David Pollino, a fraud prevention officer at Bank of the West, has been losing sleep lately over a type of cyberfraud for which he's coined a term — masquerading.
Masquerading is a combination of social engineering and a confidence scam, using high-tech tools. A criminal impersonates a high-level executive at a company, often the CEO, and sends an email that looks like it came from that person, or calls, spoofing the executive's phone number. Then the criminal gets others in the organization to do something, such as send a wire transfer or make an automated clearing house payment.
The bank is typically not the direct victim here; its business client is. But banks need to identify and block such exploits, or risk getting sued by their clients.
Pollino, who is also a senior vice president at Bank of the West (a $67 billion-asset San Francisco unit of BNP Paribas), learned about the scheme last year from law enforcement and from other banks that were victims of it. He has become a crusader of sorts, warning everyone he can about the dangers of masquerading. We spent some time with him Thursday finding out more about this threat and what can be done about it.
BTN: How are "masqueraders" able to pass themselves off as their victims?
Pollino: We've seen takeover of email accounts as well as fraudulently set up email accounts. Some use a domain that looks similar to the legitimate domain, so if someone was not paying attention they would think the email was coming from the legitimate domain. And when you think about how much information is being shared on social media today by industry groups... criminals who are targeting a specific industry or company can find out a lot about a company's corporate structure from LinkedIn.... So they can figure out a bit about the corporate structure, then do reconnaissance online, and gather enough information so they can put together something that looks legitimate for a financial transaction to take place. The C-suite executives within a company are good targets because they're easy to find, they're in news articles, government filings, and social media. And they typically have large transactional capability. When it comes to pleasing C-suite executives, many in the company want to go above and beyond and sometimes that might mean violating certain well-established business practices.
Do the masqueraders need to learn about the inner workings of a company, how they handle transactions and their banking relationships, to carry out these attacks?
In many cases, when it comes to normal accounts payable and supplier arrangements, companies have mature processes around getting a purchase order issued, getting the right levels of approval. But when it comes to things like investing in a new company or making arrangements to pay large vendors, for some reason the infrastructure is not as mature or robust and could be more of a target for this type of masquerading fraud. They don't have secondary authentication and a way of validating details of the transaction. In some cases an email or phone call may be considered enough. That is the point of vulnerability.
Has Bank of the West been a target of such attacks?
We've heard about it from law enforcement agencies and other financial institutions and know this kind of attack has been ongoing for a significant period of time, but we don't discuss details of our customers and internal bank processes.
What technology do you use at the bank to try to detect and stop masquerading?
We have a suspicious activity monitoring system. For regulatory reasons, we have to know our customers and their transactions, but it also makes very good business sense. When something takes place outside our customers' normal pattern of activity, we reach out to the customer, find out if this is fraud, a mistake or just a deviation from normal business practices. If they've been fooled by the transaction, we ask them a few thought-provoking questions. Did this come in over email? Is it confidential in nature? Is it time sensitive? Have you independently verified the transaction details with the recipient? By asking some questions you can stimulate additional review on the customer side to define these things. So it's important for us to not only know about the tactics being used out there, but also have good processes internally so we can help protect our customers in any place.
I wonder if, over time, banks will stop accepting wire transfers based on emails. I've also heard of schemes where fraudsters have been able to forward the phone number of the wire transfer approver the bank has on file to their own number temporarily and impersonate that person, and then switch the number back.