Risk Warning Regarding the Increased Use of Compromised E-mail Accounts to Commit Fraud

11th March 2015
The Commission is aware that there has been an increase in the number of attempted, and in some cases successful, frauds on customer bank accounts held with local financial institutions. This has occurred via the use of compromised e-mail accounts or through the "piggy-backing" of e-mails. These fraudulent attempts are being made across a wide range of financial institutions with as yet no identified pattern as to how customer e-mail accounts are being accessed.
The common characteristics of this activity appear to be the following. A financial institution will receive an e-mail allegedly from one of its existing customers. The e-mail is designed to give the impression that it has been written and sent directly by the customer. The e-mail typically requests that funds (often in amounts that would ordinarily not give rise to additional scrutiny) be paid away to another account held in another jurisdiction. In some cases the receiving account has been in the client's name, but is in actual fact controlled by the fraudster.
The Commission has liaised with the FIU and drawn on experience from the industry in order to identify the following steps which businesses should consider adopting to manage this risk:
- Due to the non-face-to-face nature of e-mail instructions, businesses should be alive to the risk of e-mails being used for identification fraud.
- When an instruction is received by e-mail, businesses should ensure that they verify those instructions via a telephone call to a party authorised to give instructions. This should occur whether the instruction is to change the details of a customer or to transfer funds to or from an account.
- Any e-mail address should be validated against existing records. Further enquiries should be undertaken if the e-mail address is not familiar or has not been previously used to correspond with the business.
- Any request for payment to an account based in a jurisdiction where the customer has not previously undertaken business, where the payment is not consistent with the expected activity of the customer, where there is a recognised heightened risk of corruption or bribery, or where there is a known risk of poor or weak AML/CFT measures, should be the subject of additional enquiry and verification prior to any payment being processed. Where there is uncertainty, the matter should be canvassed with a member of senior management and, where a suspicion is formed, with the MLRO or Nominated Officer.