CUNA Mutual Group Risk Alert: Fraudulent Wires Requested via Email

Credit unions have recently reported fraud cases involving wires requested via email by fraudsters impersonating members, as well as credit union CEOs. The fraudsters hack members’ personal email accounts and send fraudulent wire requests to credit unions from within the hacked accounts or use look-alike email domains to send the wire requests. The CEO email fraud attempts involve fraudulent emails sent from within CEO’s hacked email accounts requesting wires to pay vendors.

Recent wire transfer fraud losses reported by credit unions involved fraudulent email requests. In some cases, the fraudsters hacked into members’ email accounts and sent wire requests to the credit union from within the hacked account making it appear the emails originated from the members. In other cases, fraudsters used a look-alike domain name to send emails to credit unions requesting wires.

Here are two examples:

  • A business member’s email account was hacked. The fraudster sent two emails from within the hacked account to the credit union requesting wires totaling $265,000. The branch employees failed to authenticate the requests as required by the credit union’s procedures.
  • A business member’s email domain was spoofed. The fraudster sent four emails from a look-alike email domain requesting wire transfers totaling $58,000.

The use of fraudulent emails to request wire transfers is very similar to the CEO email fraud scam or Business Email Compromise (BEC). This scam targets both businesses and individuals that perform wire transfers. According to the FBI’s recent report on BEC, total global losses between October 2013 and May 2018 reached $12.5 billion. Domestic losses for the same period reached $2.9 billion.

Credit unions are also reporting losses from the CEO email fraud scam:

  • In one case, the CEO’s personal email account was hacked. The fraudster sent three emails to the credit union’s CFO from within the hacked email account requesting wires totaling over $400,000 to be processed as soon as possible to pay a vendor. The wires were executed based on the fraudulent instructions.
  • In another case, the credit union’s CFO’s email account was hacked. The fraudster found emails the CFO exchanged with the Federal Home Loan Bank (FHLB) and sent an email to the FHLB requesting a wire. The fraudster set-up email rules to divert messages from the FHLB to the CFO’s deleted message folder. The credit union discovered similar rules set-up on the CEO and VP of Finance’s email account. There was no loss as the FHLB does not accept wire transfer requests via email.

Risk Mitigation
Credit unions should consider these risk mitigation tips:

Members requesting wire transfers by email:

  • Avoid accepting large wire transfer requests by email from members who do not have a signed wire transfer agreement on file. For members with a signed agreement, ensure the emailed request is authenticated in accordance with the security procedure established in the agreement.
  • Check the member’s account to determine if the email address was changed in the last 90 days.
  • Scrutinize the email address comparing it to the email address on file to detect spoofed emails.
  • Determine if this method of requesting wire transfers is normal for the specific member.
  • Require an out-of-band method for authenticating a member’s emailed wire transfer request. It should be noted that callback verifications combined with security questions are easily defeated by fraudsters. An out-of-band method leveraging the use of one-time-passcodes transmitted by email and/or SMS text message can be risky due to email accounts being hacked and the mobile phone port-out scam.

Internal wire transfer requests (e.g. from the CEO) received by email:

  • Prohibit employees from using personal email accounts for credit union business.
  • Use an out-of-band method for authenticating internal wire transfer requests received by email. Examples include verifying the request face-to-face with the requestor, calling the requestor’s extension or mobile phone.
  • Educate key employees on the CEO email scam.

Risk Prevention Resources
Access CUNA Mutual Group’s Protection Resource Center at cunamutual.com for exclusive risk and compliance resources to assist with your loss control. The Protection Resource Center requires a User ID and password. Review these to learn more: