Funds transfer fraud is a common cyber attack in which hackers redirect funds from a victim's account before or during a money transfer so that the fraudsters receive the payment instead of the intended recipient. The computer fraud scheme often involves an attacker impersonating an executive, vendor, or bank — and sending fake invoices or payment instructions.
If the sender doesn't verify the information or realize the scam, the criminals usually close their bank accounts within days, making the money difficult to recover. Fraudulent transfers are often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts impossible. Adding to these costs, the actual vendors who failed to receive payments or were instructed to send fraudulent funds on behalf of the organization will demand to be paid or reimbursed immediately.
Funds transfer fraud (FTF) is a common and relatively simple online crime that's becoming increasingly costly and even more sophisticated. Incidents and initial losses have skyrocketed by 78% since 2020 — averaging $388,000 — and the window to recover stolen funds typically lasts only 24 to 72 hours. Small businesses are being especially hard hit. Coalition claims data reports that organizations with less than $25 million in revenue experienced a 102% surge in initial FTF losses in the second half of 2021 with the number of incidents rising 54% since just the first half of 2021.
A relatively easy attack, funds transfer fraud, electronic funds transfer fraud (eft) or wire transfer fraud is often perpetuated through social engineering techniques like email spoofing, phishing or business email compromise (BEC). The FBI reported BEC as the highest-ranking cybercrime of 2021 in terms of losses ($2,395,953,296). In recent years,41% of BEC attacks experienced by Coalition policyholders evolved into an FTF incident resulting in the direct loss of funds.
Once attackers gain access to an organization's email system, they can lie there and wait and watch — usually for a pending transaction such as a legitimate email with a request for funds. In other cases, by installing malware or from information gained on the dark web, they can get ahold of a list of the organization's suppliers or other business partners. Once this information is known, a scammer can masquerade as an individual or entity known to the company and try a number of common tactics including:
• Fake invoicing involves sending routine payment requests while pretending to be an actual vendor. Scammers may even use a pirated logo and a realistic template — but change the bank account information to temporary account numbers that the fraudsters have set up themselves. Sometimes attackers will simply spoof email addresses from likely vendors and send a cold email to see if the victim will wire money or comply with a request.
• Account compromise is a BEC attack that uses a legitimate employee's stolen or guessed email credentials (or a near-name or spoofed email address) to request invoice, eft, or credit card payments from customers — but sent to the fraudster's own bank account.
• CEO impersonation is another type of fraud tactic, whereby the scammer spoofs or uses a near-name email supposedly from an executive of the organization to instruct the recipient to take an action like changing payment details or sending a wire transfer or a high-value gift card to an individual (the scammer). Newer schemes have evolved that exploit virtual meetings — in which the fraudster uses a fake still photo of the CEO or CFO and even "deep fake" audio to directly request an employee to initiate a wire transfer to the fraudster’s account.
• SMS digital payment alerts are a recent trend noticed by the FBI with the increasing popularity of virtual payment platforms. Small businesses who use such digital payment applications may be targeted by cybercriminals who gather phone numbers from data breaches and then send SMS (text) messages to trick employees into transferring funds under the guise of "reversing" unauthorized instant payments.
• Attorney impersonation targets an organization's junior employees, sending a fraudulent email or phone call in hopes they will comply with an urgent and confidential demand for a wire transfer from a lawyer and don't know how to validate the request.
• Data theft attacks may not request online banking debits or money transfers but instead target HR or Finance personnel and their computer systems in an attempt to steal sensitive information about an organization’s employees, partners, or customers — and later sell this information to other cyber criminals.
With more than one-third of corporate employees in America continuing work remotely in the wake of the ongoing COVID-19 pandemic, many scammers are taking advantage of the confusion and disruption in ordinary business operations, an increased reliance on third-party vendors, and many companies' hasty digital transformations.
Cyber insurance is a key factor in addressing and mitigating these new and ever-increasing cyber risks, and can really save your business time and money if it’s ever the target of a cyber attack. A key element of most cyber policies, Funds Transfer Fraud coverage will help organizations recover when fraudulent transactions are sent to a third party due to a network security failure.
Insurance coverage can vary depending on different underwriting factors. A critical aspect of addressing cyber risks, including the risks associated with email and what to do in an FTF case, is understanding the coverages under your cyber insurance policy.
Coalition’s most popular and comprehensive coverage bundles include Funds Transfer Fraud coverage that can help replace lost funds — while our Breach Response coverage pays for the costs to respond to a cybersecurity incident, including incident response, customer notification, legal feeds, and advice in connection with the incident.
Coalition’s FTF policy reimburses insureds for funds transfer losses incurred arising from a failure in security functionality or social engineering. However, that isn’t all our cyber insurance policy offers to remediate this type of attack. As part of Coalition's Active Response methodology, we will also pay the cost of legal representation and judgments. We even cover settlements when a third-party entity claims to have been induced to fraudulently transfer funds owed to a third-party due to a security failure on your network. (Sub-limit may apply. Please read the policy for all coverages, terms, exclusions, and conditions.)
