Fraud Involving Wire Transfers and ACH Authorizations
Do you have adequate controls over wire transfers or ACH transactions?
Recently, several of our clients have been victims of fraudulent wire transfers and ACH schemes. In all cases, the wire transfer or ACH request was communicated to the person authorizing the transaction via email. The valid email account of the manager, employee or vendor was hacked and the hacker made a request for either fraudulent wire transfers for what appeared to be valid payments to vendors or changes to payroll ACH transactions.
To prevent processing fraudulent wire transfers or ACH transactions, management should put controls in place. Wire transfers and ACH transactions should always be verified by a phone conversation with the individual initiating the request via a phone number management has on file. The hacker may have changed the number shown on the email signature, so do not call the phone number listed in the email. Establishing a procedure where a second individual must authorize any wire transfers for a specific Association would further strengthen the controls over wire transfers. Whenever possible, wire transfers should be limited to situations where payment cannot be made by check.
In addition, remind all employees to change their email passwords at least monthly. Check with the Association’s insurance agent to find out if additional insurance coverage is needed to cover this type of fraud, such as cybersecurity insurance. If the Association already has this type of coverage, the Association should verify that the coverage levels are adequate.