A Subtle Change in Policy Can Stop Wire Fraud: Inbound vs. Outbound Calls

The best strategy to prevent wire fraud is an out-of-band communication, or a phone call to a known good number. Insurance requires it and your bank recommends it. Be aware: not all phone calls are equal. An inbound phone call can lead to large losses! An outbound phone call WILL GUARANTEE that your money ends up at the correct destination.

The problem with inbound calls is the use of caller ID “spoofing.” Spoofing allows the criminal to alter the caller ID, so the call appears to come from a trusted party. If the trusted party is a contact in the phone, the party’s name and photo will appear.

The criminal will make it seem they are “doing a favor” by calling to confirm the change in bank information. Spoofing allows the criminal to gain the victim’s confidence and verify the fraudulent transaction.

The solution is simple: always make an outbound call to a known good number. This completely eliminates the effectiveness of spoofed phone numbers and emails. While they can spoof any number when placing a call, criminals cannot receive a call on that same number.

To receive calls on a given number, the criminal needs possession of the phone or access to the carrier. Either of these methods is very difficult to carry out. In the event the criminal does pull it off, it’s critical to have a record of the call. Why? To prove the crime was the result of a technical intrusion and NOT social engineering. Cyber insurance has limited coverage for social engineering, but ample coverage for intrusions.

With so much at stake, criminals use every technique available to steal a business’s money. It is not safe to assume that the number on the caller ID is the person actually calling. Making an outbound call to a known, good number is the best way to ensure your transaction does not have bad instructions.

“We have seen written cash transfer policies that require a phone call to confirm banking changes. We recommend updating those policies to require ‘an outbound phone call to a known good number’ to confirm any changes. This is a subtle but vital distinction.”

Ryan Castle, CEO of Conduit Security