With increasing frequency, community banks and other organizations are being targeted by fraudsters who attempt to deceive personnel into wiring funds to an account controlled by the fraudster. While depository institutions have for some time had the benefit of wire transfer fraud coverage available on their fidelity bond, more recent exploits have taken on a complexion that can cause losses that are not covered by this coverage on the bond. Since traditional wire transfer fraud coverage only covers theft that involves a fraudster posing as a customer with a deposit account with the bank, losses perpetrated by those posing as an officer or employee of the bank, or as a vendor, are not generally covered by this extension.
Referred to as "social engineering fraud" or "phishing scams," the typical ruse goes something like this: a criminal will gather information from public sources to create a very legitimate-looking email or fax and send it under the name of a corporate manager requesting that funds be wired for some business purpose. Often, the criminals have come by information that the person they are posing as is out of town and not easily reached to verify the legitimacy of the request. They will also usually indicate a high level of urgency and confidentiality of the nature of the wire and instruct the individual receiving the communication to carry out the transfer immediately and without discussing it with any other party. Only after the wire is completed is it discovered that the request was fraudulent. It is often too late to try to reverse the transfer as the funds are always withdrawn from the receiving account as soon as they are available.
In recent months, most carriers who offer crime and fidelity bonds have begun offering endorsements to their forms that provide some coverage for these types of fraud. Insureds should make sure they fully understand the extent of this coverage and what coverage triggers apply as each offering is somewhat different from the next. Even with this type of extension included in the bond, nothing replaces solid risk management to help identify these exploits and prevent them from occurring in the first place. Below are some steps to take that might help to catch these attempts from resulting in a loss:
- Nothing is more preventative than awareness on the part of your staff. Employees who are authorized to receive and respond to wire transfer requests should be made aware that this type of scam is becoming ever more prevalent. They should be instructed to be diligent in their efforts to confirm legitimate requests, no matter the apparent source of the request. They should be suspicious of any wire request that appears to be out of the ordinary, was unplanned, and is overly cryptic. Wire requests received by any employee who does not normally receive these requests should be viewed with suspicion.
- All expected transactions should be discussed prior to them being carried out with clear details on timing, amounts, parties to the transaction etc. These details should be discussed in person whenever possible. Unexpected, last-minute changes should be viewed with suspicion.
- Emails and other communications originating from unknown sources should be cause for concern, no matter how legitimate they may appear. When wire requests are received via email, the receiver should look at the email address that it is coming from closely and confirm that it is exactly as it appears from a known and trusted address.
- Requests that are conveyed with an undue sense of urgency and request for immediate action should be handled with the utmost care. There should always be a means provided to verify wire requests, regardless of who they appear to be coming from.
- Call back or other verification procedures for all transactions should be employed, especially when those transaction requests are unexpected and involve sources or destinations that are not familiar to the person being asked to act.
While it is imperative that community banks avail themselves of recent enhancements to their bond coverage that may cover social engineering fraud losses and understand exactly how it works, preventing losses of this nature is more important than what coverage may be available. Increasing the awareness of the regularity with which these types of scams are being perpetrated and those steps that can be taken to identify and verify them is the first line of defense for any organization.
Otteson is MBIS vice president of sales. He can be reached at 608-217-5219 or via email.
MBIS is owned and operated by the Wisconsin and Minnesota Bankers Associations and endorsed by the North Dakota Bankers Association. As an insurance agency run by those defending and advocating for banking, you can rest assured MBIS will always have your best interests in mind. As an independent agency, MBIS has access to a variety of insurance providers to help them tailor plans to meet the specific needs of banks.