Compliance Blog

Sep 12, 2016
Categories: BSA

Whale and Spear Phishing Examples and Red Flags; Credit Unions and the Higher Road

Written by Shari R. Pogach, Regulatory Paralegal

I know you've all heard about the digital con games that target businesses and individuals through their email accounts.  The end goal is to get funds wire transferred into the criminal hacker's account, usually at a bank located in Asia.  The Financial Crimes Enforcement Network (FinCEN) recently issued an advisory, FIN-2016-A003, to help financial institutions guard against email phishing fraud, which has involved $3.1 billion since 2013.  And that's just the 22,000 reported cases.

The two main types of email phishing fraud are:

  • When a company's business email is compromised; and
  • When a victim's personal email account is compromised.

What happens is the bad guys hack into a person's email (either business or personal) and gather as much information as they can about his or her financial institutions, account details, contacts and other related information.  Those stolen details are then used to send emailed instructions that appear to come from the accountholder, so that the financial institution initiates an unauthorized wire transfer of funds into the criminals' domestic or foreign bank accounts.

The advisory gives examples of the types of scenarios used and a red flag list to help identify possible email phishing fraud.  Here are a few email phishing fraud red flag triggers:

  • Seemingly legitimate emailed transaction instructions using different language, timing and amounts than previously verified instructions.
  • Instructions coming from an email account that looks very similar to the victim's email account but has been slightly altered by adding, changing or deleting characters.
  • Instructions that direct the payments to a known beneficiary but the beneficiary's account information is now different.
  • The instructions direct payment to a beneficiary where there is no prior payment history or documented relationship to the customer and the payment is significantly higher than payments to other beneficiaries the customer has paid in the past.
  • Instructions are delivered in such a way that gives limited time or opportunity to confirm the transaction's authenticity.
  • The instructions come from an employee who is a newly authorized person on the customer's account or someone who hasn't previously sent wire transfer instructions.

FinCEN stresses that no single transactional red flag by itself indicates suspicious activity; additional questions and further investigation may be necessary to determine whether a transaction is indeed suspicious.  It also recommends the advisory be widely shared within the institution with its cybersecurity and risk departments; fraud prevention units; BSA/AML management; AML intelligence units; and AML analysts/investigators.
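To show how these red flags could back a wire-review rule that still treats any one flag as only a prompt for more questions, here is an added example (not code from the FinCEN advisory or this blog). The record fields, the one-edit lookalike test and the sample customer and request are assumptions constructed for illustration.

```python
# Added example, not code from the FinCEN advisory or this blog: scores a wire instruction
# against the red flags above; field names, lookalike test and sample data are assumptions.
def one_edit_apart(a: str, b: str) -> bool:
    """True if a and b differ by exactly one added, dropped or changed character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):  # changed character: advance both strings
            i += 1
        j += 1                # extra character in b: advance only b
    return True

def red_flags(req: dict, cust: dict) -> list:
    """Red flags the request trips against the customer's profile on file (keys below)."""
    flags = []
    if one_edit_apart(req["sender_email"].lower(), cust["email"].lower()):
        flags.append("sender address is a lookalike of the customer's address")
    on_file = cust["beneficiaries"].get(req["beneficiary"])
    if on_file is None and req["amount"] > cust["max_prior_amount"]:
        flags.append("new beneficiary and amount exceeds prior payment history")
    elif on_file is not None and on_file != req["account"]:
        flags.append("known beneficiary but account details changed")
    if req["urgent"]:
        flags.append("limited time given to confirm authenticity")
    if req["sender_name"] not in cust["prior_senders"]:
        flags.append("sender has not previously sent wire instructions")
    return flags

def decision(flags: list) -> str:
    """No single flag is conclusive: one means ask more questions; two or more means
    hold the wire and call the customer back on the phone number already on file."""
    return "process" if not flags else "ask-questions" if len(flags) == 1 else "hold-and-callback"

# Constructed sample: profile on file (beneficiaries map payee name -> account number) and
# an incoming request whose sender domain swaps 'l' for '1' and names a new, large payee.
CUSTOMER = {"email": "cfo@examplecorp.com", "beneficiaries": {"Acme Supply": "1234"},
            "prior_senders": {"Dana Lee"}, "max_prior_amount": 25000.0}
REQUEST = {"sender_email": "cfo@examp1ecorp.com", "sender_name": "Dana Lee",
           "beneficiary": "Globex Trading", "account": "9876", "amount": 80000.0, "urgent": True}
```

Calling `decision(red_flags(REQUEST, CUSTOMER))` on the sample returns `hold-and-callback`, since the lookalike address, new high-value payee and urgency each trip a flag.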

***

Speaking of fraud, Wells Fargo was all over the headlines last week with its historic fine for unlawful sales practices.  Just more bad bank behavior.  I think our CEO said it best in his Berger Leadership Blog: this is what differentiates us and makes the credit union industry so stellar, putting members first instead of profits.  Take a moment to read his post and give yourself a pat on the back today as you start the week.