Fraudsters Today Part Two: Five More Fraud Types to Watch Out For

Today's fraudsters are exceptionally thorough and can use the information they gain to trick companies of all types and sizes. The second part of this series focuses on five additional not-so-common but equally harmful fraud types that are also affecting our clients today.

1. CEO Fraud

It was near the end of the day when the CEO’s assistant received an urgent request from the CEO to process a wire transfer to close a deal he had been working on for months. The email appeared to be legitimate and written in the same manner as other communications between the two. Considering it was the end of the day and the request was urgent, the assistant worked diligently to process the wire transfer.

The next day the assistant congratulated the CEO on closing the deal and confirmed she had processed the payment. At that moment, the CEO realized his email account was compromised.

The fraudster was closely studying the CEO’s email communications and was aware of a deal the CEO was working on for some time, which allowed the fraudster to imitate the CEO’s communication style.

Prevention Tips

• Develop a manageable approval process: Create one that ensures all approvals are met before wire transfers are initiated.

• Require verbal approvals: For large wire transfers, request verbal approval or confirmation.

• Establish documentation requirements: Require proper documentation and approvals for all wire transfers.

• Verify purchase orders: Ensure all wire transfers are associated with an actual purchase order in your accounting system.

Prevention Tools

• Antimalware and anti-spam programs: These programs can help stop certain emails at the email gateway.

• Email security technology: Scan and filter emails in realtime to block users from opening suspicious attachments or clicking on links that may be malicious.

• Antiimpersonation software: Identify potential CEO fraud attacks by scanning the header and content of email for the signs of malwareless, social engineering techniques often used in these attacks.

2. Corporate Card Fraud

While browsing a travel site to find a good deal on a flight for a business trip, an employee clicked on an advertisement and landed on a website that offered deals too good to be true. Convinced he was saving the company money, the employee purchased a ticket using his corporate credit card and other personal information. Within days, the credit card company flagged abnormal activity on his account. His corporate card had been compromised on the fraudulent travel site.

Prevention Tips

• Don’t share: Never share card information unless you’ve verified the request is legitimate.

• Use chipand-PIN cards when possible: The encrypted microchip is difficult to counterfeit and there are no signatures that can be forged.

• Monitor your credit card activity: Run reports that show detailed transaction information to monitor card spend.

Prevention Tools

• Use transaction monitoring software: This will help alert you about activity outside your regular norm.

3. Deepfake Audio Fraud

An employee received a phone call from her CEO, or so she thought. It appeared to be from his mobile number and it sounded just like him. The person asked her to urgently wire transfer funds for a business transaction he was working on. She followed the detailed instructions and prepared the transfer.

After the fraudster called again, from a number outside the country this time, the employee called the CEO directly and learned he was not the one who called requesting the wire transfer.

Prevention Tips

• Verify the request: Immediately call the executive back at their official number, or use faceto-face conferencing options where available.

• Ask a “testing” question: Challenge the caller with a question only the real executive would know the answer to.

• Use a “code” question and answer: Establish a secret code word or answer as part of your standard procedure for handling oneoff payment requests.

Prevention Tools

• Multifactor authentication: Most attacks are combined with other social engineering techniques that can be prevented—or, at least, mitigated—with solid identity and access management (IAM) solutions.

• Artificial intelligence: Purchase AI systems that can automate deepfake detection to help tackle risks such as identity fraud.

4. Internal Fraud

An accounting manager had racked up significant debt. He then realized his team shared login details to process payments when colleagues are out of the office. He logged in as his colleague and requested issuing a check to a fake supplier, then logged in as himself and approved it. When the fraud wasn’t discovered and he realized how easy it was to do he did it again and again.

Prevention Tips

• Educate employees on risk and security awareness: This includes safeguarding passwords and other confidential info, never leaving a computer with information on the screen, how to report suspected fraud, etc.

• Complete background checks: Use rigorous preemployment screening.

• Separate the duties of payment creation and approval: One person enters the payment details and another, or two, OKs the payment’s release.

Prevention Tools

• Ombudsmen: Allow employees to anonymously report any suspicious or unethical activity.

• Security Protocols: Create robust security protocols like security clearance for employees, protection of assets, internal and external audits, and computerized control systems.

• Hack your system: By doing a lunchand-learn with your employees and have them discover the holes in your processes. 

5. Port-Out Fraud

A woman received a text message on her company phone purporting to be the mobile service provider, informing her that it had received a request to send her number to another carrier and asking her to contact them via a link. Without hesitation, she clicked on the link and was redirected to a website she did not recognize. She closed the site and deleted the text message without taking further action, but the damage was already done. The fraudster now possessed her work phone number and would proceed to steal and change all her passwords.

A few hours later, she noticed her phone had lost service. After calling the mobile service provider, she was told her account had been canceled and that if she wasn't the one who did it, then she had become a victim of port-out fraud (that is, unauthorized switching of mobile carriers).

Prevention Tips

• Security PIN: Add a security PIN to your account.

• Use twofactor authentication: If your cell phone carrier allows, sign up for dualfactor authentication (not always the same as an account PIN or passcode) upon logging into your account.

• Use obscure answers: If your carrier uses security questions for logging in, such as “What street did you grow up on,” try to use obscure answers fraudsters won’t be able to find out in a simple address directory search.

Prevention Tools

• Ask your wireless provider about portout authorization: Every major wireless has some sort of additional security for accounts or for portout authorization that customers can set up, such as a unique PIN or a verification question.

• Don't link your mobile number to online accounts: Once hackers steal your phone number, they can leverage it to reset the password on any online account that’s linked to the number. In many cases, this bypasses twofactor authentication.

Eight Common Fraud Tips

1.    Educate yourself about common scams
2.    Monitor against insider threats
3.    Ensure employees are aware of security best practices
4.    Back up data off-site
5.    Restrict administrative rights
6.    Secure against business email compromise
7.    Install and update antivirus software
8.    Talk to your bank about the fraud mitigation services they offer