Companies are under attack. The FBI reports that internet-enabled theft, fraud, and exploitation accounted for a stunning $2.7 billion in financial losses in 2018 alone, almost double the loss amount for 2016.  

This problem is systemic and defies easy solutions. To date, most proposed solutions have focused on the responsibility of companies to improve their computer security and their accounting and business processes to prevent certain types of fraud. However, these solutions alone have not proven sufficient.  

It’s now time for financial institutions to start considering how they might help prevent these kinds of frauds. 

From Email to Deep Fakes 

One of the most prevalent and costliest forms of fraud facing companies of all sizes today comes from business email compromise attacks.  

Criminals gain access to an email account through any of a host of intrusion techniques, such as the spear-phishing described below. Once inside the account, the attacker typically searches for messages describing payments due to or owed by the account holder. The attacker then inserts themselves into the existing conversation about those payments and demands prompt payment to a new account number, an account the attacker controls.  


One twist makes this crime particularly difficult for a company to address on its own: often the company whose email accounts were penetrated is not the company that is defrauded. This happens when the attacker uses information in the penetrated email account to target a third party who owes money to the initial victim, typically by pretending to be that victim. If the attacker succeeds, the third party transfers money into an account the attacker controls, and the attacker moves the funds on before anyone realizes the theft or has had time to freeze the fraudulent account. 

Indeed, even if all email accounts were perfectly secured, this type of fraud would not be stamped out.  

The CEO of a UK-based energy company was recently under the impression he was answering a telephone call from his boss, the CEO of the company’s German parent, asking him to wire nearly $250,000 to the account of a supplier. He claims he recognized his boss’s subtle German accent and the melody of his voice, so he sent the funds. It turns out he was speaking to a fraudster using artificial intelligence voice technology to mimic the executive’s voice and speech cadence.  

It’s unclear whether the attackers stitched together snippets of audio from available recordings of the executive’s speech or used voice-generating technology to reproduce his voice. If it was the latter, many are citing this as a first-of-its-kind AI-based deep fake telephone attack. In either case, this form of attack goes beyond the detection capabilities of traditional cybersecurity tools: nothing crosses the company’s network that an email filter or intrusion detection system could inspect. Indeed, when coupled with commercially available technology that generates increasingly convincing deep fake videos, it is easy to see how impersonation attacks may quickly become the next wave of cybersecurity threats.  

What Can Banks Do? 

The near-constant onslaught of headlines detailing successful, often high-profile business email compromise attacks has companies of all sizes scrambling to ensure that they stay one step ahead of the next would-be attacker.  

A quick review of industry publications like this one reveals a standard set of procedures that companies are advised to implement to help avoid these frauds.  

For starters, they can create mail-filtering and intrusion detection rules that flag suspicious emails, with the goal of limiting the effectiveness of spear-phishing or spoofing attacks and preventing attackers from accessing their systems in the first place. On the back end, firms that receive email requests for funds can closely scrutinize each request and can insist on out-of-band verification for any change in vendor payment information: for example, a telephone call to a number already on file for the vendor, never to a number supplied in the email that requested the change.  
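The front-end rules described above, as an added example that is not part of the original article: a small scorer that looks for the header and content signals typical of a business email compromise (a Reply-To domain that differs from the sender, a domain that closely resembles a known vendor, language asking to change bank details, and pressure to act at once). The vendor domain list, the thresholds and the two sample messages are constructed for the example and are assumptions, not data from the article.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Hypothetical set of domains belonging to vendors this company actually pays.
KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northwind-traders.com"}

# Phrases that commonly accompany a request to redirect a payment.
PAYMENT_CHANGE_PATTERNS = [
    r"\bnew (bank|account|wire|remittance) (details|instructions|number)\b",
    r"\b(updated?|changed?) (our )?(bank|banking|account|payment) (details|information)\b",
]
URGENCY_PATTERNS = [r"\b(urgent|urgently|immediately|today|before close of business)\b"]


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from an address header such as From or Reply-To."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known vendor domain that `domain` closely resembles, or None.

    An exact match is legitimate; a near match (similarity >= 0.85, an assumed
    threshold) is the kind of typo-squatted domain used to impersonate a vendor.
    """
    if not domain or domain in KNOWN_VENDOR_DOMAINS:
        return None
    for known in KNOWN_VENDOR_DOMAINS:
        if SequenceMatcher(None, domain, known).ratio() >= 0.85:
            return known
    return None


def score_email(raw_message: str) -> dict:
    """Return the BEC indicators found in one message and a recommended action."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    flags = []
    if reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    for dom in dict.fromkeys([from_dom, reply_dom]):  # de-duplicated, order kept
        known = lookalike_of(dom)
        if known:
            flags.append(f"domain {dom} resembles known vendor {known}")
    payment = any(re.search(p, text) for p in PAYMENT_CHANGE_PATTERNS)
    urgency = any(re.search(p, text) for p in URGENCY_PATTERNS)
    if payment:
        flags.append("message asks to change payment or bank details")
    if urgency:
        flags.append("message pressures for immediate action")

    # A payment-change request combined with a header anomaly is the classic BEC
    # pattern: hold it and confirm by telephone on a number already on file.
    header_anomaly = any("domain" in f for f in flags)
    if payment and header_anomaly:
        action = "hold: confirm by phone using the number already on file"
    elif flags:
        action = "review"
    else:
        action = "none"
    return {"flags": flags, "action": action}


# Constructed sample messages (not real traffic).
FRAUDULENT = """\
From: Acme Supply Accounts <ar@acme-supply.com>
Reply-To: ar@acme-suply.com
Subject: Updated bank details for invoice 4471

We have updated our bank details. Please send payment for invoice 4471
to the new account number below today.
"""

LEGITIMATE = """\
From: Acme Supply Accounts <ar@acme-supply.com>
Subject: Invoice 4471

Please find attached invoice 4471, due in 30 days as usual.
"""

if __name__ == "__main__":
    for name, raw in (("fraudulent", FRAUDULENT), ("legitimate", LEGITIMATE)):
        print(name, score_email(raw))
```

The point of the "hold" action is that the rule does not try to decide on its own: it routes the message to a person who confirms the change through a channel the attacker does not control.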


Taken together, these front- and back-end strategies are a good start. But it’s clear that even they may not have been enough in the matter described above.  

As payment processors, financial institutions have, in certain cases, remained silent and unwitting facilitators of the fraudulent transfers that follow business email compromise attacks. The primary obligation to detect potentially nefarious activity does and will remain with a financial institution’s clients. But the rise of fraudulent transfers presents an attractive value proposition for banks that are willing to act as a gatekeeper for clients and their customers in processing transfer requests.  

For instance, financial institutions can put into place more thorough checks to confirm the validity of wire transfer recipient information before funds are transferred. If Company A intends to wire funds to Company B, a red flag should be raised if the funds are slated to go to an account that is not in Company B’s name.  

Similarly, banks might consider putting a brief hold on large wire transfer payments to off-shore accounts unless the customer has confirmed that it intends the money to go overseas. Or, if Company A routinely wires funds to Company B and suddenly directs the funds to a new account, the financial institution could step in to scrutinize the recipient information, confirm its legitimacy, and ensure that the client intends to send to this new account.  
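The three bank-side checks described in the two paragraphs above, as an added example that is not part of the original article and not any bank’s code: a beneficiary-name comparison, a new-account-for-a-known-payee check, and a hold on large transfers to unfamiliar overseas accounts. The payment history, the wire requests, the account identifiers and the $100,000 threshold are all constructed for the example and are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

LARGE_WIRE_USD = 100_000  # assumed threshold for the overseas hold rule


@dataclass
class Wire:
    originator: str        # the bank's customer sending the money
    payee: str             # who the customer says it is paying
    beneficiary_name: str  # name on the receiving account
    account: str           # receiving account identifier (placeholder strings below)
    country: str           # country of the receiving bank
    amount_usd: float


@dataclass
class Decision:
    action: str                              # "release", "verify" or "hold"
    reasons: List[str] = field(default_factory=list)


def names_match(a: str, b: str) -> bool:
    """Loose comparison: case-insensitive, ignoring punctuation and entity suffixes."""
    def norm(s: str) -> str:
        s = "".join(ch for ch in s.lower() if ch.isalnum() or ch == " ")
        return " ".join(w for w in s.split() if w not in {"inc", "llc", "ltd", "gmbh", "co"})
    return norm(a) == norm(b)


def screen_wire(wire: Wire, history: Dict[Tuple[str, str], Set[str]], home_country: str) -> Decision:
    """Screen one outgoing wire against the customer's payment history.

    `history` maps (originator, payee) to the set of accounts that payee has
    been paid into before. Returns "verify" when the customer must confirm the
    instruction out of band, "hold" for a brief hold on a large overseas wire
    to an unfamiliar account, and "release" otherwise.
    """
    reasons = []
    name_ok = names_match(wire.payee, wire.beneficiary_name)
    if not name_ok:
        reasons.append(f"beneficiary '{wire.beneficiary_name}' is not in payee's name '{wire.payee}'")

    known = history.get((wire.originator, wire.payee), set())
    new_account_for_known_payee = bool(known) and wire.account not in known
    if new_account_for_known_payee:
        reasons.append("payee has been paid before, but never to this account")

    overseas_unfamiliar = (
        wire.country != home_country
        and wire.amount_usd >= LARGE_WIRE_USD
        and wire.account not in known
    )
    if overseas_unfamiliar:
        reasons.append(f"large transfer to an unfamiliar account in {wire.country}")

    # A name mismatch or a changed account is the signature of a redirected
    # payment: confirm with the originator on contact details already on file.
    if not name_ok or new_account_for_known_payee:
        return Decision("verify", reasons)
    if overseas_unfamiliar:
        return Decision("hold", reasons)
    return Decision("release")


# Constructed sample data: Company A has paid Company B into one account before.
HISTORY: Dict[Tuple[str, str], Set[str]] = {("Company A", "Company B"): {"ACCT-B-0001"}}

ROUTINE = Wire("Company A", "Company B", "Company B Ltd", "ACCT-B-0001", "US", 50_000)
REDIRECTED = Wire("Company A", "Company B", "Company B", "ACCT-X-9912", "US", 50_000)
MULE = Wire("Company A", "Company B", "J. Smith", "ACCT-X-9913", "HK", 250_000)
NEW_OVERSEAS_VENDOR = Wire("Company A", "Far East Parts", "Far East Parts Co", "ACCT-F-0100", "HK", 300_000)

if __name__ == "__main__":
    for w in (ROUTINE, REDIRECTED, MULE, NEW_OVERSEAS_VENDOR):
        print(w.payee, w.account, screen_wire(w, HISTORY, "US"))
```

The history lookup is keyed on the originator as well as the payee: the question is not whether the bank has ever seen this account, but whether this customer has paid this counterparty into it before.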

Many of these steps may also be relevant factors in assessing the reasonableness of a financial institution’s actions in executing a transfer instruction and/or in apportioning liability between a financial institution and its customer in a dispute.  

Financial institutions have implemented Know Your Customer procedures to reduce money laundering and other illegal activities. It’s now time for banks to increase their scrutiny of wire transfer recipients to avoid becoming unwitting participants in this new and ever-growing type of fraud. The financial and real-world consequences of ignoring this growing problem suggest that there is no time to waste.  

Seth P. Berman leads Nutter’s privacy and data security practice group and is a member of the firm’s white collar defense practice group. James W. Gately is an associate in Nutter’s litigation department and a member of the firm’s business litigation practice group. 

Financial Institutions Must Be Gatekeepers in Fight Against Fraud

by Banker & Tradesman