During the late 2000s, there was a major surge in account takeover fraud in which online banking systems were hacked or login credentials were compromised. In response, Federal regulators began advising “layers of security”, such as multi-factor authentication, tokens, out-of-band authentication (phone or text) and other protections to mitigate account takeover fraud. With online systems better protected, fraudsters moved on to social engineering and scams that convince account holders themselves to authorize payments to fraudulent accounts.

Email, texts and social media messages are the primary vehicle for scams these days, and fraudsters exploit the fact that these are the primary tools people use to communicate. Business Email Compromise (BEC) has been used to describe circumstances such as: 

  • Individuals having their email system hacked,
  • An unencrypted email intercepted and then spoofed,
  • Stolen email accounts being used to reset online banking passwords, or
  • Sending legitimate-looking emails with links or attachments that will infect your computer or network with malware. 

Today, fraudsters are becoming skilled at using Office products and Photoshop to produce convincing-looking invoice attachments for emails. BEC scams usually result in the sending of fraudulent ACH Credits or Wire Transfers.

Consumers are at risk too. They are often peppered with phony emails imitating merchants, scams about family members in trouble, computer repairs, lottery winnings, etc. They also rely heavily on social media, which is full of scams and of offers that people believe are legitimate sales of a good or service. 

Remember, it is FREE to create an email or social media account. Additionally, buying a phone with text messaging capabilities, or downloading an anonymous texting app, is easy to do. When your account holders share payment instructions that arrived via email, text message or social media message, financial institutions should treat that as an immediate red flag and begin asking questions. The same applies to anyone who suddenly needs Person-to-Person (P2P) or Account-to-Account (A2A) transfer services, which use ACH or Debit Cards.

How do you mitigate the risk of fraud happening with everyday communications like email, text, phone or social media messages? Here are a few tips:

  1. Advise your account holders to never discuss payments or account instructions via communications that can be intercepted easily, specifically unencrypted email. 
  2. Invest in email encryption if materials must be traded between parties, but always follow up any money-related email with a phone call.
  3. Consider creating unique PINs for account holders who are verified by phone.
  4. In your phone callbacks, verify not only that the payment is theirs, but also how they obtained the instructions. If the answer is “received by email”, ask further questions. 
  5. Know your customer (KYC), account holder or receiver of the payment. Most payments involve an established relationship, so payment instructions sent electronically can be verified verbally. 
  6. Be alert to a “sense of urgency” from your client, such as an account holder who wants something sent ASAP, especially from a deposit they just received. 
  7. If a financial institution branch receives a request (Wire, for example), ask questions about its purpose. Remember, if something has too many red flags, you may tell them no.
  8. If you have new receiver alerts or fraud software plugins for your ACH/wire systems, use them to review payments being sent to a new destination. Ask questions following an alert.
  9. Continually educate and communicate fraud schemes, security risks, social engineering risks and other concerns to your financial institution staff and your account holder base.
  10. Advise account holders that NOBODY should ever call or contact them about their account number or debit card number via phone, email, text, social media or other online inquiries. 
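Tips 4, 6 and 8 above describe three checks that a payment-review system can apply automatically before a callback is made: the receiver has never been paid from this account (or not for a long time), the payment closely follows a fresh deposit that covers it, and the instructions arrived over an easily spoofed channel. The following is an added example that is not part of the EPCOR article and not any vendor's product; the record fields, the 365-day lookback, the 48-hour deposit window and the sample transactions are all constructed assumptions for illustration.

```python
"""Added example (not from the EPCOR article): a minimal "new receiver" alert over a
constructed set of inbound deposits and outbound ACH credits / wires.  Field names,
thresholds and sample data are assumptions chosen for illustration only."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Payment:
    account: str              # originating deposit account (label only)
    direction: str            # "in" = deposit received, "out" = ACH credit / wire sent
    counterparty: str         # the other party's routing+account, simplified to a label
    amount: float
    when: datetime
    instruction_channel: str  # how instructions arrived: "phone", "email", "text", "social", "n/a"


EASILY_SPOOFED = ("email", "text", "social")


def new_receiver_alerts(history, lookback_days=365, recent_deposit_hours=48):
    """Return [(payment, [reasons])] for outbound payments that warrant a callback.

    Reasons applied (each maps to one of the article's tips):
      - receiver never paid from this account within the lookback window (tip 8)
      - sent shortly after a deposit large enough to cover it (tip 6)
      - instructions received via an easily spoofed channel (tip 4)
    """
    alerts = []
    state = {}  # account -> {"receivers": {label: last paid}, "deposits": [Payment]}
    for p in sorted(history, key=lambda x: x.when):
        seen = state.setdefault(p.account, {"receivers": {}, "deposits": []})
        if p.direction == "in":
            seen["deposits"].append(p)
            continue

        reasons = []
        last_paid = seen["receivers"].get(p.counterparty)
        if last_paid is None or p.when - last_paid > timedelta(days=lookback_days):
            reasons.append("new or dormant receiver")

        window = timedelta(hours=recent_deposit_hours)
        if any(timedelta(0) <= p.when - d.when <= window and d.amount >= p.amount
               for d in seen["deposits"]):
            reasons.append("sent shortly after a deposit that covers it")

        if p.instruction_channel in EASILY_SPOOFED:
            reasons.append("instructions received via " + p.instruction_channel)

        if reasons:
            alerts.append((p, reasons))
        # Record the receiver whether or not we alerted; the callback decides what happens next.
        seen["receivers"][p.counterparty] = p.when
    return alerts


# Constructed sample history, not real transactions.
SAMPLE_HISTORY = [
    Payment("ACME-001", "out", "VENDOR-A", 5000.00, datetime(2024, 3, 1, 9), "phone"),
    Payment("ACME-001", "out", "VENDOR-A", 5200.00, datetime(2024, 4, 1, 9), "phone"),
    Payment("ACME-001", "in", "CUSTOMER-X", 48000.00, datetime(2024, 4, 10, 14), "n/a"),
    Payment("ACME-001", "out", "VENDOR-B", 47500.00, datetime(2024, 4, 11, 8), "email"),
]


if __name__ == "__main__":
    for payment, reasons in new_receiver_alerts(SAMPLE_HISTORY):
        print(f"{payment.when:%Y-%m-%d} {payment.account} -> {payment.counterparty} "
              f"${payment.amount:,.2f}: " + "; ".join(reasons))
```

On the sample data the first payment to VENDOR-A is flagged only as a new receiver (an expected one-off that a callback clears), the second payment to VENDOR-A raises nothing, and the payment to VENDOR-B collects all three reasons: a never-before-seen receiver, an amount that almost exactly drains a deposit received 18 hours earlier, and instructions that arrived by email. An alert with several reasons is the case where the callback script in tip 4 should dig into how the instructions were obtained.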

If scams by electronic communications didn’t work, fraudsters wouldn’t rely on them so heavily to carry out their schemes. A best practice is to build awareness across your account holder base, while financial institution staff follow operating procedures that protect those deposits from risk.

Republished with permission from EPCOR