There is new information regarding a type of Wire Transfer Fraud that we want clients to be aware of and prepared to defend against.

In the SEC’s report from October 16, “…Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements” (here is a link to the report), the SEC describes a company defrauded through impersonated communications from the organization’s vendors.

According to the SEC, the fraud begins with the compromise of the vendors’ email accounts and then proceeds as follows:

After hacking the existing vendors’ email accounts, the perpetrators inserted illegitimate requests for payments (and payment processing details) into electronic communications for otherwise legitimate transaction requests. The perpetrators of these scams also corresponded with unwitting issuer personnel responsible for procuring goods from the vendors so that they could gain access to information about actual purchase orders and invoices. The perpetrators then requested that the issuer personnel initiate changes to the vendors’ banking information, and attached doctored invoices reflecting the new, fraudulent account information. The issuer personnel responsible for procurement relayed that information to accounting personnel responsible for maintaining vendor data. As a result, the issuers made payments on outstanding invoices to foreign accounts controlled by the impersonator rather than the accounts of the real vendors.

Unlike the Business Email Compromise scam, the faked vendor emails carried fewer indicators of compromise, since they were sent from the vendors’ real, hacked mailboxes. Many of the victim organizations only learned they had been scammed when their vendors notified them of delinquent account status.

Based on this information, we recommend that our clients conduct a thorough review of their Accounts Payable process, specifically:

  • How vendor payment details are authenticated
  • How changes to vendor payment details are approved
  • When payments are reviewed and audited against a known-good master
  • Reviews of accounts payable systems for manipulation
  • Implementation of 3-point matching (purchase order, receiving record and invoice)
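To make the last three controls concrete, here is an added example (not code from the original post or from the SEC report) that reconciles live vendor bank details against a known-good master and applies a 3-point match before an invoice is released. All records are constructed sample data, and the field names (such as `verified_out_of_band`) are assumptions rather than any particular AP system’s schema.

```python
# Added example (not from the original post or the SEC report): a small
# audit of vendor master changes and a 3-point (PO / receipt / invoice)
# match. All records below are constructed sample data; the field names
# are assumptions, not any particular AP system's schema.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    bank_account: str           # account on file for this vendor
    verified_out_of_band: bool  # assumed flag: change confirmed by callback to a known number


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor_id: str
    amount_cents: int


@dataclass(frozen=True)
class Receipt:
    po_number: str
    amount_cents: int           # value of goods/services actually received


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor_id: str
    po_number: str
    amount_cents: int
    bank_account: str           # "remit to" account printed on the invoice


def audit_vendor_master(known_good: Dict[str, VendorRecord],
                        current: Dict[str, VendorRecord]) -> List[Tuple[str, str]]:
    """Compare live vendor data against the known-good master and report
    bank-detail changes that were never confirmed out of band."""
    findings = []
    for vendor_id, live in current.items():
        good = known_good.get(vendor_id)
        if good is None:
            findings.append((vendor_id, "vendor not present in known-good master"))
        elif live.bank_account != good.bank_account and not live.verified_out_of_band:
            findings.append((vendor_id, "bank account changed without out-of-band verification"))
    return findings


def three_point_match(inv: Invoice,
                      orders: Dict[str, PurchaseOrder],
                      receipts: Dict[str, Receipt],
                      known_good: Dict[str, VendorRecord]) -> List[str]:
    """Return the reasons an invoice must be held; an empty list means it
    matches its purchase order, its receiving record and the vendor master."""
    reasons = []
    po = orders.get(inv.po_number)
    if po is None or po.vendor_id != inv.vendor_id:
        reasons.append("no purchase order for this vendor and PO number")
    elif po.amount_cents != inv.amount_cents:
        reasons.append("invoice amount differs from purchase order")
    receipt = receipts.get(inv.po_number)
    if receipt is None:
        reasons.append("no receiving record for this PO")
    elif receipt.amount_cents != inv.amount_cents:
        reasons.append("invoice amount differs from goods received")
    good = known_good.get(inv.vendor_id)
    if good is None or inv.bank_account != good.bank_account:
        reasons.append("remit-to account does not match vendor master")
    return reasons


# Constructed sample data. V100's account was changed in the live system
# with no callback on file; V200's change was confirmed out of band (and
# would be promoted into the known-good master by the approval step).
KNOWN_GOOD = {
    "V100": VendorRecord("V100", "ACCT-1111", True),
    "V200": VendorRecord("V200", "ACCT-2222", True),
}
LIVE = {
    "V100": VendorRecord("V100", "ACCT-9999", False),
    "V200": VendorRecord("V200", "ACCT-3333", True),
}
ORDERS = {"PO-1": PurchaseOrder("PO-1", "V100", 125_000),
          "PO-2": PurchaseOrder("PO-2", "V200", 40_000)}
RECEIPTS = {"PO-1": Receipt("PO-1", 125_000),
            "PO-2": Receipt("PO-2", 40_000)}
INVOICES = [
    # Genuine invoice: amounts and remit-to account all agree.
    Invoice("INV-A", "V200", "PO-2", 40_000, "ACCT-2222"),
    # Doctored invoice: same PO and amount, but redirected to a new account.
    Invoice("INV-B", "V100", "PO-1", 125_000, "ACCT-9999"),
    # Invoice for more than was ordered or received.
    Invoice("INV-C", "V200", "PO-2", 45_000, "ACCT-2222"),
]


def run_audit() -> Dict[str, object]:
    """Run both checks over the sample data and return the results."""
    return {
        "master_findings": audit_vendor_master(KNOWN_GOOD, LIVE),
        "holds": {inv.invoice_id: three_point_match(inv, ORDERS, RECEIPTS, KNOWN_GOOD)
                  for inv in INVOICES},
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(key, value)
```

The point of the sample data is the doctored invoice INV-B: its purchase order and receiving record match perfectly, so a two-way or amount-only check would release it, and only the comparison against the known-good vendor master catches the redirected account. The master audit flags the same vendor because its bank details changed with no out-of-band confirmation on file.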