The Dual-Factor Human Process That Blocks Wire Fraud

Imagine if, today, your business’ billing department received a message from one of your primary vendors. Its branding is flawless and the one is both professional and polished. It states that your vendor has changed banks, and they are requesting that your upcoming invoice should be wired to a new routing number. Would your accountant know better than to accept this email at face value, or would they be suspicious of this type of message?

The unfortunate reality of the situation is that many accountants wouldn’t think twice before wiring the money. Business email compromise attacks like the one described here are convincing enough to trick just about anyone, and you need measures in place to prevent them. That goes for both your security infrastructure and your human infrastructure.

What Does BEC Look Like?

Most business email compromise attacks aren’t random mass emails. They are targeted, calculated efforts that unfold in three distinct stages.

First, the hacker compromises a vendor’s email security in the weeks leading up to the attack. They then use an automated script to set up forwarding rules to monitor ongoing billing conversations. They wait for the exact moment an invoice is generated, then strike. The hacker will set up a domain that looks near-identical to the vendor’s real domain, perhaps changing one or two letters or characters that might be missed easily by the human eye.

Once they’ve copied the real invoice and edited the banking details, they send it from the spoofed account. This email will include a subtle sense of urgency, a small nudge to get the employee receiving the message to take action without thinking too hard about it. The rest is history. It’s not a particularly advanced attack, but it’s dangerous all the same.

How to Protect Against BEC with Dual-Factor Human Processes

While technology will be your first line of defense, you need to rely on your human resources to help against attacks that exploit human nature. Businesses should have a dual-factor approval process in place for financial transactions over a certain threshold (e.g., $5,000).

Whenever a vendor requests a change to banking details, routing numbers, or payment methods, the change cannot be approved by email. That’s asking for trouble. Instead, you’ll want your accounting team to pick up the phone and call a known, trusted number for that vendor (not the number listed in the suspicious email). This should give you a verbal confirmation of the change.

Additionally, you should have systems in place that keep singular employees from executing any major transaction from end to end. For example, employee A might set up a payment transfer in the banking portal, then employee B (or their manager or executive) logs in on a separate device to authorize and release the funds.

Furthermore, modern banking portals allow you to set up instant SMS or push notification alerts for any outward wire. If an executive receives a text about a $45,000 transfer they didn’t personally authorize two minutes prior, they can call the bank’s fraud department immediately to freeze the funds before they leave the institution.

Stop Wire Fraud in Its Tracks

Wire fraud is rarely a technical failure; it is almost always a procedural failure.

Generally speaking, you can count on hackers to take the easy approach whenever possible. It’s much more convenient for a hacker to ask for your money disguised as a trusted vendor instead of breaking through your firewall. With rules in place and a rigid, non-negotiable process for moving money, you can make your business an impossible target.

Find out how to build these processes today by working with Datalyst. Learn more by calling us at (774) 213-9701.