Fraudsters Today Part Two: 5 More Fraud Types to Watch Out For
Today's fraudsters are exceptionally thorough and can use the information they gain to trick companies of all types and sizes. The second part of this series focuses on five additional not-so-common but equally harmful fraud types that are also affecting our clients today.
1. CEO Fraud
It was near the end of the day when the CEO’s assistant received an urgent request from the CEO to process a wire transfer to close a deal he had been working on for months. The email appeared to be legitimate and written in the same manner as other communications between the two. Considering it was the end of the day and the request was urgent, the assistant worked diligently to process the wire transfer.
The next day the assistant congratulated the CEO on closing the deal and confirmed she had processed the payment. At that moment, the CEO realized his email account was compromised.
The fraudster had been closely studying the CEO’s email communications and was aware of a deal the CEO had been working on for some time, which allowed the fraudster to imitate the CEO’s communication style.
Prevention Tips
- Develop a manageable approval process: Create one that ensures all approvals are met before wire transfers are initiated.
- Require verbal approvals: For large wire transfers, request verbal approval or confirmation.
- Establish documentation requirements: Require proper documentation and approvals for all wire transfers.
- Verify purchase orders: Ensure all wire transfers are associated with an actual purchase order in your accounting system.
Prevention Tools
- Antimalware and anti-spam programs: These programs can help stop certain emails at the email gateway.
- Email security technology: Scan and filter emails in real time to block users from opening suspicious attachments or clicking on links that may be malicious.
- Anti-impersonation software: Identify potential CEO fraud attacks by scanning the header and content of email for the signs of malware-less social engineering techniques often used in these attacks.
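As an added illustration (not code from the article or from any product it mentions), the sketch below shows the kind of header and content checks anti-impersonation filtering performs. The executive name, company domain, pressure phrases and sample messages are all constructed assumptions. Note the second sample: a message sent from a genuinely compromised mailbox, as in the story above, passes every header check, which is why the approval-process tips still matter.

```python
import email
from email.utils import parseaddr

# Assumed for illustration: the protected names, company domain and phrases.
EXECUTIVES = {"jordan avery"}
COMPANY_DOMAIN = "example.com"
PRESSURE_TERMS = ("urgent", "wire transfer", "today", "confidential")

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def impersonation_signals(raw_message):
    """Return the impersonation signals found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    signals = []
    # An executive's display name on an address outside the company domain.
    if name.strip().lower() in EXECUTIVES and domain_of(sender) != COMPANY_DOMAIN:
        signals.append("executive-name-external-sender")
    # Replies routed to a different domain than the visible sender.
    if reply_to and domain_of(reply_to) != domain_of(sender):
        signals.append("reply-to-domain-mismatch")
    # Payment-pressure wording in the subject or (non-multipart) body.
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if sum(term in text for term in PRESSURE_TERMS) >= 2:
        signals.append("payment-pressure-language")
    return signals

# Constructed sample messages (not real mail).
SPOOFED = (
    "From: Jordan Avery <jordan.avery@examp1e-mail.test>\n"
    "Reply-To: payments@freemail.test\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please process the wire transfer today to close the deal.\n"
)
COMPROMISED = (
    "From: Jordan Avery <jordan.avery@example.com>\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please process the wire transfer today to close the deal.\n"
)
ROUTINE = (
    "From: Sam Lee <sam.lee@example.com>\n"
    "Subject: Team lunch\n"
    "\n"
    "See you at noon on Thursday.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("compromised", COMPROMISED),
                       ("routine", ROUTINE)):
        print(label, impersonation_signals(raw))
```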
2. Corporate Card Fraud
While browsing a travel site to find a good deal on a flight for a business trip, an employee clicked on an advertisement and landed on a website that offered deals too good to be true. Convinced he was saving the company money, the employee purchased a ticket using his corporate credit card and other personal information. Within days, the credit card company flagged abnormal activity on his account. His corporate card had been compromised on the fraudulent travel site.
Prevention Tips
- Don’t share: Never share card information unless you’ve verified the request is legitimate.
- Use chip-and-PIN cards when possible: The encrypted microchip is difficult to counterfeit and there are no signatures that can be forged.
- Monitor your credit card activity: Run reports that show detailed transaction information to monitor card spend.
Prevention Tools
- Use transaction monitoring software: This will help alert you about activity outside your regular norm.
3. Deepfake Audio Fraud
An employee received a phone call from her CEO, or so she thought. It appeared to be from his mobile number and it sounded just like him. The person asked her to urgently wire transfer funds for a business transaction he was working on. She followed the detailed instructions and prepared the transfer.
After the fraudster called again, from a number outside the country this time, the employee called the CEO directly and learned he was not the one who called requesting the wire transfer.
Prevention Tips
- Verify the request: Immediately call the executive back at their official number, or use face-to-face conferencing options where available.
- Ask a “testing” question: Challenge the caller with a question only the real executive would know the answer to.
- Use a “code” question and answer: Establish a secret code word or answer as part of your standard procedure for handling one-off payment requests.
Prevention Tools
- Multifactor authentication: Most attacks are combined with other social engineering techniques that can be prevented—or, at least, mitigated—with solid identity and access management (IAM) solutions.
- Artificial intelligence: Purchase AI systems that can automate deepfake detection to help tackle risks such as identity fraud.
4. Internal Fraud
An accounting manager had racked up significant debt. He then realized his team shared login details to process payments when colleagues were out of the office. He logged in as his colleague and requested that a check be issued to a fake supplier, then logged in as himself and approved it. When the fraud wasn’t discovered and he realized how easy it was to do, he did it again and again.
Prevention Tips
- Educate employees on risk and security awareness: This includes safeguarding passwords and other confidential info, never leaving a computer with information on the screen, how to report suspected fraud, etc.
- Complete background checks: Use rigorous pre-employment screening.
- Separate the duties of payment creation and approval: One person enters the payment details and another, or two, OKs the payment’s release.
Prevention Tools
- Ombudsmen: Allow employees to anonymously report any suspicious or unethical activity.
- Security Protocols: Create robust security protocols like security clearance for employees, protection of assets, internal and external audits, and computerized control systems.
- Hack your system: Hold a lunch-and-learn with your employees and have them discover the holes in your processes.
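The scenario above defeats a plain "creator must differ from approver" rule, because the two steps ran under two different accounts. The added example below (not from the article) reviews a payment's audit events and also holds payments where both accounts acted from the same workstation within a short window, or where the payee is not an approved supplier. The event fields, the 30-minute window, the vendor list and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    action: str        # "create" or "approve"
    user: str
    workstation: str   # assumed field: device the session came from
    at: datetime

def review_payment(events, payee, approved_vendors, window=timedelta(minutes=30)):
    """Return reasons to hold one payment; an empty list means release."""
    create = next((e for e in events if e.action == "create"), None)
    approvals = [e for e in events if e.action == "approve"]
    if create is None or not approvals:
        return ["missing-create-or-approval"]
    reasons = []
    for approval in approvals:
        if approval.user == create.user:
            # Classic separation-of-duties violation.
            reasons.append("creator-approved-own-payment")
        elif (approval.workstation == create.workstation
              and abs(approval.at - create.at) <= window):
            # Different accounts, same device, minutes apart: the pattern
            # left behind when one person uses a shared login.
            reasons.append("two-accounts-one-workstation")
    if payee not in approved_vendors:
        reasons.append("payee-not-in-vendor-master")
    return reasons

# Constructed sample data.
VENDORS = {"Harbour Office Supplies"}
T0 = datetime(2020, 7, 6, 17, 2)

def run_samples():
    shared_login = [
        Event("create", "bchan", "WS-ACCT-07", T0),
        Event("approve", "amiller", "WS-ACCT-07", T0 + timedelta(minutes=4)),
    ]
    normal = [
        Event("create", "bchan", "WS-ACCT-04", T0),
        Event("approve", "amiller", "WS-ACCT-07", T0 + timedelta(minutes=4)),
    ]
    self_approved = [
        Event("create", "amiller", "WS-ACCT-07", T0),
        Event("approve", "amiller", "WS-ACCT-07", T0 + timedelta(hours=2)),
    ]
    return {
        "shared_login": review_payment(shared_login, "Northgate Supply Ltd", VENDORS),
        "normal": review_payment(normal, "Harbour Office Supplies", VENDORS),
        "self_approved": review_payment(self_approved, "Harbour Office Supplies", VENDORS),
    }

if __name__ == "__main__":
    for name, reasons in run_samples().items():
        print(name, reasons or "release")
```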
5. Port-Out Fraud
A woman received a text message on her company phone purporting to be the mobile service provider, informing her that it had received a request to send her number to another carrier and asking her to contact them via a link. Without hesitation, she clicked on the link and was redirected to a website she did not recognize. She closed the site and deleted the text message without taking further action, but the damage was already done. The fraudster now possessed her work phone number and would proceed to steal and change all her passwords.
A few hours later, she noticed her phone had lost service. After calling the mobile service provider, she was told her account had been canceled and that if she wasn't the one who did it, then she had become a victim of port-out fraud (that is, unauthorized switching of mobile carriers).
Prevention Tips
- Security PIN: Add a security PIN to your account.
- Use two-factor authentication: If your cell phone carrier allows, sign up for dual-factor authentication (not always the same as an account PIN or passcode) upon logging into your account.
- Use obscure answers: If your carrier uses security questions for logging in, such as “What street did you grow up on,” try to use obscure answers fraudsters won’t be able to find out in a simple address directory search.
Prevention Tools
- Ask your wireless provider about port-out authorization: Every major wireless provider has some sort of additional security for accounts or for port-out authorization that customers can set up, such as a unique PIN or a verification question.
- Don't link your mobile number to online accounts: Once hackers steal your phone number, they can leverage it to reset the password on any online account that’s linked to the number. In many cases, this bypasses two-factor authentication.
8 Common Fraud Tips
- Educate yourself about common scams
- Monitor against insider threats
- Ensure employees are aware of security best practices
- Back up data off-site
- Restrict administrative rights
- Secure against business email compromise
- Install and update antivirus software
- Talk to your bank about the fraud mitigation services they offer
Banking products are subject to approval and are provided in Canada by Bank of Montreal, a CDIC Member.
BMO Commercial Bank is a trade name used in Canada by Bank of Montreal, a CDIC member.
Please note important disclosures for content produced by BMO Capital Markets. BMO Capital Markets Regulatory | BMOCMC Fixed Income Commentary Disclosure | BMOCMC FICC Macro Strategy Commentary Disclosure | Research Disclosure Statements
BMO Capital Markets is a trade name used by BMO Financial Group for the wholesale banking businesses of Bank of Montreal, BMO Bank N.A. (member FDIC), Bank of Montreal Europe p.l.c., and Bank of Montreal (China) Co. Ltd, the institutional broker dealer business of BMO Capital Markets Corp. (Member FINRA and SIPC) and the agency broker dealer business of Clearpool Execution Services, LLC (Member FINRA and SIPC) in the U.S. , and the institutional broker dealer businesses of BMO Nesbitt Burns Inc. (Member Canadian Investment Regulatory Organization and Member Canadian Investor Protection Fund) in Canada and Asia, Bank of Montreal Europe p.l.c. (authorised and regulated by the Central Bank of Ireland) in Europe and BMO Capital Markets Limited (authorised and regulated by the Financial Conduct Authority) in the UK and Australia and carbon credit origination, sustainability advisory services and environmental solutions provided by Bank of Montreal, BMO Radicle Inc., and Carbon Farmers Australia Pty Ltd. (ACN 136 799 221 AFSL 430135) in Australia. "Nesbitt Burns" is a registered trademark of BMO Nesbitt Burns Inc, used under license. "BMO Capital Markets" is a trademark of Bank of Montreal, used under license. "BMO (M-Bar roundel symbol)" is a registered trademark of Bank of Montreal, used under license.
® Registered trademark of Bank of Montreal in the United States, Canada and elsewhere.
™ Trademark of Bank of Montreal in the United States and Canada.
The material contained in articles posted on this website is intended as a general market commentary. The opinions, estimates and projections, if any, contained in these articles are those of the authors and may differ from those of other BMO Commercial Bank employees and affiliates. BMO Commercial Bank endeavors to ensure that the contents have been compiled or derived from sources that it believes to be reliable and which it believes contain information and opinions which are accurate and complete. However, the authors and BMO Commercial Bank take no responsibility for any errors or omissions and do not guarantee their accuracy or completeness. These articles are for informational purposes only.
Bank of Montreal and its affiliates do not provide tax, legal or accounting advice. This material has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. You should consult your own tax, legal and accounting advisors before engaging in any transaction.
Third party web sites may have privacy and security policies different from BMO. Links to other web sites do not imply the endorsement or approval of such web sites. Please review the privacy and security policies of web sites reached through links from BMO web sites.