Last week, the U.S. subsidiary of Nikkei, Japan's largest financial media organization, made headlines for a reason no firm ever wants: the company was the victim of financial fraud to the tune of $29 million via a wire transfer gone bad.
Details are still emerging, but what is known thus far is that the transfer took place sometime in late September, and was based on "fraudulent instructions by a malicious third-party who purported to be a management executive of Nikkei," according to a statement by the company.
Some of the information coming out of the Nikkei situation, David Barnhardt, chief experience officer at GIACT, told Karen Webster, is pretty head-turning. The amount of money stolen is certainly a big hit. Yet what is unusual is that the fraudsters didn't just imitate a management executive in a phishing email; they also imitated his voice over the phone.
“I don’t want to applaud [the fraudsters] — far from it. Our job is to stop them. But you almost have to give them kudos for actually moving to foil voice biometrics. That is pretty slick. Just not in a good way,” Barnhardt said.
It is because of such unusual details that this story is getting international attention. Incidents like this, unlike other types of fraud and breaches that must be reported, are often booked as treasury losses and may never be publicly disclosed. The lesson here, as with the other "canaries in the coal mine" dropping all over the world, is that an ounce of prevention is worth a ton of cure when it comes to fraud.
Once the fraud has started and the funds are in motion, it is probably too late.
“The question everyone should be asking themselves is who is building proactive security solutions instead of relying on reactive ones, so that the fraud stops before it starts,” he said.
An Under-Reported Problem
Fraudsters, as the recent headlines have indicated, can be clever. While most don't go to the lengths the Nikkei fraudsters did, business email compromise (BEC) phishing scams make up a lot of what GIACT talks about with its clients. They are a top-of-mind fear because they are so prevalent, and so damaging when they succeed.
The bigger the enterprise, he noted, the harder to defend.
A small company that works with, say, 10 to 15 suppliers knows everyone to whom it sends funds well enough to send them a Christmas card every year. When a company works with 10,000 suppliers, Barnhardt told Webster, that kind of person-to-person familiarity isn't possible. That is what creates an opening for impersonation fraud: the buyer isn't familiar enough with the supplier's individual details to spot irregularities.
Moreover, if one wants to steal a lot of money, large enterprise-level transactions are the way to go, because a high-value wire transfer won't stand out as unusual by itself.
“There are certain companies where it would not be uncommon to see $100 million in wires between two entities,” Barnhardt explained. “What people often don’t understand about the wire is that a lot of money moves through there. A $29 million transaction is large, but it is also a very normal transaction for a lot of very large companies.”
A space where many high-value transactions happen between parties with a limited ability to authenticate each other is, unsurprisingly, a popular target for fraudsters. While that can be daunting, it's not impossible to stop before the damage is done. In fact, he noted, GIACT has three steps that it advises every client to take, no matter what they do or how many transactions they make.
First, validate the email that made the request. Second, validate the payment account the request names. Third, verify directly with the requester, in person if at all possible, that they are actually making this request.
The first step, he noted, can happen in the background with technology. Did the email come from the right server, i.e. one associated with the company the sender claims to work for, or from some random server on the other side of the world? Does the contact information given match the contact information on file for the firm from which they claim to be writing?
The same idea applies to the second step: does the payment account match one the firm has paid before? Is the account long-established or relatively new? GIACT and similar security firms gather a lot of data in the background, meant to determine whether the email and the account look right once one digs past the surface-level information in the sender line. When that data doesn't line up, the odds increase dramatically that the transfer request is not legitimate.
The third step is the simplest, with one caveat: the call has to go to a number already on file, not to a number supplied in the request itself, or the fraudster simply answers the phone.
“I almost hate to say this in the digital age, but pick up the phone,” he said. “If you have a number for someone, especially if they are within your own organization. The fraudster is often counting on the fact that, in [a] business context, if it just look[s] right, people won’t take that extra step and double-check that the request makes sense.”
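The three steps above, as an added example that is not GIACT's product or code: a small triage routine that checks the sending domain and authentication results of a payment-instruction email, checks the requested account against a supplier master record, and, if anything is off, holds the wire and returns the callback number on file rather than any number offered in the message. The supplier record, domains, account numbers and the two inbound messages are all constructed for the example.

```python
"""Triage a supplier payment-instruction email before a wire is released.

Added example, not GIACT's code. Applies the three checks from the text to
constructed messages and a hypothetical supplier record; every domain,
phone number and account number below is made up.
"""
import email
import re
from datetime import date
from email import policy
from email.utils import parseaddr

# Hypothetical supplier master record: accounts previously paid, with the date
# each was first paid, plus the phone number on file (never from an email).
SUPPLIER_MASTER = {
    "acme-supply.example": {
        "accounts": {"021000021:123456789": date(2016, 3, 1)},
        "phone_on_file": "+1-555-0100",
    },
}
NEW_ACCOUNT_DAYS = 90  # accounts younger than this are treated as unverified
AS_OF = date(2019, 10, 1)  # "today" for the example

ACCOUNT_RE = re.compile(r"Routing:\s*(\d{9})\s+Account:\s*(\d+)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def _domain(header_value) -> str:
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def check_email(msg, supplier_domain: str) -> list:
    """Step one: does the message really come from the supplier's infrastructure?"""
    findings = []
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To")) or from_dom
    if from_dom != supplier_domain:
        findings.append(f"email: From domain {from_dom!r} is not {supplier_domain!r}")
    if reply_dom != from_dom:
        findings.append(f"email: Reply-To domain {reply_dom!r} differs from From domain")
    # Authentication-Results is stamped by our own MX. spf=pass only covers the
    # envelope sender, which the attacker controls; DMARC alignment with the
    # visible From domain is the result that actually matters.
    results = dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))
    for method in ("spf", "dkim", "dmarc"):
        if results.get(method) != "pass":
            findings.append(f"email: {method}={results.get(method, 'missing')}")
    return findings


def check_account(msg, supplier_domain: str, as_of: date) -> list:
    """Step two: is the requested account one we have paid this supplier before?"""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    m = ACCOUNT_RE.search(body)
    if not m:
        return ["account: no routing/account pair found in request"]
    key = f"{m.group(1)}:{m.group(2)}"
    known = SUPPLIER_MASTER[supplier_domain]["accounts"]
    if key not in known:
        return [f"account: {key} has never been paid to this supplier"]
    if (as_of - known[key]).days < NEW_ACCOUNT_DAYS:
        return [f"account: {key} first paid less than {NEW_ACCOUNT_DAYS} days ago"]
    return []


def triage(raw: bytes, supplier_domain: str, as_of: date) -> dict:
    """Run both checks; any finding forces step three, a callback to the number on file."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = check_email(msg, supplier_domain) + check_account(msg, supplier_domain, as_of)
    return {
        "hold": bool(findings),
        "findings": findings,
        # Step three always uses the number on file, never one offered in the email.
        "callback": SUPPLIER_MASTER[supplier_domain]["phone_on_file"],
    }


# Constructed fraudulent request: From is spoofed to the real domain, replies are
# steered to the attacker's domain, and DMARC fails on the From domain.
FRAUD_REQUEST = b"""\
From: "Dana Lee, Acme Supply AP" <dana.lee@acme-supply.example>
Reply-To: dana.lee@acme-supply-billing.example
To: ap@buyer.example
Subject: Updated remittance details
Authentication-Results: mx.buyer.example; spf=pass smtp.mailfrom=acme-supply-billing.example; dkim=none; dmarc=fail header.from=acme-supply.example

Please route this month's $29,000,000 wire to our new account.
Routing: 021000021  Account: 987654321
Call me on +1-555-0199 with any questions.
"""

# Constructed legitimate request: known domain, all checks pass, long-standing account.
GENUINE_REQUEST = b"""\
From: "Dana Lee, Acme Supply AP" <dana.lee@acme-supply.example>
To: ap@buyer.example
Subject: Invoice 4471
Authentication-Results: mx.buyer.example; spf=pass smtp.mailfrom=acme-supply.example; dkim=pass header.d=acme-supply.example; dmarc=pass header.from=acme-supply.example

Please settle invoice 4471 to the usual account.
Routing: 021000021  Account: 123456789
"""

if __name__ == "__main__":
    for raw in (FRAUD_REQUEST, GENUINE_REQUEST):
        print(triage(raw, "acme-supply.example", AS_OF))
```

The fraudulent message produces four findings (Reply-To mismatch, dkim=none, dmarc=fail, unknown account) and a hold; the genuine one produces none. A clean result only means the automated checks found nothing, so a wire of this size should still pass through the organization's normal dual approval rather than being released on this output alone.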
While most individual losses aren't as dramatic as what Nikkei lost in late September (more or less in a single shot), they are nothing to sneeze at either, Barnhardt told Webster. By his estimate, the type of wire fraud that tripped up Nikkei is a problem worth "hundreds of millions of dollars each year" that is going under-reported.
The U.K. has had instant (or immediate) payments in place for over a decade. Recently, the U.K. announced it is looking to slow that speed somewhat for certain types of transactions. The first time a consumer sends someone else an instant payment, that payment will be held for 24 hours, just in case there is a need to claw something back.
"What that tells me," Barnhardt said, "is that there is a big challenge, and should be our canary in the coal mine in the U.S. about just how tricky things can get when payments become instant and irrevocable. Sounds great when the right person gets the funds, not so good when the wrong one does."
If we learn nothing else from this week, it is that fraudsters don't sleep on innovation. They have combined voice impersonation and email phishing to pull off a $29 million fraud at a rather sophisticated global enterprise.
“If I were a voice biometrics security firm today, I’d be sitting up, taking notice and then figuring out how to get ahead of this, because the criminal want[s] to get ahead of them,” he said.
There aren't easy answers, but there are better tactics. GIACT's newest tool regularly updates the personally identifiable information (PII) on its clients' customers to reflect big, relevant changes to their profiles: they've moved, they've died, they've legally changed their name, and so on. That alone can flag what might otherwise go undetected, or be detected too late in the flow.
Fraudsters will keep thinking bigger. Beating them back, Barnhardt noted, will be about thinking ahead, and being at the vulnerable targets they favor before the attacks begin.