David Pollino, a fraud prevention officer at Bank of the West, has been losing sleep lately over a type of cyberfraud for which he's coined a term: masquerading.
Masquerading is a combination of social engineering and a confidence scam, using high-tech tools. A criminal impersonates a high-level executive at a company, often the CEO, and sends an email that looks like it came from that person, or calls, spoofing the executive's phone number. Then the criminal gets others in the organization to do something, such as send a wire transfer or make an automated clearing house payment.
The bank is typically not the direct victim here; its business client is. But banks need to identify and block such exploits, or risk getting sued by their clients.
Pollino, who is also a senior vice president at Bank of the West (a $67 billion-asset San Francisco unit of BNP Paribas), learned about the scheme last year from law enforcement and from other banks that were victims of it. He has become a crusader of sorts, warning everyone he can about the dangers of masquerading. We spent some time with him Thursday finding out more about this threat and what can be done about it.
BTN: How are "masqueraders" able to pass themselves off as their victims?
Pollino: We've seen takeover of email accounts as well as fraudulently set up email accounts. Some use a domain that looks similar to the legitimate domain, so if someone was not paying attention they would think the email was coming from the legitimate domain. And when you think about how much information is being shared on social media today by industry groups... criminals who are targeting a specific industry or company can find out a lot about a company's corporate structure from LinkedIn.... So they can figure out a bit about the corporate structure, then do reconnaissance online, and gather enough information so they can put together something that looks legitimate for a financial transaction to take place. The C-suite executives within a company are good targets because they're easy to find, they're in news articles, government filings, and social media. And they typically have large transactional capability. When it comes to pleasing C-suite executives, many in the company want to go above and beyond and sometimes that might mean violating certain well-established business practices.
Do the masqueraders need to learn about the inner workings of a company, how they handle transactions and their banking relationships, to carry out these attacks?
In many cases, when it comes to normal accounts payable and supplier arrangements, companies have mature processes around getting a purchase order issued, getting the right levels of approval. But when it comes to things like investing in a new company or making arrangements to pay large vendors, for some reason the infrastructure is not as mature or robust and could be more of a target for this type of masquerading fraud. They don't have secondary authentication and a way of validating details of the transaction. In some cases an email or phone call may be considered enough. That is the point of vulnerability.
Has Bank of the West been a target of such attacks?
We've heard about it from law enforcement agencies and other financial institutions and know this kind of attack has been ongoing for a significant period of time, but we don't discuss details of our customers and internal bank processes.
What technology do you use at the bank to try to detect and stop masquerading?
We have a suspicious activity monitoring system. For regulatory reasons, we have to know our customers and their transactions, but it also makes very good business sense. When something takes place outside our customers' normal pattern of activity, we reach out to the customer, find out if this is fraud, a mistake or just a deviation from normal business practices. If they've been fooled by the transaction, we ask them a few thought-provoking questions. Did this come in over email? Is it confidential in nature? Is it time sensitive? Have you independently verified the transaction details with the recipient? By asking some questions you can stimulate additional review on the customer side to define these things. So it's important for us to not only know about the tactics being used out there, but also have good processes internally so we can help protect our customers in any place.
I wonder if, over time, banks will stop accepting wire transfers based on emails. I've also heard of schemes where fraudsters have been able to forward the phone number of the wire transfer approver the bank has on file to their own number temporarily and impersonate that person, and then switch the number back.
I would recommend to any financial institution or company that an email by itself should not be enough to get a wire initiated. Email by itself is not good enough for Bank of the West, and it shouldn't be good enough for our customers. There should be other business processes established to validate the details of the wire and the legitimacy of a wire and make sure it's not an account that's being taken over or a copycat domain that's been set up.
Do you have a sense of the volume and scale of these attacks?
It's been around for well over a year, probably closer to two, in various forms. We've gotten a number of inquiries, notifications from law enforcement groups as well as other financial institutions. We also, along with our international business partners, have gotten indication that it's an international scheme. Because there hasn't been a way to describe it, it's been tough to dig in and figure out how big the problem is. That's one of the reasons why, as we figure out how we can effectively communicate with our customers, we wanted to put this term "masquerading" on it. That way, hopefully as things move forward, if more folks use the term "masquerading," it will be a little bit easier for us to go back and do analysis and figure out how big the issue is and who's impacted. The more we can wrap people's minds around this concept, the more they'll be aware and hopefully not fall victim to the scheme. If you're doing research on it, if you search "wire fraud and email," you get millions of hits coming back. It's difficult without a label on it to really figure out exactly what you're talking about.
Are there technologies that help prevent masquerading?
Having good authentication is important, and validating through a second communications channel can help out. The suspicious activity monitoring is critical. When that earmarks a suspicious wire, that gives the bank the chance to hopefully think twice about the transaction, how it's been originated, the details around the transaction. And hopefully stimulate enough conversation and thought within the company that at that point they would realize the transaction was fraudulent, and not wait for the CEO or the month-end reporting or whatever mechanism would uncover the fraudulent activity.
It's not just about the bank systems or bank authentication. It's about having good operational practices at the client company. That's why we're doing what we're doing. We're trying to get out there proactively to our customers and the customers of other institutions and say, "think about your internal processes, think about these large financial transactions you execute in the course of doing business every single day. Do you have any weak spots? Is there anything you could be doing inside your company to validate the transaction?"
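As an added illustration of the review checks Pollino describes (a copycat sender domain, a payee or amount outside the customer's normal pattern, and an email-only request with no independent verification), here is example code that is not Bank of the West's system or Pollino's; the baseline fields, the edit-distance threshold and the sample values are assumptions.

```python
"""Hold-for-review checks on a wire request, modelled on the interview's advice.
Added example, not the bank's monitoring system. Assumes a per-customer
baseline (legitimate email domains, known payee accounts, typical maximum
amount) maintained by the bank; all values below are constructed."""
from dataclasses import dataclass


@dataclass
class WireRequest:
    sender_domain: str          # domain of the email that asked for the wire
    payee_account: str
    amount: float
    via_email_only: bool        # no phone or in-person request accompanied it
    verified_out_of_band: bool  # payee details confirmed over a second channel


@dataclass
class CustomerBaseline:
    legit_domains: set
    known_payees: set
    typical_max_amount: float


def _fold(domain):
    # collapse common look-alike substitutions before comparing domains
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(bad, good)
    return d


def _edit_distance(a, b):
    # Levenshtein distance; a small distance between domains means a copycat
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit_domains):
    """True if the domain is not legitimate but is within 2 edits of one."""
    if domain in legit_domains:
        return False
    return any(_edit_distance(_fold(domain), _fold(d)) <= 2 for d in legit_domains)


def review_wire(req, base):
    """Return the reasons (possibly none) to hold the wire for a call-back."""
    flags = []
    if is_lookalike(req.sender_domain, base.legit_domains):
        flags.append("copycat sender domain")
    elif req.sender_domain not in base.legit_domains:
        flags.append("unknown sender domain")
    if req.payee_account not in base.known_payees:
        flags.append("new payee")
    if req.amount > base.typical_max_amount:
        flags.append("amount above customer's normal pattern")
    if req.via_email_only and not req.verified_out_of_band:
        flags.append("email-only request without independent verification")
    return flags
```

An empty result means the request matches the customer's established pattern and arrived with second-channel confirmation; any flag is a prompt for the call-back questions the interview lists.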