Posted February, 16 2017
This ACH Operations Bulletin also provides guidance for financial institutions on some steps that they and their Originators each can take to reduce their respective vulnerabilities to this type of fraud.
SOCIAL ENGINEERING FRAUD
Several recent news articles have highlighted successful social engineering fraud carried out against public-sector entities that have resulted in monetary losses. Each of these reported cases has a similar fact pattern. A public-sector agency or entity, such as a municipal government agency or a public university or college, receives an unsolicited request, purportedly from a valid contractor, to update the payment information for that contractor. The update could be new routing and account information for ACH or wire payments, or a request to change the payment method from check to ACH or wire payments along with routing and account information. In these cases, the update did not come from the contractors themselves but from fraudsters. As described in the articles, the public entities that used the “updated” information actually sent payments to the fraudsters, resulting in losses to the public entities.
Several of the articles further suggest that the funds are being moved out of the country (China is prominently referenced). As most public-sector entities will not have the ability to initiate International ACH Transactions, other means are presumably being employed. For example, after funds are deposited via an incoming ACH credit or wire transfer, they may be subsequently wired out of the country or otherwise withdrawn.
In a statement quoted in an article on January 20, 2017, the FBI characterized one of these cases as business email compromise, and that there is “absolutely no suspicion or indication that this fraud involved the manipulation or compromising of the Automated Clearing House banking transfer system.”
PUBLIC-SECTOR ENTITIES ARE BEING TARGETED
Although any business entity could be the target of this type of social engineering attack, public-sector entities seem to be specifically targeted because their contracting information is typically a matter of public record. Fraudsters use information from such public records to more convincingly impersonate legitimate contractors.
GUIDANCE FOR FINANCIAL INSTITUTIONS AND CUSTOMERS
Financial institutions should consider alerting their business customers to this type of social engineering attack, especially those in the public sector, as well as similar types of entities such private universities and colleges, non-profits, and other nongovernmental organizations (NGOs). Financial institutions and their customers should not consider these types of social engineering attacks solely as hacking, phishing or cybercrime. Parties should know that the vectors for these attacks are not necessarily through Internet-based methods; while some come by email, others come as phone calls, faxes or letters in the mail.
For those entities that make forms available online for contractors to submit ACH or payment information, verification of a change in payment information should not rely solely on contact information provided in such forms. Additionally, entities should consider making such forms available only via secure means, whether online or offline. Entities should take seriously any call they receive from their financial institution questioning the legitimacy of a payment.
Receiving financial institutions may want to review procedures for identifying money mules, as a similar fact pattern may occur with this social engineering fraud. The receipt of one or more large dollar ACH credits or wire transfers into a new account, followed shortly by a withdrawal or a wire transfer order, may be indicative of fraudulent activity, depending on the totality of the circumstances.
These steps are suggestions only; each financial institution, both those that receive and those that send payment instructions, as well as each Originator, should consider the risk management practices best tailored to its individual programs and circumstances.
RESOURCES ON CURRENT FRAUD THREATS AND BUSINESS EMAIL COMPROMISE
Current Fraud Threats Resource Center