Fake Transfer Orders, What are They and How to Avoid Them

A Fake Transfer Order (FTO) consists of tricking the victim into transferring funds to an account held by the cybercriminal. The methods used in an FTO vary: sometimes the request appears to come from a senior manager and is presented as “urgent and confidential”. This is far more effective than you would think, even when such a request breaks the accepted rules of operation.

Another variant consists of the criminal mimicking the identity of a genuine supplier to announce a change to the bank details to which a payment must be made. A similar version uses the identity of an employee to request a change to the bank details used to pay their salary. These fraud attempts can be the result of a genuine user account being hacked, or simply of clever manipulation of the email display name to make the message appear genuine.

How do you protect your business against an FTO?

  • Make your employees aware of the risks of phishing messages aimed at stealing their passwords or other sensitive information. Reduce the risk further by using an email protection system which identifies and quarantines phishing messages.
  • Issue clear procedures to authorised employees on the rules for authenticating issuers and confirming transfer requests, dealing with unusual requests, or validating changes in bank details.
  • Set up strict verification and validation procedures to manage unplanned transfer requests or the acceptance of changes in bank details.
  • Review the publication of information (web site, LinkedIn page, etc.) which enables criminals to identify and contact your authorised employees to make transfer requests or changes to bank details. Cyber criminals can harvest enough information from social media profiles to build convincing spear phishing messages.
  • Be aware that a data breach or leak which appears only to have exposed innocuous details, such as your staff’s email addresses or positions in the company, may give the criminals enough information to initiate a phishing attack. Encrypting all of your data can mitigate this.
  • Enforce complex passwords on email accounts and avoid using the same password for other systems; better still, use a premium password manager.
  • Enable two-factor authentication on all accounts and all systems and services including SaaS services.

A simple but effective method of showing whether an email originated from an external source, even if it appears to come from within your organisation, is to prepend a label of “[External]” to the subject field of all incoming email messages. This will help to spot a fraudulent attempt regardless of how genuine it seems to be.
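As an added illustration (not code from the original article), the following Python sketch applies that rule the way a mail gateway would: it decides on the real sender address rather than the display name, treats a missing or malformed address as external, and does not double-tag a message that already carries the label. The internal domain and the sample message are assumptions.

```python
"""Tag inbound mail from outside the organisation with an "[External]" label.
The decision uses the real address in the From header, not the display name,
so "Finance Director" <director@examp1e.com> is still flagged."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical internal domains; replace with your organisation's own.
INTERNAL_DOMAINS = {"example.com"}
EXTERNAL_TAG = "[External]"


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From header, "" if none."""
    _display, addr = parseaddr(from_header or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_external(msg: Message) -> bool:
    """True unless the From address is in an internal domain (fail closed)."""
    return sender_domain(msg.get("From", "")) not in INTERNAL_DOMAINS


def tag_subject(msg: Message) -> Message:
    """Prepend EXTERNAL_TAG to the Subject of external mail; idempotent."""
    if not is_external(msg):
        return msg
    subject = msg.get("Subject", "") or ""
    if subject.lstrip().startswith(EXTERNAL_TAG):
        return msg  # already tagged, e.g. by an upstream gateway
    tagged = f"{EXTERNAL_TAG} {subject}".rstrip()
    if "Subject" in msg:
        msg.replace_header("Subject", tagged)  # keeps the header in place
    else:
        msg["Subject"] = tagged
    return msg


# Constructed sample: internal-looking display name, look-alike domain.
SAMPLE = (
    'From: "Finance Director" <director@examp1e.com>\r\n'
    "To: accounts@example.com\r\n"
    "Subject: Urgent and confidential - wire transfer\r\n\r\nPay today.\r\n"
)

if __name__ == "__main__":
    print(tag_subject(message_from_string(SAMPLE))["Subject"])
```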

Remember, if you do fall victim to this type of scam, keep the evidence: phone numbers, messages, emails or anything else you have received, together with the transfer orders, invoices and other related documents, so that you can report the scam to your bank, insurers and law enforcement.