New Wire-Transfer Scam Can Ravage Higher Education Schools’ Funds
The latest wire-transfer scam making the rounds could hit higher education institutions especially hard. Because so many colleges and universities interact with international students and foreign suppliers, they are particularly susceptible to this recent and insidious assault on their information technology and targeted employees. The FBI is referring to this sophisticated scam as “business email compromise,” or BEC, and institutions that send foreign wires are at greatest risk.
To protect your institution, it’s important to know how the scam works, what you can do to minimize your exposure, and how respond to an instance of attempted or successful BEC fraud.
How the scam works: targeted emails from a “trusted” source
In one version of the scam, an email that appears to come from a high-ranking school official (e.g., president) is sent to the CFO or an employee in the finance or accounts payable department with wire transfer capabilities, requesting urgent payment of an invoice. Everything about the email appears legitimate: the address, the sender’s signature, and the supporting attachments with amounts due and payable — but it in fact is sent from the scammer posing as the school official. The employee processes the payment without giving it a second thought, unwittingly depositing the institution’s money into a fraudulent account. Usually he or she is eager to accommodate the “urgent” request from a ranking leader and responds dutifully and quickly.
In another method, a scammer impersonates a vendor who an employee directly transacts with on a regular basis. The imposter-vendor and the employee exchange niceties via email, possibly discussing personal details specific to that employee, then the vendor requests payment of an invoice attached to the email. The sham vendor often says the payment is overdue and that the employee needs to process it right away to avoid late fees or disruptions in service. Not wanting to disappoint after such an engaging and friendly conversation, the employee complies.
How the scam originates: quietly penetrating email systems
In most BEC cases, the victim’s email has previously been hacked or compromised unbeknownst to the organization. The fraudsters spend a great deal of time studying their victims, learning how they communicate, identifying who performs what functions, and eventually precisely targeting the employees with the ability to perform the wire transfer. They are so well prepared and in possession of so many personal details that it can be difficult to detect the fraud.
What you can do to protect your institution
Colleges and universities can implement several best practices to avoid becoming the victim in these scams:
- Communicate to employees about BEC scams and call on them for heightened awareness.
- Be on the lookout for “urgent” requests for payment or sudden changes in business processes, such as a vendor requesting payment outside of the normal protocols.
- Ensure that wire-transfer procedures, especially those over a certain dollar amount and/or those to foreign banks or suppliers, require vendor call-back protocols.
- Engage a specialist to perform periodic vulnerability or penetration tests to determine if your system is susceptible to attacks and validate that controls are functioning as intended.
- Train employees to be skeptical of a request for payment, and instruct them to ask another individual with the school’s finance team to verify its legitimacy.
The FBI also asks that any known compromise, regardless of dollar amount, be reported immediately by filing a complaint to IC3, a joint partnership between the FBI and the National White Collar Crime Center.
How we can help
CLA’s higher education practitioners join forces with our firm’s information security specialists to develop best practices for wire-transfer policies and procedures. Our IT security consultants are trained and equipped with the most advanced software and tools to perform assessments on your system, root out vulnerabilities, and shore up security.