Coalition will even jump in immediately to help recover the organization's lost funds — so victims don't have to face this stressful process during the brief (24 to 72 hour) window before criminals close their accounts or convert the funds to cryptocurrency. After receiving notification that a policyholder has experienced an FTF event, our claims team will file an IC3 report with the FBI (in the United States) and put an interbank agreement with the appropriate financial institutions to attempt to freeze and claw back the funds. In 2021, Coalition recovered 96% of the lost funds in cases where our claims and incident response teams managed to claw back funds.
Effective recovery efforts are based on several factors, including the location of the receiving bank and the length of time since the transfer. While we cannot guarantee the successful recovery of funds paid to an attacker, we have a record of success on this front. For example, our swift response resulted in recovering all but $500 of the $1.3M paid to an attacker by one Coalition policyholder even though the policy had a limit of $500K for FTF losses.
Coalition is the only cyber insurance provider with a dedicated in-house Claims and Incident Response (CIR) team. While recovering funds usually signals the end of the incident, Coalition's Active Insurance philosophy drives our team to investigate further. We believe it’s critical to address the underlying cause of the fraudulent transfer. In addition to restoring infected mailboxes, our team conducts forensic analyses and investigates vulnerabilities and the initial vector for the attack — to help determine if there are other existing compromises (such as malware) that may lead to a future FTF or ransomware incident.
Email is often the initial point of compromise for FTF attacks, and that can involve attackers lying in wait within company mailboxes, sometimes for months at a time. For example, when one Coalition policyholder in education fell victim to an FTF event,Coalition Incident Response team discovered 82 malicious logins to the Finance Director’s email account spread across four months. Fortunately, CIR was able to remove the attacker’s access and clean up the infected mailbox.
Coalition also helps policyholders prevent funds transfer fraud before it happens. Coalition offers a wealth of resources to help businesses implement good cybersecurity practices.For example, our annual Cybersecurity Guide outlines the basic tenets of a cybersecurity program — a critical factor in reducing an organization’s cyber risk.
FTF attacks are on the rise, but quick action can help mitigate the extent of losses. If an organization believes a recent transaction, email, or other communication looks suspicious, here are some helpful steps to take. Remember: it's only during the first 24 to 72 hours that a reaction to an FTF event has any hope of success.
Coalition policyholders who notice a wrong payment should immediately reach out to Coalition so our incident response team — available 24/7 — can launch into action right away. With the guidance of the Coalition Claims team, here are some helpful steps to take (policyholder or not):
• Immediately update credentials (including changing all usernames and passwords) for any email or bank account that may have been compromised.
• Immediately notify your bank of the fraudulent transfer of funds, and request a clawback of the funds.
• Contact anyone who may have been exposed to the fraud (such as customers, vendors, or other third parties). Instruct them to not comply with any unverified requests for financial information and advise them to change their email and bank account usernames and passwords too.
• If confirmed, report fraudulent activity to the FBI'sInternet Crime Complaint Center.
• File a report with your local law enforcement agency.
• Repeatedly inquire with your bank and the receiving bank on the status of the recovery.
FTF is a high-tech problem with a low-tech (and free) solution: vigilance. Especially when financial transactions or personal information is being requested over digital communications, employees should always verify by asking questions and confirming the validity before taking action.
Email addresses and phone numbers (and even invoices) are not enough to confirm a requestor's true identity. Employees should first scrutinize sender names and email addresses, and understand that even then, such contact information can be spoofed.
Coalition recommends implementing a “dual control” process that includes one or many of the following:
Calling the recipient of the wire transfer to verify the transaction details. (Note: Use a known-good phone number, not one in the email).
Verifying the transaction with another executive at the company either verbally or in writing (preferred).
Setting up internal controls within your financial institution. One administrator or user enters or creates a payment (ACH batch, wire transfer), and a second administrator or user is then required to review the payment and approve/release the transaction.
One potential indicator of Funds Transfer Fraud is an email that makes any reference to a Society for Worldwide Interbank Financial Telecommunication (SWIFT) wire transfer. For most organizations that only do business domestically, SWIFT payment network transfer requests should raise an eyebrow because they indicate an overseas destination for the funds.
Coalition also recommends all organizations turn on multi-factor authentication (MFA) — also known as two-factor authentication (2FA) — for corporate email accounts as many FTF events start with an attacker accessing your email service.
Funds Transfer Fraud is on the rise and has its sights on small businesses. The good news is that organizations can take easy steps to protect themselves — and a step that provides the most protection and peace of mind is an Active Insurance policy from Coalition that not only covers potential losses in the event of cyber fraud, but actively helps to prevent and respond to the threat.