Criminals Posing as CFOs to Commit Wire Fraud

They hack into companies' email, pretend to be senior executives and direct employees to make bogus financial transactions.
David McCannAugust 13, 2014
Criminals Posing as CFOs to Commit Wire Fraud

A new, fast-proliferating type of online fraud is posing yet another security threat to small and large companies alike. Bank of the West, which is taking a leadership role in publicizing the threat, calls it “masquerading.”

Online FraudIt’s a twist on a fraud attempt that became common in 2012, in which criminals hacked into companies’ email or financial systems for purposes of altering communications between corporate executives and financial institutions. Now the bad guys have upped the ante by issuing fraudulent communications within companies.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

In the scheme, a hacker poses as a senior executive, often the CFO, controller or CEO, and issues a communication directing a lower-level employee to urgently execute a financial transaction, like a confidential business investment or a payment to a vendor. Money is then wired or transmitted through the Automated Clearing House to a bogus account.

“We don’t think businesses are as aware of this as they should be,” says David Pollino, senior vice president and fraud prevention officer for Bank of the West, which has more than 700 branches. “It’s important for us to be on the front lines of this, to do everything we can to get the word out to our customers so they can take a look at their business processes.” Any money that does wind up in criminals’ hands enhances their ability to wreak continuing havoc, he notes.

The Internet Crime Complaint Center (IC3) has issued a series of increasingly urgent warnings regarding the fraud. Its most recent scam-alert bulletin, issued on June 27, reported a new wrinkle in which a finance executive receives an email via a company business account that’s purportedly from a vendor requesting a wire transfer to a designated bank account. The emails are spoofed by adding, removing or subtly changing characters in the e-mail address that make it difficult to distinguish the perpetrator’s email address from the legitimate address.

“The scheme is usually not detected until the company’s internal fraud detections alert victims to the request or company executives talk to each other to verify the transfer was made,” the IC3 bulletin says. The average loss per victim is $55,000, but in some cases losses have exceeded $800,000, according to IC3.

In some cases wire transfers can be recalled in time, but in most cases it is “a significant challenge” to get the money back, says Pollino. He adds that he’s not aware of many arrests of these schemes’ perpetrators having been made.

Last year, he says, instances of masquerading were most often targeted strikes at particular companies. Now they more resemble the ubiquitous email missives purportedly from poor individuals in third-world companies, in the sense that large numbers of companies are being attacked simultaneously.

In some cases, masqueraders actually try to commit their fraud not via email messages but over the phone. But wouldn’t people be likely to recognize that the voice on the phone is not that of the CEO or CFO?

“Not everybody has the mechanism or the confidence to challenge that senior executive,” says Pollino, “especially if a caller is pretending to be that person’s administrative assistant patching him in. And you might want to impress your boss’s boss’s boss that you’re doing things in a timely manner and following instructions. Sometimes that means circumventing good business process.”

Bank of the West offers the following tips for spotting and thwarting masqueraders:

1. Confirm that the request to initiate the wire is from an authorized source within the company.

2. Double- and triple-check email addresses. A common masquerading trick is to modify an email address slightly so an employee doesn’t notice that the message is from a fraudulent domain. By replacing the “w” in Bank of the West’s name with a double “v,” for example, a masquerader could send emails from

3. Establish a multi-person approval process for transactions above a certain dollar threshold.

4. Slow down. Speed is the fraudster’s ally and your enemy. Fraudsters gain an advantage by pressuring employees to take action quickly without confirmation of all the facts. Be on high alert for possible fraud anytime wire-transfer instructions include tight deadlines.

5. Be suspicious of confidentiality. Whenever wire-transfer instructions specify to keep the transaction secret, you should verify the legitimacy of the source of the request. Speak to the executive or manager requesting the transaction by phone or in person. If you still have doubts, speak to another senior executive.

6. Many companies require a valid purchase-order number and approval from a manager and the finance department to spend money. Similarly, your business can require that all wire transfers over a certain dollar threshold be matched to a reference number to ensure they are linked to a previously approved purchase or service.

Image: Berishafjolla, Wikimedia Commons, CC BY-SA 3.0