In today’s digital world, convenience is a priority for consumers and businesses alike. Although technology and digitization have made it easier and more efficient for businesses to communicate and conduct transactions with their consumers, they have also attracted the attention of cybercriminals, fraudsters, and hackers across all industries.
Since the invention of the internet, businesses and consumers have found new ways of communicating. Today, email is the preferred and primary method of communication for nearly everyone. Although email is quick and efficient and gives the parties involved a record to refer back to, it comes with disadvantages and risks. Unlike face-to-face communication, the receiver cannot know for sure whether the person on the other side of the screen is who they claim to be, which creates the risk of cyberattacks such as impersonation fraud and business email compromise (BEC).
The impact of cyberattacks on financial firms
Cyberattacks have been an issue across all industries. Still, the impact of business email compromise and impersonation has expanded since the pandemic, and it hits the financial services industry 300 times harder than any other sector. Cybercriminals are most inclined to target businesses that transfer large sums of capital, which places more risk on venture capital, private equity, and real estate firms.
Efforts to combat cybercrime date back to the late 1980s and the birth of the first commercial antivirus. But fraudsters have adapted to new technologies and have become more sophisticated in perpetrating cyberattacks. Although recent cybersecurity innovations introduced stronger passwords and two-factor authentication (2FA) systems, cybercriminals continue to find ways to intercept high-value transactions.
According to the FBI, businesses and individuals who performed transfer-of-funds requests reported $26 billion in global losses from impersonation fraud and business email compromise in 2019. The number of incidents continues to rise as cybercriminals continuously look for new ways to perpetrate fraud and take advantage of work-from-home and hybrid work policies that weaken a company’s cybersecurity strategy.
Email is the easiest, most convenient, and most efficient way for financial services firms to communicate with their clients and vice versa. However, this digital communication is also the least secure, as cybercriminals can intercept a high-value transaction within a few minutes. A financial transaction may take only minutes, but if funds are wired into the wrong hands, the long-term impact can be thousands of dollars lost and costly litigation. Furthermore, liability is often unclear in the event of a cyberattack, which makes the process of recovering the money even more complicated.
To fully understand the impact of cyberattacks, financial services firms need to understand the different types of BEC and the impersonation tactics cybercriminals use.
Types of BEC and impersonation tactics
Business email compromise and impersonation are the most common and successful types of cyberattack used by fraudsters today. BEC and impersonation often go hand in hand because of their strategic and targeted nature. Fraudsters study and analyze a financial firm’s executives, employees, and past activities to gain the insights needed for a successful attack. Rather than randomly selecting employees or sending random emails, fraudsters try to understand the financial firm’s organizational structure and activities in order to perpetrate wire fraud. The two most common and successful tactics are:
Email Impersonation – Email impersonation, also called email spoofing, is a phishing tactic in which fraudsters create an email with a forged sender address. Cybercriminals create email addresses that appear legitimate to trick the recipient into thinking the message came from a trusted source. This tactic is often successful, as 97 percent of users cannot recognize a phishing email.
Targeted Phishing – Targeted phishing, also known as spear phishing, is another form of impersonation attack. Fraudsters target a specific individual or entity and send a deceptive email to trick the person or business into thinking it is from a trusted source. For example, the cybercriminal can impersonate the CEO of a company, a supervisor, a lawyer, or a vendor and target lower-level employees who may be less experienced. According to the SANS Institute, 95 percent of all attacks on enterprise networks begin with successful spear phishing.
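Detection logic for the two impersonation patterns described above (an executive's display name on an outside address, a lookalike sender domain, and a Reply-To that diverts replies elsewhere), as an added example that is not part of the original article. The firm domain, executive names and message headers are constructed for illustration; in practice the same checks would run in a mail gateway or SIEM rule over real inbound headers.

```python
from email.utils import parseaddr

# Assumed firm details (constructed for this example).
FIRM_DOMAIN = "examplecapital.com"
EXECUTIVES = {"jane doe", "john smith"}  # display names fraudsters tend to imitate

# Constructed sample headers, one dict per inbound message.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@examplecapital.com>", "Reply-To": ""},
    {"From": "Jane Doe <jane.doe.ceo@gmail.example>", "Reply-To": ""},
    {"From": "John Smith <john.smith@examp1ecapital.com>", "Reply-To": ""},
    {"From": "Acme Law <billing@acmelaw.example>",
     "Reply-To": "Acme Law <billing@acme-law-payments.example>"},
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def impersonation_flags(msg: dict) -> list[str]:
    """Return the reasons a message looks like sender impersonation (empty = no finding)."""
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    flags = []
    # 1. An executive's display name on an address outside the firm's own domain.
    if name.strip().lower() in EXECUTIVES and from_dom != FIRM_DOMAIN:
        flags.append("executive display name on external address")
    # 2. A sender domain one or two characters away from the firm's (e.g. digit 1 for l).
    if from_dom != FIRM_DOMAIN and 0 < edit_distance(from_dom, FIRM_DOMAIN) <= 2:
        flags.append("lookalike domain")
    # 3. A Reply-To on a different domain than From, so replies go to the fraudster.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append("reply-to domain differs from sender domain")
    return flags

def triage(messages: list[dict]) -> list[tuple[str, list[str]]]:
    """Pair each From header with its findings so flagged mail can be routed for review."""
    return [(m.get("From", ""), impersonation_flags(m)) for m in messages]
```

Only the first sample message comes back clean; the others trip one or more of the checks and would be held for call-back verification rather than acted on.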
Wire fraud liability
Impersonation continues to leave devastating impacts on financial services. In the U.S. alone, cybercriminals have intercepted financial transactions and stolen billions of dollars from M&A, real estate, and law firms, and customers of financial institutions. For example, the real estate industry reported more than $22.1 million in losses from 12,000 victims of wire fraud in 2019.
Successful wire fraud leaves long-lasting and detrimental impacts on financial institutions and their clients alike. While many companies often resort to blaming their financial institution for allowing the fraud to happen, the financial firms are also at a loss when funds end up in the wrong person’s hands.
Unfortunately, liability is unclear once a wire fraud transaction occurs, since no one is truly at fault – except the hacker. Laws like section 4A of the Uniform Commercial Code exist so that financial institutions aren’t held entirely liable for phishing attacks and fraudulent transfers.
Although most large businesses invest in cyber liability insurance, there is little understanding of what is covered under a cyber insurance policy until a cyberattack occurs. While coverage often applies to losses from email compromise or social engineering, it is usually limited to policyholders and their staff. Losses are usually not covered if the policyholder’s team acts on fraud perpetrated against customers, investors, counterparties, advisors, and other outside email accounts. Businesses must be vigilant about reading the fine print of their cyber insurance policies to understand what is and isn’t covered.
Because liability is unclear, everyone involved in a transaction, including the client, the employee, and the company, must take measures to prevent wire fraud. Although companies spend significant time and resources on employee cybersecurity training, venture capital, private equity, and real estate firms can do more to identify a potential cyberattack and act quickly when one occurs.
MFA and biometrics
Fortunately, advances in technology have made it easier to prevent and even eliminate wire fraud. With multi-factor authentication (MFA), companies verify a user’s identity only after the user submits multiple pieces of evidence. For example, in addition to entering their password and verifying their user credentials, users may be asked to enter a code sent to their mobile device. MFA adds another layer of protection for companies beyond standard 2FA or password-only procedures.
Biometrics is another form of MFA: an individual’s identity is verified after the user provides unique biological characteristics, such as fingerprints, facial recognition, or voice. Biometrics offers the strongest form of protection against impersonation tactics and wire fraud since these characteristics cannot be stolen, replicated, or faked. Businesses can conduct transactions without having to worry about impersonation attacks and business email compromise.
Venture capital, private equity, and real estate firms can now integrate MFA and biometrics tools within their workflows to eliminate wire fraud. These tools provide an easy way for companies to access cybersecurity benefits without having to train their staff. Together, MFA and biometrics verification can eliminate the threat of wire fraud for financial services firms by requiring users to verify their identities with unique characteristics.
Given the growth of wire fraud and the grey area when it comes to liability, creating a system that guarantees protection has become incredibly important. Instituting best practices like call-back verification is a very important first step, but the level of risk is too great to be left to human error. The best way to prevent uncertainty about who is at fault is to prevent the risk from materializing altogether.