Wire transfer fraud due to business email compromises (BEC) has spiked in recent months, according to the latest risk alert from CUNA Mutual Group. BEC typically targets executive-level employees of credit unions and uses their credentials to send urgent requests via email or text for wire transfers. Multiple credit unions have recently reported high-dollar losses to CUNA Mutual Group due to fraudulent wire transfers, according to the risk alert.
“Cybercriminals continue to go to great lengths to commit theft or fraud by manipulating credit union executives and employees using fake, spoofed, or doctored emails, calls, and even virtual meeting scams using deepfakes or digitally-altered recordings,” the risk alert states. “The recent surge of business email compromise (BEC) scams typically request urgent large wire transfers — often exceeding $1 million.”
- Messages create a sense of urgency focused on getting employees to think and act fast.
- Requests typically come from a high-level executive or authority.
- Requests often coincide with the supposed sender being out of the office, as the fraudster has accessed calendars.
- Requests suggest that it is important to keep transactions confidential.
- Communication is encouraged to be only through email — eliminating follow-up processes.
- Requests are made to change direct deposit information or for payments to be made to a different account.
- Fraudsters impersonate vendors or use compromised vendor accounts, posing as trusted suppliers and business partners, to advance their schemes.
Credit union risk mitigation tips
- Confirm the legitimacy of the request by verifying with the C-suite executive.
- Authenticate using a different communications channel (out-of-band authentication).
- Implement dual controls for handling internal wire transfer requests or payments.
- Add an “EXTERNAL” warning in the subject line for incoming emails originating outside of the credit union.
- Train staff to be able to identify these types of scams, warning signs and the procedures for handling internal wire transfer requests.
- Avoid using public email accounts when communicating with staff and watch for email domains that may vary such as: ABC1cu.com vs. ABClcu.com.
- Remain alert for urgent wire requests or last-minute changes to wire instructions.
- Establish formal procedures for handling internal wire transfer requests and confirm all requests involving vendors.
- Limit the number of employees granted authority to submit or approve wire transfers.
- Consider removing or not publishing employee information (names, titles, and email addresses) on the credit union’s website.
- Create a culture that allows employees to question the legitimacy of a request outside of policy.
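
The “EXTERNAL” subject tag and the look-alike domain tip above can be combined in a mail-filter check. The following is an added Python example, not part of CUNA Mutual Group's alert; it assumes abc1cu.com is the credit union's own domain, and the function names and the confusable-character table are illustrative.

```python
from email.utils import parseaddr

# Assumption for illustration: the credit union's real domain is abc1cu.com.
TRUSTED_DOMAINS = {"abc1cu.com"}

# Characters easily confused at a glance, folded to one representative.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})


def skeleton(domain: str) -> str:
    """Fold visually similar characters so look-alike domains compare equal."""
    folded = domain.lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def classify_sender(from_header: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From header."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "internal"
    # Different domain, same skeleton: e.g. ABClcu.com posing as ABC1cu.com.
    if any(skeleton(domain) == skeleton(t) for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "external"


def tag_subject(from_header: str, subject: str) -> str:
    """Prefix the subject of any message that did not come from a trusted domain."""
    verdict = classify_sender(from_header)
    if verdict == "internal":
        return subject
    if verdict == "lookalike":
        return "[EXTERNAL - LOOK-ALIKE DOMAIN] " + subject
    return "[EXTERNAL] " + subject


if __name__ == "__main__":
    # Constructed sample headers, not taken from real messages.
    samples = [
        ("CEO <ceo@abc1cu.com>", "Q4 board packet"),
        ("CEO <ceo@ABClcu.com>", "Urgent wire needed today"),
        ("Vendor AP <billing@example.org>", "Updated bank details"),
    ]
    for sender, subject in samples:
        print(tag_subject(sender, subject))
```

The check trusts the From address as given, so it belongs after the mail gateway's sender-authentication checks, not in place of them.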
CUNA Mutual Group’s risk alerts, along with additional risk-prevention resources, may be accessed in their Protection Resource Center. Log-in is required.
Credit union professionals can also learn more about scams at a webinar, “Risk Forum: Fraud & Scams,” at 2 p.m. on Dec. 6.