Banks can leverage their relationships with clients and empower to better control fraud.

Institutions find themselves in difficult positions as a growing number of their customers are targeted for business takeover attacks. Hackers gain access to company funds through a variety of manipulations, often tricking an internal employee into sending a wire transfer. Some corporates have ineffective controls around their bank accounts or make poor decisions when sharing banking information. Banks are often stuck in the middle. Regardless of its lack of involvement in a fraudulent transaction, the bank will likely receive the first call when money goes missing.
Organizations are increasingly concerned about these business takeover threats, according to RSM’s recent Middle Market Business Index Cybersecurity Special Report. The survey found that 64% of middle market executives believe their businesses are at risk of attempted employee manipulation in the coming year, up 9% from the previous year. They are right to be worried: these attacks are growing in popularity with criminals because of their low-tech and low-risk nature, combined with the potential of significant rewards.
Business takeover cases are simple on the surface, but can have complex details. In one recent example, a portfolio company of a private equity firm sent an email to the PE firm’s chief financial officer seeking additional funds. A hacker who had taken control of the portfolio company’s email sent a follow-up email with the hacker’s bank account information to receive the fraudulent wire transfer. The CFO quickly recognized that something was wrong and called the bank. The company and the hacker used the same bank, which froze the funds. But the hacker successfully convinced the institution to release the funds and wired them out of the country.
While banks are not required to encourage customers to adopt stronger protections against takeover threats or modify their own internal processes to identify fraud, some small adjustments can make a big difference to help deter criminals.
Many banks still do not coach customers on how they can discourage takeover threats, or help them understand the tools at their disposal. For example, many banks offer two-factor authentication for wire transfers that customers choose to disable, creating unnecessary vulnerabilities. When customers elect to turn off security controls, banks can intervene and help them understand why those controls exist. Coaching can help clients avoid painful experiences.
In addition, banks should offer security information and training to their clients on a regular basis to help them understand threats and the role the bank plays. Institutions need more visibility into emerging risks and the behavior and activity that clients need to avoid. They can use these touchpoints to check on their customers’ status, improve business relationships and discuss any additional necessary
Many banks utilize flexible core banking systems that can identify high-risk transactions. These platforms feature extensive functionality, but banks often do not use all of the built-in capabilities and sometimes miss questionable transactions in real time. In many cases, they can establish controls to flag suspicious activity.
For example, if a middle market company that traditionally only does domestic wire transfers sends funds to Romania, that transaction should stick out like a sore thumb. Perhaps a company that usually sends wire transfers under $20,000 suddenly sends one for $60,000. While large banks may not be able to pick up the phone to validate that transaction, community banks have an opportunity to reach out personally and provide more value than their larger counterparts.
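The two outliers described above (a first wire to an unfamiliar country, and a wire far above the customer's usual size) can be written as baseline rules that hold a transfer for a call-back. This is an added example, not code from the article or from any core banking product; the record fields, thresholds, reason codes and sample history are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Wire:
    customer: str
    amount: float        # in the account currency
    dest_country: str    # ISO 3166 alpha-2 code of the beneficiary bank
    two_factor: bool     # approved with two-factor authentication?


# Assumed tuning values; a bank would set these from its own loss data.
AMOUNT_MULTIPLIER = 2.0  # flag wires above 2x the customer's largest prior wire
MIN_HISTORY = 5          # below this, there is no baseline to compare against


def review_reasons(wire, history):
    """Return reason codes for holding a wire until the client confirms it."""
    past = [w for w in history if w.customer == wire.customer]
    if len(past) < MIN_HISTORY:
        return ["THIN_HISTORY"]          # no baseline: confirm rather than guess
    reasons = []
    if wire.dest_country not in {w.dest_country for w in past}:
        reasons.append("NEW_COUNTRY")    # e.g. domestic-only customer, wire abroad
    if wire.amount > AMOUNT_MULTIPLIER * max(w.amount for w in past):
        reasons.append("AMOUNT_OUTLIER") # e.g. usual wires < $20,000, now $60,000
    if reasons and not wire.two_factor:
        reasons.append("NO_TWO_FACTOR")  # outlier sent with the control disabled
    return reasons


# Constructed sample history: a customer that only sends domestic wires
# under $20,000.
HISTORY = [Wire("acme-mfg", amt, "US", True)
           for amt in (8200, 12500, 15000, 9900, 19500, 11000)]

if __name__ == "__main__":
    incoming = [
        Wire("acme-mfg", 14000, "US", True),    # in pattern
        Wire("acme-mfg", 12000, "RO", True),    # new destination country
        Wire("acme-mfg", 60000, "US", False),   # size outlier, 2FA disabled
    ]
    for w in incoming:
        print(w.amount, w.dest_country, review_reasons(w, HISTORY) or "release")
```

An empty list means the wire matches the customer's own history; any reason code is a prompt for the personal call-back the article describes, not proof of fraud.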
Obviously, detecting a fraudulent wire transfer from within the bank is not always this straightforward. But the institution is often the last point of resistance in these attacks. Individuals responsible for oversight should review suspicious activity reports and other notifications of wire transfer fraud regularly to identify criminal
Banks may be able to better control fraud in three ways: confirming transfers with clients, being more conservative with internal fraud detection processes and paying attention to any outlier transactions.
Most banks and many customers have taken steps to improve their internal cybersecurity following high-profile attacks and increased regulatory scrutiny. However, plans to reduce business takeover risks both inside the bank and when guiding customer activities must be adaptable to new threats. Criminals’ methods will constantly evolve to circumvent today’s detective controls and protective measures.
Educating clients about how to avoid and address risks while adjusting internal bank processes can improve operations for both your bank and your clients. A stronger risk environment can increase customer satisfaction, reduce the strain on internal employees tasked with tracking down lost funds and help you avoid having to guide your customers through the fallout of a criminal hacking.