Wire Transfer Fraud Just Got Smarter – Your Defenses Need to Catch Up

by | Aug/15/2025


EXECUTIVE SUMMARY

New Business Email Compromise (BEC) attacks targeting wire transfers cost organizations billions annually. Threat actors have developed new techniques that bypass even sophisticated email protection filters, including those in organizations like yours, and can use AI deepfakes to defeat the voiceprint protection banks rely on.

This article describes these new threats. To put as much wire transfer security into one document as possible, it also covers the key components your organization’s wire transfer process needs in order to protect against threats old and new, along with protective changes your IT team can make to your computer systems and processes.

The losses can be devastating – one organization lost hundreds of thousands and a top executive. Review your wire transfer policy today, and conduct a tabletop exercise this quarter. Your organization’s financial survival may depend on it.

It is Time to Update Your Wire Transfer Process Policy and Procedure Documentation

Fraudulent wire transfers, part of an attack referred to as Business Email Compromise (BEC), are very frequent and expensive for organizations that fall prey to these attacks. The FBI IC3 reports that BEC costs organizations billions of dollars each year. I want to help you avoid being a victim.

Something new that’s related to wire transfer fraud: The threat actors have a new technique that successfully bypasses spam filters. We’re receiving concerned email questions, as we should be, like this one from a very savvy IT Pro who wrote in frustration: “The email bypasses one of our main filters for external mail.” The “main filter” he is referring to is a very expensive email protection service that is very effective at preventing external phishing. At least it was, until now. Attackers found a way through not just his system, but any system not protected by the technical fix we gave him right away, which is included below. Your protection may be vulnerable too. The need for you to know what to fix is the primary reason I penned this article.

In another new development, Sam Altman, CEO of OpenAI, which makes ChatGPT, is warning the Federal Reserve: Fraudsters can use improved AI-generated voice to completely defeat voice-print authentication. He says that threat actors will be able to call a bank, pass the voice recognition test for access to their victim’s accounts, and move money wherever they want.

One of our customers got compromised. When one of their vendors called asking about hundreds of thousands in unpaid bills, the company realized they’d been paying a fraudster for a year.

Our customer had a strict protocol: The vendor must fill out and sign a specific form; then, following separation of duties, one person approves the change and another updates the routing and account numbers. Unfortunately, fraudsters breached the victim company’s email and easily identified the process by tracking a legitimate request.

The hackers breached the email system of one of the victim’s largest suppliers. They immediately sent an email from that company to the person who approves transfers and another directly to the person who changes the routing and account number using a forged approval signature.

It was almost impossible to catch that, and they only found out after a year when the large vendor contacted them, saying they’d had a glitch that resulted in no statements being sent, and asked about the hundreds of thousands of dollars the victim company owed the vendor. And, of course, the victim company had been paying all along, but the money was going to a happy fraudster who enjoyed a significant income for their efforts. The loss was devastating. A top executive, one of the smartest and kindest people I’ve ever known, left the company soon after.

Threat actors successfully bypass spam protection by tricking anti-phishing systems into believing their message, sent from an external server, came from inside your network. The duped spam filter doesn’t check the message and allows it through because, by default, all internal email messages are allowed. This trickery removes the need for the threat actors to breach the victim company’s email system.

You’ve seen the online videos of deepfakes and how difficult it is to tell some of them apart from a real human. Although it isn’t common yet, threat actors could theoretically use AI-generated deepfake voices that sound very convincing during an approval process. OpenAI is specifically warning banks about this risk right now. Threat actors are using deepfake video in job interviews now, so it is reasonable to expect that they will use audio impersonation to fake a vendor representative’s voice to successfully and fraudulently complete the approval process.

Have a Wire Transfer Process Policy that your team adheres to. Be sure there is extensive training and regular test messages. If your team knows there could be a test message at any time, they’re more likely to stay vigilant.

I know you can use AI to write one, but here is a sample wire transfer policy we’ve spent a lot of time compiling that you can adjust to fit your organization:

  1. Receive and log the request into whatever logging system you’re using now. Even a spreadsheet would work. Record:
    1. Entity requesting the transfer
    2. How they contacted you: email, phone, etc.
  2. Look for Obvious Problems:
    1. Carefully check the email address to confirm the text after the @ sign matches the company’s domain. If it doesn’t, check your email history to see what domain name they typically use. And of course, you already know the source and reply-to email addresses can be spoofed anyway. If anything is off in the addresses, consider the message fraudulent.
    2. Does the request indicate some urgency? If so, be very suspicious that it is fraudulent.
    3. Does it ask you to keep something secret, such as a surprise or gift? If so, be very suspicious of this, too.
    4. Do you already have different payment details on file for that company? If so, be extra careful.
    5. If something feels “off” about the request, trust your gut feeling and escalate it for secondary review. Sometimes our brains can detect subtle clues that aren’t obvious, and fraud is so expensive that you must honor all indications, even when it is just an odd feeling about the message. It is better to err on the side of safety than lose a fortune to fraud.
    6. If someone phones you, keep in mind that AI is excellent at helping threat actors create deep-fake audio impersonations. If you’re unsure, start a casual conversation and ask specific questions about their city. If they can’t answer even simple ones, or they make an excuse like having just moved there, that is a big red flag. If a threat actor is using a voice chatbot responding to you directly, it will know the answers to your questions right away, but at least it gives you more time to see if the voice sounds AI-ish.
    7. Just because you confirm that an email is from a company, that doesn’t mean it is valid. Threat actors earn lots of money if they succeed, so they are motivated to invest a lot of time and use sophisticated techniques to hack into the email of one of the companies you already transfer money to. Then they can send and receive email via the company’s actual mail servers. The company whose email they hacked has no idea.
    8. Tell other members of your team about messages that concern you so they can spot them quickly.
  3. Mandatory Callback Verification if the message passed the initial review
    1. Verifications must be conducted out-of-band, meaning in a different way than the request arrived. For example, if the request arrived by email, verify it by phone or another channel, not by replying to that email.
    2. If your organization utilizes secure communication methods, such as encrypted email or a secure portal, contact the person that way to confirm the transfer or account number update.
    3. If you need to use email, forward, not reply, the request to the supposed person at the company domain (not another domain; watch for minor typos in the domain name) and ask if they sent that message.
    4. Call the person requesting the transfer or account number update. Avoid calling the phone number provided in the email message. Find the phone number you typically use or look up the phone number at the company’s website or another independent way.
    5. Ask the person to call you back so you can verify that the phone number matches the one on the company’s website. If the number doesn’t match exactly, the area code, prefix, and first one or two numbers should.
    6. If this is a new setup, or a change in account number, contact a second person at the organization to independently confirm the identity of the worker you contacted.
    7. Document all of this in your log.
  4. Dual Approval for transferring money
    1. See if your bank will allow you to set up dual approval so that two people must confirm each wire transfer. If your business processes dozens of wire transfers every day, consider setting a threshold where you only need two people if the transfer is over a specific amount.
    2. Even if your bank doesn’t have the two-person verification option, you can still use that process internally on your own by having the person who is about to make the transfer get the sign-off of another worker who can verify it.
  5. After you make the transfer or update the routing and account numbers, send a confirmation to the user at the company using the email address you independently verified. Do not assume the email address or the “reply to” address is accurate. Update the log entry that corresponds with the transaction you started when the request arrived, so you’ll be able to review the details if you need to.
  6. Immediately activate the response plan described below if you suspect fraud has happened. Speed is of the essence because the sooner your bank and the authorities know about the fraud, the more likely it is that they can recover some or all of the money. There are no guarantees, but act quickly anyway.
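The initial-review checks in step 2 and the callback-number rule in step 3 can be turned into a small triage script that runs over each logged request before anyone picks up the phone. The following is an added example, not code from the article or from the Foster Institute; the vendor records, the list of look-alike character substitutions, the urgency and secrecy word lists, and the two sample requests are all constructed for illustration. It goes slightly beyond the text by normalizing confusable characters (for example "rn" for "m") so that a look-alike domain is reported separately from an outright mismatch.

```python
import re

# Constructed vendor master data, as it might be kept beside the wire-transfer log (assumption).
VENDORS = {
    "Acme Supply": {
        "domain": "acmesupply.com",
        "account": "123456789",
        "routing": "011000015",
        "phone": "555-010-2000",   # the number AP has always used, never one taken from a message
    },
}

URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "right away", "deadline")
SECRECY_WORDS = ("confidential", "keep this quiet", "between us", "surprise", "gift")

# Substitutions used to build look-alike domains; illustrative, not exhaustive.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_domain(domain):
    """Lower-case a domain and collapse common look-alike substitutions."""
    d = domain.lower().strip()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def domain_check(sender_email, vendor_domain):
    """'ok' for an exact match, 'lookalike' for a confusable variant, 'mismatch' otherwise."""
    sender_domain = sender_email.rpartition("@")[2].lower()
    if sender_domain == vendor_domain.lower():
        return "ok"
    if normalize_domain(sender_domain) == normalize_domain(vendor_domain):
        return "lookalike"
    return "mismatch"


def digits(number):
    """Keep the last ten digits: area code, prefix, line number."""
    return re.sub(r"\D", "", number)[-10:]


def callback_number_acceptable(callback_number, number_on_file):
    """Step 3.5: exact match, or the area code, prefix and first two line digits match."""
    a, b = digits(callback_number), digits(number_on_file)
    if len(a) < 10 or len(b) < 10:
        return False
    return a == b or a[:8] == b[:8]


def keyword_hits(text, words):
    lowered = text.lower()
    return [w for w in words if w in lowered]


def triage(request):
    """Apply the 'obvious problems' checks to one logged request and decide the next step."""
    vendor = VENDORS[request["vendor"]]
    flags = []
    dc = domain_check(request["sender_email"], vendor["domain"])
    if dc != "ok":
        flags.append(f"sender domain {dc}")
    text = request["subject"] + " " + request["body"]
    flags += [f"urgency: {w!r}" for w in keyword_hits(text, URGENCY_WORDS)]
    flags += [f"secrecy: {w!r}" for w in keyword_hits(text, SECRECY_WORDS)]
    if request.get("new_account") and request["new_account"] != vendor["account"]:
        flags.append("payment details differ from those on file")
    if request.get("new_routing") and request["new_routing"] != vendor["routing"]:
        flags.append("routing number differs from the one on file")
    if request.get("phone_in_message") and not callback_number_acceptable(
            request["phone_in_message"], vendor["phone"]):
        flags.append("phone number in message does not match the number on file")
    if dc != "ok":
        decision = "fraudulent"   # anything off in the address: treat the message as fraud
    elif flags:
        decision = "escalate"     # secondary review before any callback
    else:
        decision = "callback"     # passed initial review; mandatory out-of-band callback is next
    # The callback always goes to the number on file, never to one supplied in the request.
    return {"decision": decision, "flags": flags, "callback_number": vendor["phone"]}


# Two constructed requests: a look-alike domain with urgency and new bank details, and a plain invoice.
REQUESTS = [
    {
        "vendor": "Acme Supply",
        "sender_email": "billing@acrnesupply.com",
        "subject": "URGENT: updated banking details",
        "body": "Please send today's payment to account 987654321, routing 011000015. "
                "Call 555-010-9999 with questions.",
        "new_account": "987654321", "new_routing": "011000015",
        "phone_in_message": "555-010-9999",
    },
    {
        "vendor": "Acme Supply",
        "sender_email": "billing@acmesupply.com",
        "subject": "Invoice 4471",
        "body": "Attached is invoice 4471 for July services.",
    },
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req["sender_email"], "->", triage(req))
```

The script is a first pass only: a clean result means "proceed to the callback step", not "pay". Keep the word lists and the confusable table in the log system's configuration so the team can add the patterns they see in their own mail.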

Here is a list of other essential steps we created for you. Some are more technical, but you can always lean on your IT team to help:

  1. By default, most spam filters allow all internal messages between your workers to pass through without inspection. As mentioned above, attackers can successfully trick your email systems into believing the sender is inside the company. They can trick your anti-fraud tools to pass their wire transfer requests without scrutiny. Ask your IT Department to change the settings to remove this bypass and require all messages, internal and external, to be tested thoroughly.
  2. Thoroughly educate your team about preventing BEC and wire fraud.
  3. Check your regulatory and legal requirements for your industry and your situation. There is a chance that there are specific wire transfer regulations that will apply to your organization.
  4. Ask your bank and your application providers what forms of fraud protection services they offer. AI is empowering banks and other financial institutions to watch for suspicious behaviors. The tools can watch trends with all of the transactions they process and also watch for irregularities from your organization’s typical usage. AI is getting better and better at catching fraud quickly. Make sure yours is set at the highest level.
  5. Apply the security principle of “separation of duties” by ensuring that the person approving the transfer is different from the one making the transfer. This helps catch fraud because more than one person has a chance to recognize an issue.
  6. An attacker might use deepfakes to dupe you into thinking everything is legitimate. After all, if they stand to make a mint, they will go to great lengths, the stuff Hollywood is made of. Someday, it might get to the point that some transactions must happen in person. If going in person is not practical, an alternative that would be very difficult, as of today, for an attacker to simulate would be a video call with multiple people whom you recognize from the other organization in the same online meeting at the same time, especially if the vendor’s representatives are in a setting you recognize. The threat actor would have to accurately depict the background, animate all the people at the company and give them the right voices and the right things to say in a very human way. The technology just isn’t that good yet.
  7. Ensure your IT Department has configured alerts that will trigger the moment a new email rule is created. It is very common for threat actors to breach a company, configure email forwarding rules, and then get out before they’re noticed, all to prepare for lucrative fraudulent email requests. In post-incident forensics processes, we frequently discover that the threat actor was only in the network for a few minutes and was gone before even the best EDR, XDR, and other automated detection tools could notice. To the system, it appeared to be a typical user logging in and logging out, nothing out of the ordinary.
  8. Be sure you set up MFA at your bank. Ask if they support you logging in with a physical token, an authenticator app on your phone or using a passkey, all of which are more secure than a text message. Even then, know that hackers can bypass MFA, so it cannot positively prevent a threat actor from accessing your account. But use MFA anyway.
  9. Here’s the technical stuff to send to IT, but executives, please read the next section after this section.
    1. Ask them to enable Spoof Intelligence in Microsoft 365 Defender
    2. Ensure Anti-Spam Policy > Spoof settings blocks failed SPF and DMARC internal spoof attempts
    3. Enable domain and user impersonation protection in an Anti-Phish Policy for your Accepted Domains
    4. Disable or at least restrict any inbound connectors that accept mail from untrusted IPs
    5. Add an Exchange mail flow (transport) rule for messages that are authenticated as Anonymous but claim to come from inside your domain: If AuthAs=Anonymous AND InternalOrgSender=True, treat the message as external and run the spam and phishing filters again.
    6. Be sure your IT Department has configured SPF, DKIM, and DMARC (they will recognize the names) to help protect you from fraudulent email messages. They need to implement these in phases to ensure you don’t lose essential messages and that your company’s outbound email doesn’t get blocked by the settings. They can start SPF with ~all (soft fail) while monitoring, then move to -all (hard fail) after they’ve identified all the approved sources of email, and separately configure DMARC to progress from p=none > p=quarantine > p=reject over time. Important: Don’t move DMARC to p=reject until both SPF and DKIM are properly configured and aligned, as doing so earlier could block legitimate email.
  10. You already have an incident response plan for a security breach; be sure to have one for fraudulent wire transfers, too.
    1. Include immediate notification of your bank, cyber-insurance carrier, the FBI, your data breach lawyer, and the executives of your organization. Include all contact information right in the plan so there are no delays. Sometimes, when money gets transferred to a fraudulent account, the threat actors cannot access the full amount right away; they must remove the money in smaller increments. Sometimes you can recover some of the money if you act quickly. Other times, the funds are moved immediately to overseas mule accounts.
    2. Include an instruction to ask your IT department to immediately run an Exchange message trace on the specific messages related to the fraud; they’ll understand the request.
    3. Ask IT to also check the admin audit logs for recent rule/connector modifications.
  11. To combat the voice-print dangers, you need to consider both someone impersonating your company to the bank, and someone pretending to be the bank calling you. For the former, ask your bank to require multiple forms of authentication, not just voice-print. They will probably suggest pre-arranged code words or security questions that only you and your bank know. Here’s something many people learn the hard way: Do not answer with a fact. In other words, you might say your high school was Sea of Tranquility High on the Moon. Good luck to any attacker trying to find that on your LinkedIn profile, even if they are using AI to assist them! And if someone calls you claiming to be from your bank, hang up and call the bank back on a number you can verify as being legitimate.
  12. And last, it is an excellent idea to ensure everyone who pays you by wire transfer does everything in this document and more. After all, if they pay all the money they owe you to a fraudster, they might not have enough money left to pay you, too. We’ve seen that happen to some of our best clients; their customers suffered a BEC and transferred money to threat actors, and then couldn’t afford to pay our customers. This is an example of how another company’s breach can hurt your organization, too.
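To make the internal-spoof bypass (step 1 and step 9.5 above) and the rule-change alerting (steps 7 and 10.3) concrete, here is an added example of the detection logic a mail administrator could run over message headers and admin audit records. This is not code from the article or from Microsoft; the accepted domain, the three sample messages, the simplified audit records and the field names in them are all constructed. It relies on two things that are on the page: Exchange Online stamps mail that was not authenticated with X-MS-Exchange-Organization-AuthAs: Anonymous, and a message that carries that stamp while claiming a sender in one of your accepted domains should be treated as external and filtered again.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the tenant's accepted domains; constructed for this example.
ACCEPTED_DOMAINS = {"example.com"}

# Constructed messages. The first arrived from an outside server but claims an internal sender.
SPOOFED_INTERNAL = """\
Received: from mail.attacker.invalid (203.0.113.5) by mx.example.com
From: "CFO" <cfo@example.com>
To: ap@example.com
Subject: Wire needed today, keep confidential
X-MS-Exchange-Organization-AuthAs: Anonymous
Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none header.from=example.com
Content-Type: text/plain

Please process the attached wire before noon.
"""

GENUINE_INTERNAL = """\
From: "CFO" <cfo@example.com>
To: ap@example.com
Subject: Q3 budget review
X-MS-Exchange-Organization-AuthAs: Internal
Content-Type: text/plain

Slides attached for Thursday.
"""

ORDINARY_EXTERNAL = """\
From: "Acme Billing" <billing@acmesupply.com>
To: ap@example.com
Subject: Invoice 4471
X-MS-Exchange-Organization-AuthAs: Anonymous
Authentication-Results: spf=pass smtp.mailfrom=acmesupply.com; dkim=pass; dmarc=pass header.from=acmesupply.com
Content-Type: text/plain

Attached is invoice 4471.
"""


def auth_result(auth_results, mechanism):
    """Pull one mechanism's verdict (pass/fail/none) out of an Authentication-Results header."""
    m = re.search(rf"\b{mechanism}=(\w+)", auth_results)
    return m.group(1).lower() if m else "none"


def classify(raw_message):
    """Decide whether a message that claims an internal sender really was authenticated as internal."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    claims_internal = from_domain in ACCEPTED_DOMAINS
    # A missing stamp is not evidence of authentication, so treat it like Anonymous.
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "Anonymous").strip().lower()
    results = msg.get("Authentication-Results") or ""
    findings = []
    treat_as_external = claims_internal and auth_as == "anonymous"
    if treat_as_external:
        findings.append("claims an internal sender but was not authenticated: run external filtering")
    if claims_internal and auth_result(results, "spf") == "fail":
        findings.append("SPF failed for our own domain")
    if claims_internal and auth_result(results, "dmarc") == "fail":
        findings.append("DMARC failed for our own domain")
    return {"from_domain": from_domain, "claims_internal": claims_internal,
            "auth_as": auth_as, "treat_as_external": treat_as_external, "findings": findings}


# Audit-log side: operations that should raise an alert the moment they appear.
RULE_CHANGE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "New-TransportRule",
                          "Set-TransportRule", "New-InboundConnector", "Set-InboundConnector"}

# Constructed, simplified audit records (assumption: real records carry more fields).
AUDIT_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "ap@example.com",
     "Parameters": {"ForwardTo": "drop@attacker.invalid", "DeleteMessage": True}},
    {"Operation": "Set-Mailbox", "UserId": "admin@example.com",
     "Parameters": {"Identity": "ap@example.com"}},
]


def rule_change_alerts(events):
    """Return one alert line per rule or connector change found in the audit records."""
    return [f"{e['UserId']} ran {e['Operation']} {e['Parameters']}"
            for e in events if e["Operation"] in RULE_CHANGE_OPERATIONS]


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_INTERNAL), ("genuine", GENUINE_INTERNAL),
                      ("external", ORDINARY_EXTERNAL)):
        print(name, classify(raw))
    for alert in rule_change_alerts(AUDIT_EVENTS):
        print("ALERT:", alert)
```

The message check is the same condition the transport rule in step 9.5 expresses, written out so it can be tested against saved headers from a message trace; the audit check is the list of operations an alert should be keyed on, which is easier to review as a set than buried in an alert-policy form.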

This simple process could save you many hundreds of thousands of dollars, as fraudulent emails requesting wire transfers are becoming too frequent. Review your policy today and have a table-top exercise this quarter.

About the Author

Mike Foster, CISSP®, CISA®
Cybersecurity Consultant and Keynote Speaker
📞 805-637-7039
📧 mike@fosterinstitute.com
🌐 www.fosterinstitute.com

Mike Foster is a leading cybersecurity consultant with decades of experience helping organizations across North America secure their digital assets. He holds CISSP® and CISA® certifications and is the author of The Secure CEO. As the founder of The Foster Institute, Michael has delivered over 1,500 keynote presentations and consulting engagements, equipping executives and IT leaders to strengthen their cybersecurity posture and defend against evolving threats.