Wire fraud is a federal offense under U.S. law and refers to fraud committed using electronic communications, such as a telephone or computer. Unfortunately for financial institutions, wire fraud is on the increase, and not just in the U.S.
Wire fraud has cost the global economy about five trillion dollars over the past ten years. Losses have risen by more than 50% in that same amount of time. Some forms of identity fraud contributing to this are:
- Automated Clearing House (ACH) fraud
- Business Email Compromise (BEC) fraud
- Synthetic Identity Theft (using a combo of real and fake data to create a new identity)
In 2019, the FBI reported 437,361 wire fraud complaints, with more than $3.5 billion in losses to individuals and businesses. They also claimed that only 15% of wire fraud incidents are reported.
Clearly, given that financial institutions of all types are an attractive target for cybercriminals (Equifax, for example), data breach prevention must be a primary objective.
The Gramm-Leach-Bliley Act outlines the requirements necessary for financial institutions (and higher education) to protect consumers’ financial information, limiting the situations where financial institutions are allowed to disclose consumers’ nonpublic personal information (NPI) to non-affiliated third parties. This is achieved primarily by the Privacy Rule, which applies to all businesses that are “significantly engaged” in “financial activities” as defined by Section 4(k) of the Bank Holding Company Act. A fun-filled 101-page read, it clarifies that applicable financial activities could include loan providers, financial services including accountancy, investment companies, debt collection, and of course wire transfer services.
As for the Privacy Rule, obligations differ according to the data handled. Different requirements are necessary for customers (those with an account in that institution) and consumers (those who might, for example, use an institution’s ATM to withdraw cash, without holding an account there). Former customers are classed as consumers.
Where Does The Blame Lie?
Data breaches aside, many instances of wire fraud are caused by customers who fail to spot the social engineering or phishing methods used by cybercriminals. They ultimately end up paying the price for it.
Liability for wire transfer fraud is a hot topic in the financial industry (should victims and banks share the loss?), but in the U.K., banks have a duty of care to refund victims if gross negligence was not involved. Other countries are introducing similar anti-fraud rules for banks. In my opinion, both parties have an obligation to exercise due diligence before transferring funds.
Therefore, the financial institution must perform activities including, but not limited to, the following as part of its commitment to prevent wire fraud:
1. Customer Education
Let’s face it. Not everyone is tech-savvy and many of your customers are unaware of the latest methods used by cybercriminals. Most financial institutions have a dedicated page on their website to inform their customers and recommend the best approach to fraud prevention. They will also include vital contact information for law enforcement etc. if they have identified a problem after funds are transferred. Emphasize the fact that cybercriminals have no scruples as this latest Irish scam proves, one that targets those who lost their jobs because of the Covid-19 pandemic.
2. Data Analysis and Investment
The modern banking industry has mostly progressed from simple rule-based transaction analysis and now employs transaction monitoring systems. These systems can identify duplicate transactions, use statistical analysis and classify transactions according to internal processes. Some have even embraced A.I. to identify unusual transactions that require additional verification from the customer. If necessary, invest in the anti-fraud solutions already available for the financial industry.
3. Procedures and Policies
It shouldn’t be needed, but it is still worth pointing out. The ideal wire transfer process needs to be documented and rigorously followed. Is it a good idea for the same person to review and process the same wire transfer? Why not have an editorial process, like in publishing, to verify that all aspects of the wire transfer are correct before processing? This is especially useful in protecting against payroll transfer and similar scams where funds are diverted to a new account.
4. Set Limits
By assigning limits to the number and value of wire transfer transactions in consultation with their customers or based on transaction history, financial institutions can better protect their customers. Anything outside those limits requires customer verification by phone, for example. SMS notifications are another useful way to inform customers that a wire transfer is in progress or has been made. Customers will not see this as an intrusion or inconvenience but will appreciate that you are protecting their funds.
5. In-house Training
Like any other business, employees of financial institutions must suffer through security awareness training to protect sensitive financial data. In addition, those responsible for wire transfers are coached to identify suspicious requests and pending transactions. Encourage these employees to trust their instincts. It’s better to waste a few minutes verifying the transaction with the customer than process it without checking further.
It’s no harm to audit wire transfers on a regular basis as doing so will identify areas for possible improvement. Perhaps the notification or confirmation process needs optimization? Feedback from employees and customers could help identify new trends or include suggestions to improve the service.
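The checks described above under Data Analysis, Procedures and Policies, and Set Limits can be combined into one pre-release screen. The following is an added example, not code from any institution or product: the `Wire` record, the reason names, the three-sigma value limit, the three-per-day count limit and the 24-hour duplicate window are all assumptions, and the sample transfers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass(frozen=True)
class Wire:  # hypothetical record layout, not any real banking schema
    beneficiary: str
    amount: float
    when: datetime
    entered_by: str
    approved_by: str

def review_reasons(wire, history, max_per_day=3, sigma=3.0,
                   dup_window=timedelta(hours=24)):
    """Reasons to hold a wire for customer verification; [] means release.
    `history` is the customer's earlier wires; thresholds are assumed values."""
    reasons = []
    amounts = [h.amount for h in history]
    if not amounts:
        reasons.append("no_history")
    elif wire.amount > mean(amounts) + sigma * pstdev(amounts):
        reasons.append("over_value_limit")      # value limit from history
    if sum(h.when.date() == wire.when.date() for h in history) + 1 > max_per_day:
        reasons.append("over_daily_count")      # limit on number of wires
    if any(h.beneficiary == wire.beneficiary and h.amount == wire.amount
           and abs(wire.when - h.when) <= dup_window for h in history):
        reasons.append("possible_duplicate")
    if history and wire.beneficiary not in {h.beneficiary for h in history}:
        reasons.append("new_beneficiary")       # payroll-diversion pattern
    if wire.entered_by == wire.approved_by:
        reasons.append("no_second_reviewer")    # same person entered and approved
    return reasons

# Constructed sample data: four weekly payroll wires for one customer.
HISTORY = [Wire("ACME-PAYROLL", amt, datetime(2024, 1, day, 10), "alice", "bob")
           for day, amt in [(5, 5000.0), (12, 5200.0), (19, 4800.0), (26, 5100.0)]]

def demo():
    routine = Wire("ACME-PAYROLL", 5050.0, datetime(2024, 2, 2, 10), "alice", "bob")
    diverted = Wire("NEW-ACCT", 5100.0, datetime(2024, 2, 2, 11), "alice", "alice")
    oversized = Wire("ACME-PAYROLL", 25000.0, datetime(2024, 2, 2, 12), "alice", "bob")
    repeat = Wire("ACME-PAYROLL", 5100.0, datetime(2024, 1, 26, 14), "alice", "bob")
    return {name: review_reasons(w, HISTORY) for name, w in
            [("routine", routine), ("diverted", diverted),
             ("oversized", oversized), ("repeat", repeat)]}

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, reasons or "release")
```

The diverted transfer is for an ordinary amount, so only the new-beneficiary and second-reviewer checks catch it, which is why value limits alone are not enough.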
Finally, with wire fraud being a common problem, customers depend on financial institutions to protect them. Given that most financial institutions are targeted by cybercriminals, protection against data breaches is a priority. However, educating customers on possible threats should take equal footing, reducing fraud risk for all involved. How do you inform customers of the latest scams? Do you feel it’s an essential part of operations or something that’s rarely updated or even considered?