A Q&A with Ryan Castle of Conduit Security
“Wire fraud” is a broad term that can encompass many different crimes—it’s also one of the top areas of cybersecurity threats today. To get a better grasp on wire fraud, why it poses a threat, and how it can be avoided, we talked to Ryan Castle, founder of Conduit Security, an independent security firm which specializes in wire fraud prevention.
Can you give us a glimpse into the world of wire fraud? Is this a growing problem?
First, it’s worth defining what we call “wire fraud.” For us, it’s a generic term that covers what you may have heard called business email compromise, social engineering, phishing, and wire transfer fraud. You can track the trends through the FBI reports, and in 2022, the number was $2.7 billion in reported losses.
What I can tell you is that these numbers are grossly underreported. Many organizations do not report these incidents to the FBI, so it could potentially be twice as much. The criminals are typically overseas and lost funds are very difficult to recover, so many organizations do not report losses.
Our second source of data is insurance carriers, and their numbers are also equally staggering—though, like the FBI, they are not getting completely accurate reports. Surprisingly, this crime is as large as—and in many cases eclipses—ransomware in terms of the dollar amounts lost.
Who is committing these crimes, and why?
Most of the cyber criminals that we’re talking about are in this for financial gain, and they are generally not trying to make an activist statement or acting on behalf of a nation state. Because it is so profitable, some criminals, who have traditionally been involved in ransomware, have actually been cross training with the groups involved in social engineering wire fraud schemes to learn about their tactics and techniques.
How is technology abetting their work?
The Federal Reserve has come up with an effective and instantaneous payment system called FedNow, which enables the movement of money to occur much more quickly domestically. This is going to be a benefit to wire fraud criminals because the quicker they can move money, the less likely it is to be recovered.
The second element is generative AI. Some crime attempts today are stopped because of language barriers and other tip-offs people have been trained to look for in phishing emails. But with the growth of generative AI, it’s become very easy for these guys to both surpass language barriers and write very convincing emails, documents, or invoices really quickly and at scale.
What are some of the most common instances of wire fraud happening today, and how do they typically occur?
There are so many variations, but to share a common fraud we see: there is a payment that your organization fully expects and intends to pay. Think of a legitimate invoice to a real vendor who’s actually provided services. What happens is that, somewhere along the chain of communication between you and the vendor, a bad guy becomes aware of this transaction. The criminals swap out the vendor’s legitimate banking instructions for their own.
That could be the account number and routing number on the invoice, details in an Excel spreadsheet on a funds flow statement, or information on a legal document. They use all these different techniques by modifying real documents, creating new documents, or just changing the body of an email. Frequently, payment instructions are coupled with a little bit of urgency. For example, submit the payment in X amount of time or incur fees or penalties.
How do these fraud attempts bypass detection?
Generally, this payment will pass all of the different approval levels in an organization, because it’s a routine payment that they’re intending to pay and the payment instructions in the bank will match the instructions on the invoice. Internal approvals are designed to prevent embezzlement and mistakes. What is missing is an audit trail to show who, if anyone, validated the instructions, how they validated them, and what was validated.
Are there any common characteristics among the victims you’ve seen?
This is a little bit surprising but among the victim organizations that I have worked with, all of them have had policies, procedures, training, and awareness in place. Many people think this is an issue stemming from a lack of good policy, training, and awareness. That is not the case.
What I have found is that even though organizations are aware and have fairly decent policies in place, the policies lack technical controls and are not realistic given the needs of the business. It comes down to deadlines and making risk-based decisions.
Are there any common misconceptions about wire fraud you want to clear up?
The biggest one is that people assume that there are many internal approvals that will safeguard against fraud. But if it’s a real vendor, a real invoice with a correct amount, it’s easy to miss the social engineering component.
Another common misconception involves bank callbacks and bank protections. Most organizations have the correct bank protections in place, where banks will call back to verify with someone other than the creator of the electronic transaction to ask if you intended to make the payment. But the bank is ensuring they have proper approval from your organization—not validating that you have the correct instructions for payment. The bank cannot be held liable once they have a recording of you or your CFO or controller releasing the payment.
How does insurance account for this type of fraud?
It’s going to fall under social engineering coverage, which may be under your criminal policy versus your cyber policy. What we’ve seen is that people generally do not have very much coverage, and some have zero coverage here. Either way, the amounts are significantly lower than what is covered in your traditional tech intrusion type of cybercrime.
Social engineering coverage is limited by carriers due to the frequency and size of these crimes. We often see people who have a false sense of security that it’s covered. It takes a deep understanding and a thorough reading of your policy to really dig out what the actual coverage is.
What can companies do to protect themselves from wire fraud?
Understand the risk your organization faces, and this comes down to how many electronic payments you are making. This includes ACH payments for vendor invoices and one-off wires for investments or closings. What type of insurance coverage do you have for this risk?
From my experience, many people have a very good grasp on the typical financial controls around preventing embezzlement and mistakes. What is generally not as strong is the prevention of these social engineering issues. Social engineering is generally thought of as a cyber crime issue that the IT team handles.
I disagree with that and view wire fraud as an issue that the finance team needs to own and solve. The team must have a repeatable and scalable system in place to help you address this fraud. If you think about any other financial control that’s in place, generally there is a policy or procedure and then there will be a technical control that enforces those policies and procedures.
For example, organizations will have a policy that states two different people must create and release payments. That alone is not sufficient. To enforce that policy, the organization will configure payment software to require dual sign-offs or require their bank to contact the CFO before releasing payment.
The big gap in wire fraud is a lack of technical controls used by finance teams to ensure that the verification policy is followed. Additionally, any system or technical control has got to fit in with your business. It can’t slow down payments and deals or people won’t use it. Arm your finance team with a tool that allows them to move quickly while helping them make good risk-based decisions.
It should be very evident when transactions are safe, and we can all collectively move very quickly. When transactions are unusual or risky, the finance team will spend their time on those riskiest transactions. Finally, this system should be made transparent, so we can be very clear about what everybody has done and who has been responsible for approvals.
Any final thoughts to share with our readers?
Money lost through wire fraud is very, very hard—if not impossible—to get back once it’s been sent. After 24 hours, you likely won’t be able to recover it. Building a system and having a tool that, number one, arms finance people who are responsible for initiating these payments to make sure that they are making the right decisions; and number two, creates a financial approval process to really expose those steps to everybody in the chain. That way, as a team you can work together and hold each other accountable to ensure that this crime doesn’t happen.
Conduit Security is very happy to engage with anyone, whether it’s conducting a risk assessment, helping you to understand your policy, or identifying gaps in your process. Secondarily, we are very happy to engage with you to help put a process into place that won’t slow you down. Our goal is to ensure that you are not at risk for social engineering wire fraud.
To learn more about Ryan Castle and Conduit Security, visit their website.
To learn more about Mark Greisiger, visit this page.
