Pub. 4 2015 Issue 1
Spring 2015 | Feature

Frequently this wire request has a sense of urgency to it. The money is then quickly bounced through multiple banks, typically ending in Hong Kong or China. The criminals target high-level employees within the organization who have the authority to initiate wires.

There are three basic versions of this attack. Version one sends the business an invoice from a long-standing supplier with payment instructions pointing to a fraudulent account. Version two involves compromising the e-mail of a high-ranking executive (CFO, CTO, etc.), either through spoofing or hacking; the wire request then comes from the executive's e-mail. Version three involves hacking an employee's personal e-mail account and sending requests for invoice payments.

This scam can cause significant financial loss, both to the business and to its financial institution. Court battles are taking place to decide whether the customer is financially liable for the crime. However, even if customers are held accountable, financial institutions could still lose the customer and suffer significant reputational loss.

Many small businesses lack even basic information technology and security controls. Banks should work with their customers to ensure they are protecting themselves. Customers should be encouraged to follow NIST Interagency Report 7621 (Small Business Information Security: The Fundamentals) to help build a security framework. The bank should also require two-step verification on wires initiated by business accounts. This should be an opt-out process that requires customers to choose not to participate, rather than opt-in. The verification process should also require multiple channels of communication: if the wire request is sent via e-mail, it should be validated through a phone call, placed to a number the bank already has on file rather than one supplied in the e-mail itself, since an attacker who controls the request also controls any callback number it contains.

This level of organized cybercrime is very profitable. It is also extremely difficult to catch and prosecute the criminals. Therefore banks and businesses need to stay ever vigilant.
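The following is an added example, not code from the article or from protectmybank.com, showing how the three BEC variants and the opt-out, two-channel verification described above could be turned into a triage check on an inbound wire request. Every record it consults (the customer's domain, the executive and supplier details, the callback numbers, and the four sample requests) is constructed for the demonstration; the key design point is that the callback number is always read from the bank's own records and never from the message being verified.

```python
"""Triage of an inbound wire request against the BEC patterns described above.
Added example, not the article's or protectmybank.com's code; all reference
data and sample messages below are constructed for the demonstration."""
import re
from dataclasses import dataclass


@dataclass
class WireRequest:
    sender_name: str          # display name in the From header
    sender_addr: str          # address in the From header
    reply_to: str             # Reply-To header, "" if absent
    subject: str
    body: str
    supplier: str             # payee named in the request, "" if none
    beneficiary_account: str  # account the request asks to pay


# Hypothetical records the bank holds for one commercial customer.
OUR_DOMAIN = "example-manufacturing.com"
EXECUTIVES = {"dana ruiz": "dana.ruiz@example-manufacturing.com"}
SUPPLIER_ACCOUNTS = {"acme steel": "GB29NWBK60161331926819"}
# Callback numbers come from these records, never from the message itself.
CALLBACK_NUMBERS = {"dana ruiz": "+1-555-0100", "acme steel": "+44-20-5550-0199"}
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|confidential|wire now)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """A domain within two edits of ours, but not ours, is a lookalike."""
    return domain != OUR_DOMAIN and edit_distance(domain, OUR_DOMAIN) <= 2


def triage(req: WireRequest, opted_out: bool = False) -> dict:
    """Return the flags raised, the action to take and the number to call.

    opted_out records that the customer declined two-step verification;
    it defaults to False because enrolment is opt-out, not opt-in."""
    flags = []
    name = req.sender_name.strip().lower()
    supplier = req.supplier.strip().lower()
    sender_domain = req.sender_addr.rsplit("@", 1)[-1].lower()
    reply_domain = req.reply_to.rsplit("@", 1)[-1].lower() if req.reply_to else sender_domain

    # Version two: an executive's name on a message from an address not on file.
    on_file = EXECUTIVES.get(name)
    if on_file and req.sender_addr.lower() != on_file:
        flags.append("executive_display_name_mismatch")
    if is_lookalike(sender_domain) or is_lookalike(reply_domain):
        flags.append("lookalike_domain")
    if reply_domain != sender_domain:
        flags.append("reply_to_redirect")
    # Version three: payment request arriving from a personal webmail account.
    if sender_domain in FREEMAIL:
        flags.append("freemail_sender")
    # Version one: known supplier, but the payment instructions point elsewhere.
    known = SUPPLIER_ACCOUNTS.get(supplier)
    if known and req.beneficiary_account.replace(" ", "").upper() != known:
        flags.append("beneficiary_account_changed")
    if URGENCY.search(req.subject + " " + req.body):
        flags.append("urgency_language")

    # Second channel: call the party on record, at the number on record.
    callback = CALLBACK_NUMBERS.get(supplier) or CALLBACK_NUMBERS.get(name)
    if flags or not opted_out:
        action = "hold_for_callback" if callback else "hold_no_verified_contact"
    else:
        action = "release"
    return {"flags": flags, "action": action, "callback_to": callback}


# Constructed sample requests, one per variant plus a genuine one; not real traffic.
SPOOFED_EXEC = WireRequest("Dana Ruiz", "dana.ruiz@example-manufacturlng.com", "",
                           "Urgent wire needed today",
                           "Send 48,500 to the account below before close of business.",
                           "", "HK00BANK0000111122223333")
CHANGED_INVOICE = WireRequest("Acme Steel Accounts", "ap@acme-steel.com", "ap@acme-steel.com",
                              "Invoice 4471", "Please note our updated banking details.",
                              "Acme Steel", "GB00FAKE0000000000000000")
PERSONAL_MAILBOX = WireRequest("Sam Lee", "sam.lee.work@gmail.com", "",
                               "Invoice payment", "Please pay the attached invoice.",
                               "", "DE00FAKE0000000000000000")
GENUINE = WireRequest("Dana Ruiz", "dana.ruiz@example-manufacturing.com", "",
                      "Invoice 4470 Acme Steel", "Approved for payment per the PO.",
                      "Acme Steel", "GB29 NWBK 6016 1331 9268 19")

if __name__ == "__main__":
    for r in (SPOOFED_EXEC, CHANGED_INVOICE, PERSONAL_MAILBOX, GENUINE):
        print(r.subject, "->", triage(r))
```

Note that the genuine request is still held for a callback: under the opt-out model the second channel is exercised on every wire unless the customer has explicitly declined it, and a request that raises any flag is held regardless of that choice. A request with no verified contact on record cannot be released by this path at all, which is the intended outcome.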
Security awareness training should be offered not only to bank employees, but also to their customers.

Conclusions

Business E-mail Compromise (BEC) is a growing threat that community banks need to be aware of. Continued security awareness training for customers and effective risk management for all commercial customers are critical components for every community bank. It is key for community banks to use the expectations set in the FFIEC Authentication in an Internet Banking Environment guidance and the Conference of State Bank Supervisors (CSBS) Corporate Account Takeover (CATO) guidance to implement a risk assessment of each commercial customer, implement appropriate layered controls based on that risk, and ensure continued education for customers. Please visit www.protectmybank.com to see how we help community banks around the country address these issues.