Fraudsters impersonating known, trustworthy friends, family, and colleagues is nothing new. Yet, in PCBB’s vast experience, this is the first case where the fraud is against the bank itself, not a bank’s customer. Just this spring, two of PCBB’s customers contacted our operations team with a similar story: an employee’s account had been hacked, resulting in two fraudulent email requests for large wire transfers that were then processed.To protect their privacy, we are simply referring to the institutions involved as “Bank A” and “Bank B.” Curiously, both incidents occurred on the same day and the amounts of the wire transfers were also very similar — $950K and $2.95MM for Bank A, $950K and $2.35MM for Bank B.We have spoken with an executive at Bank A as well as our own operations team about the incidents to gain insights about how each situation unfolded that can help our readers identify similar threats at their own institution and stop them before any harm is done.How a Compromised Employee Account Led to Fraudulent WiresWhen PCBB’s operations team first received two large wire requests from each Bank A and Bank B via PCBB’s Correspondent Bank Connection platform, PCBB made phone calls back to each bank. The CFI employees submitting the wires confirmed that the requests were made by them and ready for PCBB to process. Unbeknownst to the wire teams at Bank A and Bank B, the wire transfer requests that seemed to come from colleagues were actually being sent by fraud actors who had compromised their coworkers’ accounts.With each sending bank’s approval, the wires were set in motion. “The wires for over $2MM went to the same bank, and the wires for $950K both went to a second bank,” said Julie Wild-Farrell, PCBB’s SVP of Operations. “So, there were two different banks in Hong Kong involved in the four wire transactions.” Both wires for $950K were processed, but the receiving correspondent bank of the two larger transactions had suspicions. The correspondent sent PCBB a message through the Swift network asking for more information, as the beneficiary’s name and account number did not match what was on file at the receiving bank in Hong Kong. Once the receiving correspondent bank in Hong Kong set off alarm bells, PCBB contacted Bank A and Bank B about the Swift messages requesting them to verify the beneficiary info. Upon closer inspection, both Bank A and Bank B realized that the wires they processed on behalf of their colleagues were likely fraudulent. When Bank A and Bank B each alerted PCBB that the wires were indeed fraudulent, PCBB’s operations team got to work flagging the wires in the Swift system in an effort to stop the transactions from being processed. Ultimately, PCBB was able to recover each wire that was over $2MM. As of right now, Bank A and Bank B are still missing the funds of the $950K wire transfers.The Work Behind the ScenesIn Bank A’s case, when it was discovered that the wires were fraudulent, the fraud actor had already been using the two compromised email accounts for a week. One account that was compromised belonged to an employee with wire authority and had been used to send the two fraudulent wire requests within that time period. A second account without wire authority was used to send 500 phishing emails. As it turns out, the operations department at Bank A had been questioning the wires and emailing back the person who requested them to verify that the wires were approved to send. Unfortunately, the fraudulent actor had been prepared for this. They had set up rules in that employee’s email inbox to delete all incoming messages related to the wire requests. The fraud actor then went into the deleted emails and answered the operations team’s emails, posing as the bank employee to assure them that the requests were legitimate, ensuring that the wires would be sent out. The Importance of Having a PlanWhile no institution ever wants to have to pull the trigger on its fraud reaction plan, it’s an invaluable tool that your CFI needs to have. The executive at Bank A emphasized how helpful it was that their team had practiced the plan before. “I was grateful that between us and our executive team, we had a solid response plan, knew what to do, who to call,” they said. “Nobody wants to practice, but it is very important to practice this. You don’t want to be in the middle of this and not have this well-rehearsed.”As far as establishing company-wide plans of action, their advice was similar. “Train and train and train with your teams. When a cyberattack hits, that is not the time you want to be training. You want to hit the ground running.” Case in point: Upon learning that the wires were fraudulent, the executive we spoke with at Bank A began the complex process of notifying all the necessary parties to help resolve the fraudulent wires and prevent any further requests. Here are the steps they completed to help investigate the incident within that same day:
- Shut down wire department and put in callbacks on all internal wire requests to identify any other possible fraudulent wires
- Notify their correspondent, PCBB, that the wires were fraudulent
- Notify Chief Technology Officer to begin an investigation and scrub any compromised systems
- Notify Chief Risk Officer to file a suspicious activity report
- Begin filling out IC3 report with FBI, who then instructed them to fill out a police report in Hong Kong
- Notify insurance carrier
- Notify rest of executive team
Starting the following day, Bank A had a long series of daily meetings with their IT department. The company initiated an enterprise network password reset and got in touch with cyber counsel. Tips for Preventing Fraudulent WiresWhile the full details of how the fraud actors were able to access the employees’ accounts are still under investigation, here are some tips to help other CFIs avoid a similar situation.
