Key takeaways
  • Fraudulent wire transfers remain a problem for private funds CFOs.
  • Establishing clear protocols can help protect organizations from common social engineering schemes.
  • A mix of technological and human controls offers the most comprehensive detection and mitigation coverage.

As a private funds CFO, you oversee many payments to many people and entities. In my two decades of working with private funds clients, I’ve seen that every one of those payments could be a target for fraud.  And once a fraud is perpetrated, even if you recover most or all of the funds, the reputation damage can be fatal. In at least one case that I know of, even though the firm was able to recover most of the funds after a fraud event, the firm’s biggest investor withdrew a planned commitment, forcing the fund to shut down.

For example, imagine your team is preparing a quarterly distribution to LPs. A longstanding investor responds to an existing email thread, asking to update their banking details ahead of the upcoming wire. The request comes from a known contact, looks routine and the timing makes sense. Your team updates the instructions and wires several million dollars. Days later, the real LP calls asking where their distribution is. That’s when you discover the original email account had been compromised and the funds were routed to a fraudulent account.

Email compromise attacks are common largely because they’re simple and effective for criminals to execute. Last year, they cost businesses more than $3 billion1 in the United States, according to the Federal Bureau of Investigation. In my experience, they can be devastating for an organization, with reputational, legal and regulatory costs that outstrip the funds stolen.

Fortunately, I’ve seen an increasing number of ways for organizations to defend themselves from such attacks. Improving controls in multiple areas can help set up a “Swiss cheese” defense where even if a control fails at one level – say, a phishing attack succeeds – the organization gives itself additional chances to identify and mitigate the attempt before any lasting damage can occur. Here are eight questions I like to ask to make sure an organization’s protection against funds transfer fraud is up to snuff:

Once a fraud is perpetrated, even if you recover most or all of the funds, the reputation damage can be fatal.

1. Do you require layered verification for all financial requests?

Money has to change hands before somebody can steal it. Building airtight protocols around any alterations to payment requests can stop well-intentioned changes from becoming disastrous.

  • Require two people to approve any change to standing payment instructions. The more eyes on each transaction, the more likely you are to catch something unusual.
  • Implement a “call-back protocol” in which accounts payable staff must use a previously verified communication channel to confirm any unusual requests, especially if those requests come from executives. Never use the contact info provided in the communication requesting the change.
  • Require staff to verify all banking changes, unusual or not, using a known, previously validated phone number.

2. Do you enforce strict email security controls?

Most email systems have built-in controls to help reduce the chances of a successful phishing attack. Make sure you understand what tools are available in your system – and turn them on.

  • Use email banners that flag external senders with messages such as, “This email originated outside the organization.” Encourage your staff to pay close attention to these flags, especially when messages include links.
  • Enable tools that open email links and attachments in a safe, isolated environment so malicious files can’t infect employees’ computers.
  • Your email host should offer guidance on setting up email authentication tools (e.g., SPF, DKIM and DMARC) which do behind-the-scenes checks to confirm an email actually came from the address in the “from” field.

3. How strong is your vendor management process?

I prefer for organizations to formalize protocols for vendors that make legitimate requests to update contact and bank account information. Having a formal process in place makes it more difficult for criminals to try to force you to take unnecessary shortcuts.

  • Maintain a centralized, verified vendor directory that includes approved contact methods so your teams have a single, easily accessed source of truth for that information.
  • Require vendors to follow a secure change-request protocol to change the information in that directory (for example, a written request followed by phone verification).

4. Do you encourage a “pause and validate” culture?

Criminals often circumvent protocols by pressuring people to move quickly. To defend against that tactic, I recommend training staff to slow down if they feel pressured, rushed or manipulated.

  • Establish a hard rule that all financial approvals must follow established accounts payable workflows and protocols, without exception, no matter who makes the request.
  • Make it safe to question unusual requests, no matter who they appear to come from, even if the sender appears to be a high-ranking executive from your organization or an external one.
  • Reinforce the message that no one will be punished for taking steps to prevent fraud  

5. How strong are your technology controls?

Use technology to your advantage. AI-based controls can detect patterns of fraudulent behavior and help reinforce good security practices.

  • Use AI-based fraud detection to flag unusual behavior or payment deviations so your team can follow up on them.
  • Enable and enforce multi-factor authentication and disable outdated email access protocols (such as IMAP and POP) that can allow users – or attackers – to bypass it.

6. Do you conduct regular fraud simulations?

It’s better to catch weak spots in your defenses through tests than through experience. Keep your staff and your protocols up to date.

  • Run realistic business email compromise and invoice fraud tabletop exercises with accounts payable, treasury and executives.
  • Test staff regularly using simulated fraud attempts in addition to phishing tests.

7. Have you segregated duties in finance operations?

I advise against placing all the responsibility to detect and prevent potential fraud on a single person. Two people working together have a better chance of identifying an unusual request than one person working alone.

  • Different employees should be responsible for approval, accounting/reconciling and asset custody.
  • No single person should be able to initiate, approve and record transactions.

8. Do you monitor financial accounts daily?

Since every transaction is an opportunity for fraud, regular monitoring is critical. The sooner you catch something unusual, the sooner you can take action to mitigate it.

  • Set up real-time alerts for outgoing wires or ACH changes.
  • Ensure daily reconciliation to shorten the time window for detecting fraud.

Stay on top of cybersecurity controls

Cybersecurity is an ongoing, multifaceted effort in every organization. Identifying threats and assembling controls to mitigate those threats is the first crucial step. Reviewing controls and shoring up additional areas of weakness should be a regular, ongoing process as well.

FAQs

What is funds transfer fraud?

Funds transfer fraud is the redirection of a legitimate payment to a fraudulent account. Typically, cybercriminals use a compromised business email account or another form of social engineering to convince an authorized party to redirect an upcoming payment to a bogus account.

What is a call-back protocol for wire fraud prevention?

A call-back protocol is a requirement to use a previously verified communication channel to confirm any unusual requests, rather than the contact info provided in the communication requesting the change.

How does out-of-band authentication help prevent fraud?

Out-of-band authentication is a security protocol that requires users to verify their identity through at least one additional communication channel, such as a mobile device. This extra step can help ensure the authenticity of instructions.

How often should private equity firms conduct fraud simulations?

Private equity firms should conduct fraud simulations on a regular basis, ideally monthly.