We have all experienced attempts to acquire our personal details through fraudulent emails and texts. I personally know of people who have been duped by messages that “PayPal is going to suspend your account if you don’t update your details” or a message supposedly from iTunes to re-enter your password.
When it comes to institutions, however, how does online fraud most often manifest itself? Throughout the last 18 months, online fraudsters have gotten smarter. Even if you have robust controls, you may find a partner or vendor has been compromised. They may, for example, click on an email that says, “Take this compliance questionnaire,” or “Read this article to help you manage your teams remotely throughout the pandemic.” These articles appear helpful and relevant to the teams that are clicking on them, but once their email has been compromised, the perpetrators are able to infiltrate their network.
Fraudsters targeting institutions are also good at framing a request as something that’s part of your regular day-to-day. You may, for example, send the same type of transaction every week, perhaps a transfer of $10 million. Once a criminal has infiltrated your firm’s email, they can make the fake email look very similar to the regular weekly instruction, tweaking one or two elements, such as the receiving account. Fraudsters may have copied all of the authorised signers on the email, but may have changed one character. As a result, it looks legitimate, following the client’s normal pattern of activity.
As a custodian, such attempts at fraud may cross our desk in different ways. A number of small and medium-sized custody clients still transact primarily through email rather than using straight-through processing (STP) involving SWIFT and other protected network connections. Sophisticated fraud attempts may communicate some urgency attached to a transaction, such as the need to meet a market deadline. These details could make an instruction seem that much more legitimate to an employee at the asset management firm, or to an external partner.
In a recent example, an authorised person at our client sent an instruction to transfer several million dollars. Following procedures, a phone call was made to validate the transaction and it was again approved by an authorised individual at the client. However, it turned out the email compromise had occurred one step earlier in the trail and even the client didn’t realise it was a fraudulent instruction. While additional verification processes moved forward with the custody team, the client discovered they had in fact been compromised and alerted us to the fraud attempt in time to reverse the transaction.
Although these attempts at fraud cannot be eliminated, they can be combatted. Using the SWIFT network and other forms of straight-through processing is in itself much more secure. It’s very difficult to hack a multi-factor authentication process. Most custodian banks offer secure online portals for an additional layer of protection. Criminals may have gotten access to your email address and password, but can be blocked from accessing the portal without your token, security questions or a log-on from your IP address. All of these layers help to prevent fraud attempts.
Generally, within banking, one can establish repetitive instructions or repeat codes. There are controls around setting up those repetitive instructions. If your team were to instruct outside of those repetitive codes, that request should require additional authentication, such as a confirmatory phone call. Then, of course, there is backend software that monitors the transaction even after the custodian’s checks and may itself raise red flags.
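The check described above, together with the earlier point about a fake instruction that changes the receiving account or a single character, can be sketched as an added example (not code from the author or any bank). The repeat code, account numbers and addresses are constructed, and it assumes the changed character sits in a copied signer's email address.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Instruction:
    sender: str
    cc: tuple
    beneficiary_account: str
    amount: int

# Constructed sample data: authorised signers and one approved repetitive instruction.
AUTHORISED_SIGNERS = {"a.jones@client.example", "m.patel@client.example"}
REPEAT_CODES = {"WEEKLY-01": {"beneficiary_account": "GB00TEST00000000000001",
                              "amount": 10_000_000}}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss copies of a signer's address."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review(instr, repeat_code):
    """Return the reasons an instruction needs a confirmatory call (empty = no deviation)."""
    reasons = []
    template = REPEAT_CODES.get(repeat_code)
    if template is None:
        reasons.append("no repetitive instruction on file")
    else:
        for field, expected in template.items():
            if getattr(instr, field) != expected:
                reasons.append(f"{field} differs from repetitive instruction")
    for addr in (instr.sender, *instr.cc):
        addr = addr.strip().lower()
        if addr in AUTHORISED_SIGNERS:
            continue
        near = [s for s in sorted(AUTHORISED_SIGNERS) if edit_distance(addr, s) <= 2]
        reasons.append(f"{addr} resembles authorised signer {near[0]}" if near
                       else f"{addr} is not an authorised signer")
    return reasons

# Constructed instructions: the regular weekly transfer and a tampered copy of it.
LEGIT = Instruction("a.jones@client.example", ("m.patel@client.example",), "GB00TEST00000000000001", 10_000_000)
SPOOFED = Instruction("a.jones@client.example", ("m.pate1@client.example",), "GB00TEST00000000000999", 10_000_000)
```

An empty result only means the instruction matches the repetitive instruction on file; it does not replace the backend monitoring mentioned above.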
The key point to bear in mind is that once a transaction has been executed, it cannot be easily unwound and remediation cannot be guaranteed. Funds from a fraudulent transaction will tend not to sit in the receiving account for long. A criminal’s goal is to move cash into the receiving account, and quickly move it out. Time is not on your side. The FBI may get involved for transactions of a significant size, but as a general rule when it comes to fraudulent transactions, prevention is more effective than remediation.