation is given and be wary of banks that don’t have this facility.
* Educate your customers about fraud risks and controls they should apply to avoid it. (See UL3)
• Training on PFC for new joiners and returners; regular refresher training; and ad hoc sessions when an incident or something topical arises (using media channels to highlight risks)
• Use eLearning sparingly – our claims experience shows that it does register as effectively as group discussion.
• Educate your customers as they can be the weakest link in the payment chain. Consumers are more likely to use web-based email Apps without MFA, unsecure Wi-Fi, and poor cyber protection opening you up to unprotected email communications. Where transactions are higher risk, advise them what they can expect from you, and which security measures they should have in place (See UL3)
• Inline operational monitoring systems include appropriate fraud/crime prevention checks.
• Regular and risk-based in-house audits covering all crime prevention policies and processes.
• Independent audit or review to assess systems against best practice.