- Verify with phone calls, no matter how well you know the sender. If a request for a wire transfer lands in your inbox and it’s for a large amount, an unusual amount for that recipient, or something else seems wrong, it’s time to pick up the phone and confirm with the sender. “You absolutely need to talk to the person who sent you the email. And if not that person, their boss,” advised Wild-Farrell. For a wire request from an external party, be sure to only reach out to the sender’s company through the information you have in your company’s contact system, not the number or email listed on the possible fraudulent email.
- Turn off web access to your CFI’s email. While it might be convenient to allow employees to access email through the internet, doing so can open your CFI to hacking threats. Bank A revealed that webmail may have been how the fraud actors were able to gain access to two employees’ accounts. “I would recommend everyone consider shutting down web access ASAP.”
- Don’t assume your institution is impenetrable. Many IT professionals will recommend steps like creating strong passwords that are regularly changed or setting up multi-factor authentication (MFA). While these are solid strategies and tools that can help protect your institution and make it harder for fraud actors to infiltrate your systems, they aren’t a guarantee. “Don't think that because you have MFA, you're safe. You're not,” the executive at Bank A warned. “They were able to replicate and bypass MFA. What we're finding out today is that Microsoft MFA is not impenetrable.” They also mentioned that fraud actors are using phishing kits to target and break through security in well-known programs and applications. Although Bank A had geofencing in place to prevent anyone outside of the US from gaining access, the fraud actor masked their IP to appear as if it was from within the US.
- Practice good email hygiene. The exec at Bank A provided more insight into the risks of having sensitive info in your email inbox. They suspect that keeping their wire procedures and forms in email is how the fraud actor was able to replicate every step of their internal wire process, from using their internal form to using the requestor’s signature. Bank A’s advice was not to use your email inbox as a repository for everything, adding that they’re now adding email hygiene to their training practices to ensure staff aren’t circulating info that could be helpful to hackers. Bank A recommended providing links to files instead of attaching copies.
- Prioritize protecting your customer. It’s not an easy choice to decide between providing efficient service and safeguarding your customers, but it’s sometimes a necessary one. “The hard part is balancing really awesome customer service and protecting our customer and ourselves,” explains Wild-Farrell. “We want to get that wire sent out as soon as possible, but I’d rather have a customer upset that we held something for an hour and a half while we waited for a phone call back. I would always err on the side of not hitting approve and send until I know for sure that the wire is good to go.”
- Forward suspicious emails, even from within your organization. If you receive an email from someone you know, including a vendor, customer, or coworker that looks unusual to you or has a secure attachment, do not click on the links or the attachment. Instead, forward the email to your IT team and have them review the email to confirm whether it’s safe.
- Have a special procedure for wires over a certain amount. Having checks and balances is important. Discuss with your executive team setting up verification processes for transactions of different thresholds, such as $10K, $100K, or $250K, and the extra steps you can take to confirm that the transactions are legitimate and that there are no mistakes made in the information entry before processing.
Some final advice from Bank A to fellow CFIs is that although there are natural qualms about questioning your colleagues’ requests, it’s a necessary step to keep your CFI safe. “We can't be complacent because we all know each other. It's not feasible. You have to make callbacks. You have to treat it like it's external.”
