A longtime vendor sends your company an invoice over email requesting payment to be made to a new account as they recently experienced fraud and had to close their old account. If the employee managing the payment isn’t careful about confirming that the request is legitimate, your company may end up sending funds to a scammer, and become victims of impostor fraud.
While there is a small technical element, this isn’t a threat that can be tackled by buying more cybersecurity software. Impostor fraud relies on one human ready and willing to engage with another over the phone or email, and it is duping thousands of American companies out of millions of dollars.
There are two main types of impostor fraud tactics.
- Fraudster impersonates a company executive. The scammer typically favors the CEO’s identity because requests from the corporate CEO are less likely to be questioned than requests from lower-level managers, and some CEOs can be hard to get in touch with to verify such a request. The fraudster will do research in advance to identify the company’s typical payees, along with common methods for payment requests and acceptable amounts for each method, so that the email appears legitimate, and then instruct an employee to make one or more payments, usually by wire transfer and often with a sense of urgency.
- Fraudster impersonates a vendor. The other common form of impostor fraud involves impersonation of a familiar vendor. Similar to the first tactic, the fraudster will conduct research and send the business an invoice similar to the legitimate ones, but with subtle changes to the payment instructions. Fraudsters can accomplish this either by hacking into the email account of an employee of the targeted company or by breaking into the accounts receivable system of one of its vendors and generating a fraudulent invoice or payment request.
Anyone at a company is a potential target, including managers, technology specialists, and trading partners. According to Wells Fargo research and law enforcement reports, bogus emails tend to have one or more of these six common characteristics:
- requests to send payments to new accounts or new destinations, in and outside the United States;
- emails coming from a public email address, such as @gmail.com, rather than from the usual company domain (e.g., @company.com);
- subtle spelling changes in an email address;
- emails in which the writing tone, style, or word choice seems out of character for the individual who supposedly sent the message;
- requests for secrecy around a payment; and
- any request to remit payment to an individual.
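Most of the six characteristics above can be turned into mechanical checks that run over an incoming payment-request email before a human ever sees it. The following is an added example, not code from the article or from Wells Fargo: a small Python screener that flags public sender domains, lookalike spellings of known vendor domains, "new account" and secrecy language, beneficiaries that look like individuals, and account numbers not on file. The vendor directory, the sample messages, the term lists and the similarity threshold are all constructed for illustration; the "tone out of character" characteristic is left to human judgment because it cannot be reduced to a keyword test.

```python
"""Red-flag screener for payment-request emails (added example, not from the article)."""
from difflib import SequenceMatcher
from typing import Dict, List, Optional

# Constructed directory of known vendor domains and the account on file for each.
KNOWN_VENDORS: Dict[str, Dict[str, str]] = {
    "acme-supply.com": {"name": "Acme Supply Inc.", "account_on_file": "US-111222333"},
    "northwind.com": {"name": "Northwind Traders Ltd", "account_on_file": "US-444555666"},
}
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Constructed phrase lists; a real deployment would tune these from its own mail.
NEW_ACCOUNT_TERMS = ("new account", "updated bank", "changed our bank", "new remittance")
SECRECY_TERMS = ("confidential", "do not discuss", "keep this between us", "discreet")
COMPANY_MARKERS = ("inc", "llc", "ltd", "corp", "co.", "gmbh", "plc")
LOOKALIKE_THRESHOLD = 0.85  # assumed cut-off for "subtle spelling change"


def sender_domain(address: str) -> str:
    """Everything after the last '@', lower-cased (so 'suppIy' and 'supply' compare fairly)."""
    return address.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known vendor domain this one closely resembles, or None if exact/unrelated."""
    if domain in KNOWN_VENDORS:
        return None
    for known in KNOWN_VENDORS:
        if SequenceMatcher(None, domain, known).ratio() >= LOOKALIKE_THRESHOLD:
            return known
    return None


def red_flags(msg: Dict[str, str]) -> List[str]:
    """Return the characteristics from the list above that this message exhibits."""
    flags: List[str] = []
    domain = sender_domain(msg["from"])
    body = msg["body"].lower()
    beneficiary = msg.get("beneficiary", "").lower()

    if domain in PUBLIC_MAIL_DOMAINS:
        flags.append("public email domain")
    known = lookalike_of(domain)
    if known:
        flags.append(f"lookalike of {known}")
    if any(term in body for term in NEW_ACCOUNT_TERMS):
        flags.append("requests payment to a new account")
    if any(term in body for term in SECRECY_TERMS):
        flags.append("requests secrecy")
    # Crude heuristic: a payee name with no company marker is treated as an individual.
    if beneficiary and not any(marker in beneficiary for marker in COMPANY_MARKERS):
        flags.append("remittance to an individual")
    account = msg.get("account")
    if account and all(v["account_on_file"] != account for v in KNOWN_VENDORS.values()):
        flags.append("account not on file")
    return flags


# Constructed sample messages: one routine invoice, one impostor request.
SAMPLE_LEGIT = {
    "from": "billing@acme-supply.com",
    "beneficiary": "Acme Supply Inc.",
    "account": "US-111222333",
    "body": "Please find attached invoice 4471 for March. Remit to our usual account.",
}
SAMPLE_FRAUD = {
    "from": "billing@acme-suppIy.com",  # capital I in place of l
    "beneficiary": "John Doe",
    "account": "US-999888777",
    "body": ("We recently experienced fraud and closed our old account. Please send "
             "payment to the new account below. Kindly keep this confidential."),
}

if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("fraud", SAMPLE_FRAUD)):
        print(label, "->", red_flags(sample) or "no flags")
```

A message that trips any flag should be routed to the out-of-band verification step rather than silently dropped; the screener's job is to make sure the human who handles the payment is warned, not to make the decision for them.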
Seven Tips to Avoid Being Victimized by Impostor Fraud
The best way to fight fraud is to build strong defenses within your company, and widespread education is the key.
- Alert and educate your executives and staff. Your staff is your first line of defense. Alert your management team and all supply chain personnel to the threat of impostor fraud and the need for vigilance in responding to any payment request. Company executives should communicate with and assure their staff that it’s OK, and even expected, to question any payment requests.
- Alert and educate your vendors and trading partners. Tell vendors you’ll no longer accept changes to bank account information sent by email, and instruct your trading partners not to make changes to their remittance information without verifying the request with you. Warn them that they’re targets too.
- Authenticate all payment requests. Always verify requests:
  - Received by email.
  - Made outside your company’s normal channels.
  - Made to accounts or countries to which you’ve never sent money before.
  - That ask to change a vendor’s payment remittance information.
  Fraudsters anticipate you might have questions, and they’re prepared to interact with you. Make sure you verify requests through a different channel than that through which the request was received. If a request comes by email, fax, or mail, verify it with a phone call. If it comes by phone, verify it by email. Always use the contact information you have on file to verify the request. Never use the contact information that comes with the request — it’s fraudulent, too.
- Implement dual custody — and use it properly. Dual custody requires two users to initiate and approve an online payment transaction. It gives you a second chance to spot a payment as fraudulent before it goes out the door. But for dual custody to work as intended, both the wire initiator and approver must:
  - Pay close attention to the payment details — not just give them a rubber stamp.
  - Authenticate a request before initiating the payment and before approving the payment. The best practice for initiators and approvers: Verify before you initiate. Verify before you approve.
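The verification and dual-custody rules above are policy, but a payment workflow can enforce them rather than rely on memory. The following is an added example, not the article's or Wells Fargo's code: a Python model of a payment request that refuses a verification made over the same channel the request arrived on, refuses verification through contact details supplied in the request itself or not on file, and refuses release until a second, different user has verified and approved. The vendor, contact directory, user names and the walk-through scenario are constructed.

```python
"""Payment-request workflow enforcing out-of-band verification and dual custody
(added example, not from the article)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed contact directory: the only details we may use to verify a request.
CONTACTS_ON_FILE: Dict[str, Dict[str, str]] = {
    "Acme Supply Inc.": {"phone": "+1-555-0100", "email": "ap@acme-supply.com"},
}
CHANNELS = {"email", "fax", "mail", "phone"}


class ControlViolation(Exception):
    """Raised when a request is handled in a way the policy forbids."""


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    received_via: str               # channel the request arrived on
    contact_in_request: str         # whatever number/address the request itself supplied
    verified_by: Set[str] = field(default_factory=set)
    initiated_by: str = ""
    approved_by: str = ""

    def verify(self, user: str, channel: str, contact_used: str) -> None:
        """Record that `user` confirmed the request through a different channel."""
        if channel not in CHANNELS:
            raise ControlViolation(f"unknown channel {channel!r}")
        if channel == self.received_via:
            raise ControlViolation("verification must use a different channel than the request")
        if contact_used == self.contact_in_request:
            raise ControlViolation("never verify using contact details supplied in the request")
        if contact_used not in CONTACTS_ON_FILE.get(self.vendor, {}).values():
            raise ControlViolation("contact used is not on file for this vendor")
        self.verified_by.add(user)

    def initiate(self, user: str) -> None:
        """Verify before you initiate."""
        if user not in self.verified_by:
            raise ControlViolation("verify before you initiate")
        self.initiated_by = user

    def approve(self, user: str) -> None:
        """Verify before you approve, and never approve your own initiation."""
        if not self.initiated_by:
            raise ControlViolation("nothing to approve")
        if user == self.initiated_by:
            raise ControlViolation("dual custody: approver must differ from initiator")
        if user not in self.verified_by:
            raise ControlViolation("verify before you approve")
        self.approved_by = user

    @property
    def released(self) -> bool:
        return bool(self.initiated_by and self.approved_by)


def walk_through() -> List[str]:
    """Constructed scenario: an emailed request carrying its own call-back number."""
    req = PaymentRequest("Acme Supply Inc.", 12500.0, "email", "+1-555-0199")
    steps = [
        ("same-channel verify", lambda: req.verify("alice", "email", "ap@acme-supply.com")),
        ("contact from request", lambda: req.verify("alice", "phone", "+1-555-0199")),
        ("phone to number on file", lambda: req.verify("alice", "phone", "+1-555-0100")),
        ("alice initiates", lambda: req.initiate("alice")),
        ("alice approves own", lambda: req.approve("alice")),
        ("bob approves unverified", lambda: req.approve("bob")),
        ("bob verifies", lambda: req.verify("bob", "phone", "+1-555-0100")),
        ("bob approves", lambda: req.approve("bob")),
    ]
    log: List[str] = []
    for name, action in steps:
        try:
            action()
            log.append(f"{name}: ok")
        except ControlViolation as err:
            log.append(f"{name}: blocked ({err})")
    log.append(f"released: {req.released}")
    return log


if __name__ == "__main__":
    print("\n".join(walk_through()))
```

The point of modelling the controls this way is that the rubber-stamp path does not exist: an approver who has not independently verified, or who is the same person as the initiator, gets an error rather than a button.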
- Protect your email account. Never give your company email address or log-on credentials to anyone you don’t know who contacts you by telephone, email, or text message. Instruct employees to follow the same rule.
- Look for red flags. Pay close attention to all payment requests. There might be subtle clues in an email or on an invoice that can help you identify impostor fraud. If something doesn’t seem right, it probably isn’t.
- Monitor account activity. Impostor fraud is one more good reason to reconcile your accounts daily. The sooner you spot a fraudulent transaction, the sooner you can start your recovery efforts and take steps to help ensure you don’t become a victim again.
Cary Yates is a Wells Fargo market growth & development manager based in Houston.