
Stuck in the middle: How banks can manage client takeover attacks

Financial institution customer guidance for business takeover attack

September 11, 2019

Many financial institutions find themselves in a difficult position as a growing number of their customers become targets of business takeover attacks. In these scenarios, hackers gain access to company funds through a variety of manipulation scenarios, often tricking an internal employee into sending a wire transfer. The financial institution is often stuck in the middle; while it may not be responsible for any wrongdoing, customers typically turn to it for guidance and help recovering funds.

This situation is similar to a person who drives a car recklessly but blames the mechanic when something breaks. Some companies have ineffective controls around their bank accounts or make poor decisions when sharing banking information. Regardless of the bank’s lack of involvement in a fraudulent transaction, it will likely receive the first call when money goes missing.

Business takeover cases are simple on the surface, but can have complex details. For example, a portfolio company from a private equity company recently required additional funds and sent an email to the PE firm’s chief financial officer. A hacker took control of the portfolio company’s email, sent a follow-up email with the hacker’s bank account information and received a fraudulent wire transfer.

The CFO quickly recognized that something was wrong and called the bank. In this situation, the company and the hacker used the same bank, so the institution froze the funds. Unfortunately, the hacker was subsequently able to convince the institution to release the funds and wire the funds out of the country.

While financial institutions are not required to work with customers to encourage stronger protections against takeover threats or modify internal processes to identify fraud, making some small adjustments can make a big difference to help deter criminals.

Educate your customers

Many banks do not coach customers on how to discourage takeover threats or help them understand the importance of the tools at their disposal. For example, many institutions have two-factor authentication enabled for wire transfers, but many customers choose to disable it, creating unnecessary vulnerabilities. Any time a customer wants to turn off controls, the bank can step in to help them understand how social engineering works and why those controls exist. Coaching has value and can help a client avoid a painful experience.

In addition, banks should provide security information and offer training to their clients on a regular basis to help them understand threats and the role the bank plays. The bank needs to have more visibility into emerging risks and into the behavior and activity clients need to avoid. Furthermore, financial institutions can use these touchpoints to check on the status of their customers, improve business relationships and discuss any additional necessary services.

Adjust internal bank processes

Many banks utilize flexible core banking systems that can identify high-risk transactions. These platforms have extensive functionality built in, but banks often do not use all of it and therefore do not see some questionable transactions in real time. In many cases, controls can be established to flag suspicious activity.

For example, if a middle market company that traditionally only does domestic wire transfers sends funds to Romania, that transaction should stick out like a sore thumb. Perhaps a company almost exclusively sends wire transfers under $20,000 and then suddenly sends one for $60,000. While large banks may not be able to pick up the phone and validate that transaction, there is an opportunity for community banks to reach out personally and provide more comfort and value than their larger counterparts.
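As an added illustration (not code from the article or from any bank's platform), the two outlier checks just described, an unfamiliar destination country and an amount far outside the customer's normal range, run over a constructed wire history for one customer. The country codes, amounts and the three-standard-deviation threshold are assumptions.

```python
from statistics import mean, pstdev

# Constructed wire history for one middle market customer:
# (date, destination country code, amount in USD). Sample data, not real.
HISTORY = [
    ("2019-06-03", "US", 12500.00),
    ("2019-06-17", "US", 8400.00),
    ("2019-07-01", "US", 15200.00),
    ("2019-07-15", "US", 9900.00),
    ("2019-08-05", "US", 18750.00),
    ("2019-08-19", "US", 11300.00),
]


def baseline(history):
    """Summarise the customer's normal behaviour from past wires."""
    amounts = [amt for _, _, amt in history]
    return {
        "countries": {country for _, country, _ in history},
        "mean": mean(amounts),
        "stdev": pstdev(amounts),
        "max": max(amounts),
    }


def flag_wire(history, country, amount, z_limit=3.0):
    """Return the reasons a new wire should be held for a call to the client.

    An empty list means the wire looks like the customer's usual activity.
    z_limit (assumed 3.0) is how many standard deviations above the
    customer's mean amount is treated as an outlier.
    """
    b = baseline(history)
    reasons = []
    if country not in b["countries"]:
        reasons.append(f"destination {country} never used by this customer")
    if amount > b["max"]:
        reasons.append(f"amount {amount:,.2f} exceeds prior maximum {b['max']:,.2f}")
    if b["stdev"] > 0 and (amount - b["mean"]) / b["stdev"] > z_limit:
        reasons.append(f"amount is more than {z_limit:g} standard deviations above normal")
    return reasons


if __name__ == "__main__":
    # The two scenarios from the text: a first wire to Romania, and a
    # $60,000 wire from a customer that normally sends under $20,000.
    for country, amount in [("RO", 14000.00), ("US", 60000.00), ("US", 13000.00)]:
        hits = flag_wire(HISTORY, country, amount)
        print(country, f"{amount:,.2f}", "HOLD" if hits else "ok", hits)
```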

Obviously, detecting a fraudulent wire transfer from within the bank is not always this simple, but the institution is often the last point of resistance in these attacks. Individuals responsible for oversight should review suspicious activity reports and other notifications of wire transfer fraud regularly to identify criminal activity.

Ultimately, banks may be able to better control fraud in three ways: confirming transfers with clients, being more conservative with internal fraud detection processes and watching for outlier transactions.

Most banks and many customers have taken steps to improve cybersecurity following high-profile attacks and increased regulatory scrutiny. However, any plan to reduce business takeover risks both inside the bank and when guiding customer activities must be flexible to adapt to new threats. Criminals are looking for the easiest way to collect money and their methods will constantly evolve to circumvent today’s detective controls and protective measures.

Educating clients about how to avoid and address risks and adjusting processes within your bank can improve the environment for both your bank and your clients. A stronger risk environment can increase customer satisfaction, reduce strain on busy internal employees tasked to track down lost funds and help you avoid having to guide your customers through the misfortune of criminal hacking.

RSM contributors