Wire Fraud–Don’t Be “Whaled”!
Recently, multiple clients were targeted by fraud rings that attempted, and nearly managed, to have money fraudulently transferred by wire. Unfortunately, tools like LinkedIn and public company websites make it easy for thieves to identify the principals and financial leaders of almost any company and set up this simple email scheme. No hacking is required. This type of targeted email phishing attack has been dubbed “whaling”: it goes after the big fish.
In “whaling,” a fraudster sets up a fake email account that appears to be that of the owner, CEO, or president of a company. The email may also include a URL that closely resembles the company’s URL. An email is sent from the “boss” to the controller or CFO mid-day, claiming an urgent need for a wire transfer. It preys on subordinates’ desire to be helpful and responsive. If the money is sent by wire, there is almost zero chance of recovery, so avoidance is critical.
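The pattern described above (the boss's name on an outside address, a domain that nearly matches the company's, and an urgent wire request) can also be flagged automatically on inbound mail. The Python below is an added example, not part of the original article; the company domain, executive names, keyword list and sample messages are assumed values constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values, constructed for this example: replace with your own.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"pat rivera", "jordan lee"}
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|urgent|payee)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot domains one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def whaling_flags(raw_message):
    """Return the reasons a message matches the whaling pattern (empty if none)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    external = domain != COMPANY_DOMAIN
    flags = []
    if external and display.strip().lower() in EXECUTIVES:
        flags.append("executive display name on external address")
    if external and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        flags.append("sender domain resembles company domain")
    text = f"{msg.get('Subject', '')} {msg.get_payload()}"
    # Payment wording alone is normal business mail; it only counts with another flag.
    if flags and PAYMENT_TERMS.search(text):
        flags.append("payment request language")
    return flags

# Constructed sample messages: the first uses a look-alike domain ("1" for "l").
SPOOFED = """From: Pat Rivera <pat.rivera@examp1e-corp.com>
To: controller@example-corp.com
Subject: Urgent wire today

I need a wire sent to a new vendor before 3pm. Are you at your desk?
"""
GENUINE = """From: Pat Rivera <pat.rivera@example-corp.com>
To: controller@example-corp.com
Subject: Wire schedule for next week

Please send me the list of scheduled wire payments.
"""
```

A flagged message is a prompt for the phone call described below, not a substitute for it: a fraudster using an unrelated domain and a name not on the list would pass this check.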
The attempts have differed in the nature of the transfer:
Type 1: The fraudster requested an international wire transfer for more than $200,000.
Type 2: The fraudster requested a domestic wire for roughly $9,500 (below the $10K regulatory reporting threshold).
In both types, the internal controls that protected the company are the same:
- Require dual authentication (an old-fashioned phone call to the boss) to authorize any wire transfer to a new vendor or payee. It’s simple, yet highly effective in stopping this type of theft.
- Train all employees with banking access on typical fraud techniques and how to flag them.
Implementing these two controls is a small investment to protect your cash, stay in business, and do a little real fishing to “catch us up a little catfish dinner!”