Fraudsters around the world (and particularly in Eastern Europe) must thank their lucky stars every day for the presence of worldwide electronic connectivity. Our electronic togetherness has allowed them to rise from the ranks of risky blue-collar crime to the lucrative anonymity of white-collar crime, particularly in countries with lackadaisical law enforcement regimes more interested in resolving domestic, as opposed to cross-border, crime. Through the presence of the World Wide Web, criminals are focusing on cyber crime as their ticket to prosperity.
One of the most successful and elegant approaches is referred to as “account takeover.” In this scheme, fraudsters hammer various corporate addresses with messages that contain Trojan Horse key-logging software. If the message attachment is opened, a key-logging program is installed and the fraudster can then monitor the unsuspecting corporation’s traffic, waiting to pick up key information, such as passwords to enterprise or third-party payroll or accounts payable systems. Then, late one night before payday or a particularly active invoice payment cycle, the criminal logs on and creates a number of fictitious transactions (or modifies the payee account information in already staged transactions), which are then transmitted the next day, usually through ACH, but sometimes as wire transfers.
Typically, the scheme is facilitated by the hiring of so-called “money mules,” unsuspecting college students or other employment-hungry individuals, who are tasked with opening bank accounts around the country that can receive the now fraudulent transfers. These money mules are frequently hired from public employment websites such as Monster.com, believing that they are working for a legitimate corporation. The mules are asked to await the transfer of funds into the account and then request that the bank wire out the funds, less the mule’s commission, to a well-disguised foreign bank account.
Hundreds of small to medium-sized companies around the United States have fallen victim to this scam over the past five years, discovering on payment day that their funds have been misdirected. Typical company losses have ranged from $200,000 to $1,000,000 and are usually non-recoverable. The success of these schemes depends on weaknesses in corporate fraud control, where simple precautions are skipped: allowing payroll or payables computers to have general Internet access, neglecting to implement timely dual-control procedures, or failing to demand and/or use the account security or fraud detection software offered by their vendors.
While the primary target of fraudsters has been payroll applications—since several payments can be affected in one session—the more lucrative target may be large-dollar payables, where one misdirected transaction may be extremely profitable. This activity raises a clarion call to corporations, particularly those growing rapidly and not focusing on their increased exposure, to ensure that internal procedures and vendor products are up to the task of addressing contemporary electronic fraud schemes. The presence of secure access controls, dual-entry approvals, and receiver account verification in such systems as Traxpay can be effective antidotes to accounts payable takeovers. The result? Corporate staff can sleep better at night while the bad guys toss and turn.
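The dual-entry approval and receiver account verification controls named above can be expressed as a release check over a staged payment batch. The following is an added example, not code from the original article or from Traxpay; the field names, the verified-payee table, the business-hours window and the sample batch are all constructed assumptions.

```python
from datetime import datetime

# Constructed baseline (assumption): payee -> account verified out of band.
VERIFIED_PAYEES = {
    "Acme Supplies": "000000011:1234567",
    "J. Rivera": "000000022:7654321",
}
BUSINESS_HOURS = range(8, 18)  # assumed policy window, 08:00-17:59 local


def review_batch(batch):
    """Return {payment id: [reasons]} for payments that must be held."""
    held = {}
    for p in batch:
        reasons = []
        known = VERIFIED_PAYEES.get(p["payee"])
        # Receiver account verification against the trusted baseline.
        if known is None:
            reasons.append("payee not in verified list")
        elif known != p["account"]:
            reasons.append("receiving account differs from verified account")
        # Dual control: a second, different user must approve the payment.
        if not p.get("approved_by") or p["approved_by"] == p["modified_by"]:
            reasons.append("no independent second approval")
        # Edits made late at night before the run are the pattern described.
        if datetime.fromisoformat(p["modified_at"]).hour not in BUSINESS_HOURS:
            reasons.append("last modified outside business hours")
        if reasons:
            held[p["id"]] = reasons
    return held


# Constructed sample batch staged for the next day's ACH run.
SAMPLE_BATCH = [
    {"id": "P1", "payee": "Acme Supplies", "account": "000000011:1234567",
     "modified_by": "clerk1", "approved_by": "mgr1",
     "modified_at": "2024-03-14T10:12:00"},
    {"id": "P2", "payee": "J. Rivera", "account": "000000033:9990001",
     "modified_by": "clerk1", "approved_by": "clerk1",
     "modified_at": "2024-03-14T23:47:00"},
    {"id": "P3", "payee": "Northside Consulting", "account": "000000044:5550002",
     "modified_by": "clerk1", "approved_by": None,
     "modified_at": "2024-03-14T23:49:00"},
]

if __name__ == "__main__":
    for pid, reasons in review_batch(SAMPLE_BATCH).items():
        print(pid, "HOLD:", "; ".join(reasons))
```

Held payments stay out of the transmitted file until someone other than the last editor confirms the receiving account through a channel independent of the payables workstation.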