Pub. 7 2019 Issue 3

www.uba.org

STUCK IN THE MIDDLE: HOW BANKS CAN MANAGE CLIENT TAKEOVER ATTACKS

By Jay Schulman and Loras Even

Many financial institutions find themselves in a difficult position as a growing number of their customers become targets of business takeover attacks. In these scenarios, hackers gain access to company funds through a variety of manipulation scenarios, often tricking an internal employee into sending a wire transfer.

The financial institution is often stuck in the middle; while it may not be responsible for any wrongdoing, customers typically turn to it for guidance and help recovering funds. This situation is similar to a person who drives a car recklessly but blames the mechanic when something breaks. Some companies have ineffective controls around their bank accounts or make poor decisions when sharing banking information. Regardless of the bank's lack of involvement in a fraudulent transaction, it will likely receive the first call when money goes missing.

Data from RSM's recent Middle Market Business Index Cybersecurity Special Report shows that organizations are becoming more concerned about business takeover threats. The survey found that 64% of middle market executives think their businesses are at risk of an attempt to manipulate employees in the coming year, a 9% increase from the previous year's data. These attacks are growing in popularity among criminals because of their low-tech and low-risk nature, combined with their potential for significant rewards.

Business takeover cases are simple on the surface, but can have complex details. For example, a portfolio company of a private equity firm recently required additional funds and sent an email to the PE firm's chief financial officer. A hacker took control of the portfolio company's email, sent a follow-up email with the hacker's bank account information and received a fraudulent wire transfer. The CFO quickly recognized that something was wrong and called the bank.

In this situation, the company and the hacker used the same bank, so the institution froze the funds. Unfortunately, the hacker was subsequently able to convince the institution to release the funds and wire them out of the country.

While financial institutions are not required to work with customers to encourage stronger protections against takeover threats or modify internal processes to identify fraud, making some small adjustments can make a big difference in deterring criminals.

EDUCATE YOUR CUSTOMERS

Many banks do not coach customers on how to discourage takeover threats or help them understand the importance of the tools at their disposal. For example, many institutions have two-factor authentication enabled for wire transfers, but many customers choose to disable it, creating unnecessary vulnerabilities. Any time a customer wants to turn off controls, the bank can step in to help them understand how social engineering works and why those controls exist. Coaching has value and can help a client avoid a painful experience.

In addition, banks should provide security information and offer training to their clients on a regular basis to help them understand threats and the role the bank plays. The bank needs to have more visibility into emerging risks and what behavior and activity clients need to avoid. Furthermore, financial institutions can use these touchpoints to check on the status
