TD’s answer to a pandemic-driven spike in wire fraud
The banking industry has seen an escalation in fraud attempts involving commercial wire transfers since the coronavirus pandemic began, and is educating business customers and employees about how to spot scammers and establish proper controls to deter them.
Criminals have latched on to the fact that businesses' communication channels and controls around wire transfers have been disrupted with so many people working from home, according to Tom Gregory, manager of treasury management sales at TD Bank. And it's harder to identify phony wire transfers.
"Everything else is unusual — why would this be any more unusual than anything else?" Gregory said in reference to many business activities lately. "And so people are not seeing the red flags that they might see in a normal work environment.”
Other banks and their customers will have to be on guard, too, as the FBI warned in April that it anticipates a rise in business email compromise schemes related to the COVID-19 outbreak. Not that fraud wasn't already a problem.
Indeed, 76% of businesses surveyed by Strategic Treasurer this year said fraud risks had risen in the previous 12 months. And, in a separate survey, 36% of firms said they had experienced an increase in fraud attempts since the shift to a work-from-home environment.
The risks tied to wire transfers conducted from home are greater than in an office because authentication and network security tend to be more lax, said Craig Jeffery, managing partner at Strategic Treasurer.
What worries him most, he said, is that “the bad actors are far more sophisticated and patient, they have better tools and they're automated, and they continue to learn. The threat level continues to systematically increase. And that means that the defense level has to correspondingly increase to combat that.”
The average payout of a successful business email compromise is $130,000, Jeffery said.
Companies try to protect their systems with network security firewalls and encryption as well as training people to not fall for phishing emails, he said. But many organizations don’t lock down their payment processes, leaving them vulnerable to being manipulated and exploited.
The $383 billion-asset TD Bank, the U.S. arm of TD Bank Group in Toronto, has found its share of customers falling for fake wire transfer requests.
In one case, a hacker broke into a Zoom training session at one of TD Bank’s business clients, stole an email address from it and used that to break into the company’s computers with malware and hold it for ransom.
"Thankfully, this company had all their data backed up and told the criminal to go pound sand,” Gregory said. “But Zoom wasn't a thing really until this whole COVID-19 lockdown came upon all of us.”
In other cases, criminals are taking advantage of the fact that so many businesses are shifting to ACH payments now that they can’t deposit checks at bank branches. Fraudsters will call someone in charge of payroll and ask them to stop sending them a paycheck, and instead directly deposit their pay to a bank account.
It’s not hard for fraudsters to impersonate employees in such cases because the person running payroll doesn’t know them anyway and has no way of knowing they’re not talking to the actual employee, Gregory said.
In another case, a human resources self-service site was hacked to siphon money out of a client.
“Criminals are seizing on the fact that people's guards are down and they're dealing with new ways to get things done that haven't really been proceduralized or audited,” Gregory said.
Gregory considers himself an evangelist for prevention of business email compromise and wire transfer fraud.
“We continue to have an insufficient level of awareness and sensitivity to the human element of protecting your company's assets,” he said. “If you look at companies that are sustaining losses from [business email compromise] and hundreds of thousands of dollars and sometimes millions in outgoing wires, and you look at what their IT infrastructure is, you may find that it's fine, well and good. But the loss is sustained because people just aren't suspicious enough or they don't have procedural controls in place.”
Often leaders in a company, like a controller, treasurer or chief financial officer, are duped by a business email compromise attack and believe they are corresponding with an authentic counterparty in their organization or at a supplier.
“During the course of the correspondence, it's, ‘Oh, by the way, I changed the account number you have on your accounts payable file — here's the new information,' ” Gregory said. “And they're smart enough to time that with an upcoming large disbursement and the victim ends up sending a wire to the criminal's account.”
An extra authentication step, such as calling the person who appears to be making the request to make sure it’s really them, would stop some of this.
TD Bank conducts checks to protect people from themselves. It uses positive pay technology, through which business customers send over a file of all their outgoing payments, and the bank checks each payment against that list. It looks for first-time beneficiaries and unusual patterns of behavior.
But everybody has to share the role of risk management, Gregory said.
“When we check with our customer, they feel inconvenienced: that's a perfectly good wire, and I expected you to get it out minutes ago,” he said. “So there is a balance, and we are constantly looking for more ways to do that, with automation, with human eyes and elbow grease. We're applying artificial intelligence to this. But we do require that our customers take care of their own business as well,” by verifying the requester before sending out a wire transfer.
When the bank contacts customers, it reminds them of good security habits, like conducting background checks on employees and checking on wire transfers.
It’s developing online training for customers’ employees to help them understand how to keep their companies’ assets safe. TD Bank employees themselves go through fraud awareness and cybersecurity training. They’re sent test emails to see if they’ll open or click on risky items they shouldn’t; their bosses are sent the results.
“Instilling a culture with that risk awareness is really the duty of every financial practitioner,” Gregory said.