CUNA Mutual has released an alert reporting that credit union member and employee email addresses are being hacked or spoofed to initiate fraudulent payment requests. These payment requests (usually wire transfers) can be for very high dollar amounts. Credit unions can reduce their exposure to these financial and reputational risks by being aware of the warning signs and implementing appropriate procedures.
The Background
The FBI has reported a 270% increase in CEO fraud attempts since January 2015. These attempts and their victims are not isolated; they have been reported in every state.
These CEO fraud schemes involve spoofing or imitating a business executive’s email request to initiate a wire transfer. CEO fraud is accomplished either by phishing an executive and gaining access to that individual’s inbox or by emailing employees from a look-alike domain name. These spoofed domains may be only one or two characters off from the targeted member’s or employee’s true domain name. For example, if the target domain was “ABC1cu.com” the thieves might register “ABClcu.com” (substituting the letter “L” for the numeral 1). Unlike traditional phishing scams, the spoofed emails used in CEO fraud are rarely detected by spam filters because they are targeted at one individual within the credit union organization.
In cases where executives or employees have had their inboxes compromised, the perpetrators will examine the victim’s email correspondence for key terminology like “payment” or “deposit”. The perpetrators will then create a request appearing to be from the executive to initiate an urgent payment – typically for an investment or “confidential matter.”
A message may also be sent delegating authority to an attorney or another third party to provide payment or changes to previously established payment instructions. In at least one case, the credit union’s email system was compromised which led to a fraudulent email request for a large wire transfer.
Risk Mitigation
Credit unions should:
- Implement a process for validating internal requests and use commercially reasonable security procedures as expected under Uniform Commercial Code Article 4A (UCC 4A) for member-requested transfers.
- Review, and encourage further examination of, all emailed member and internal wire transfer requests that conflict with a normal, pre-established pattern of behavior.
- Train employees to recognize and further investigate public email accounts (e.g., Gmail, Yahoo) in an executive’s name, as well as email domains that appear legitimate but may be a variation of the official email domain: ABC1cu.com vs. ABClcu.com.
- Pay special attention to wire transfer requests that claim urgency, insist on confidentiality, require immediate confirmation only after the wire has been executed, or demand that all future communication be handled via email only.
- Require secondary internal approval for any payment requests, as well as payment instruction changes to internal credit union systems.
- Require out-of-band, direct-contact verification for any member-emailed wire transfer request or request to change established payment instructions.
- Have written agreements following the provisions of UCC 4A with any business members that request wire transfers. The agreements should clearly specify the commercially reasonable security procedures that the parties agree to follow, and that the business is liable for any fraud that occurs through its systems.
- Remove lists of employees, titles and email addresses from your website as this can assist the fraudster in knowing the organizational structure.
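The look-alike domain trick described above (ABC1cu.com vs. ABClcu.com) and the public-webmail warning sign in the training bullet can both be screened for automatically before a wire request reaches an approver. The following is an added example written for this page, not code from CUNA Mutual or the alert; the ABC1cu.com / ABClcu.com pair is taken from the alert, while every other address, the confusable-glyph table, the surname “Smith” and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
"""Screen From: addresses for look-alike domains and public webmail accounts.

Added example, not part of the CUNA Mutual alert. The pair ABC1cu.com /
ABClcu.com comes from the alert; every other address below is constructed.
"""

# Glyph pairs that are easy to confuse on screen; multi-character pairs first.
CONFUSABLES = (
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("i", "l"), ("|", "l"),
    ("5", "s"), ("3", "e"), ("7", "t"), ("8", "b"),
)

# Free webmail providers an executive would not normally use for a business request.
PUBLIC_WEBMAIL = frozenset({"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"})


def skeleton(name):
    """Fold confusable glyphs to one canonical form, repeating until stable so a
    substitution that exposes another confusable pair is folded as well."""
    s = name.lower().strip()
    while True:
        folded = s
        for src, dst in CONFUSABLES:
            folded = folded.replace(src, dst)
        if folded == s:
            return s
        s = folded


def levenshtein(a, b):
    """Edit distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(address, official_domains, executive_surnames, max_edits=2):
    """Return warning labels for one From: address; an empty list means no warning.

    official_domains   - domains the credit union actually owns, e.g. {"ABC1cu.com"}
    executive_surnames - surnames whose appearance in a webmail address should
                         trigger review (the alert's "public email account in an
                         executive's name" case)
    """
    local, _, domain = address.lower().rpartition("@")
    officials = {d.lower() for d in official_domains}
    if domain in officials:
        return []
    if domain in PUBLIC_WEBMAIL:
        if any(name.lower() in local for name in executive_surnames):
            return ["public webmail account in an executive's name"]
        return []
    warnings = []
    for official in sorted(officials):
        label = official.split(".")[0]              # e.g. "abc1cu"
        if skeleton(domain) == skeleton(official):
            warnings.append(f"confusable look-alike of {official}")
        elif levenshtein(domain, official) <= max_edits:
            warnings.append(f"near-miss spelling of {official}")
        elif skeleton(label) in skeleton(domain):
            warnings.append(f"embeds the name of {official}")
    return warnings


def screen(addresses, official_domains, executive_surnames):
    """Map each address to its warnings, keeping only those that need review."""
    result = {}
    for addr in addresses:
        warn = classify_sender(addr, official_domains, executive_surnames)
        if warn:
            result[addr] = warn
    return result


if __name__ == "__main__":
    # Constructed sample of From: addresses; only the first two domains are from the alert.
    sample = [
        "ceo@ABC1cu.com",              # genuine
        "ceo@ABClcu.com",              # letter L substituted for digit 1
        "j.smith.ceo@gmail.com",       # executive's name on public webmail
        "payments@abc1cu.co",          # dropped final letter
        "ceo@abc1cu-secure.com",       # official name embedded in a new domain
        "vendor@example.org",          # unrelated third party, no warning
    ]
    for addr, warn in screen(sample, {"ABC1cu.com"}, {"Smith"}).items():
        print(f"{addr}: {'; '.join(warn)}")
```

A flagged address is a prompt for the out-of-band verification the alert calls for, not a verdict on its own: the skeleton comparison catches glyph swaps such as 1/l and rn/m, the edit-distance check catches dropped or added characters, and the embedded-name check catches registrations like “abc1cu-secure.com” that would otherwise pass both tests. Legitimate but unusual addresses will also be flagged, which is the intended trade-off for high-value wire requests.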
Risk Prevention Resources
Access CUNA Mutual Group’s Protection Resource Center at cunamutual.com for exclusive Risk Management resources to assist with your loss control needs. If you are viewing this Alert as a PDF, you will be required to sign in to access the related resources.
- Online Risk Assessment: Funds and Wire Transfer
- Krebs on Security article, FBI: $2.3 Billion Lost to CEO Email Scams
- FBI release: FBI Warns of Dramatic Increase in Business E-Mail Scams
Contact CUNA Mutual Group Risk Management at 800.637.2676 or use Ask a Risk Manager for additional risk insights and to learn how Risk Management can assist your credit union.