On January 17, 2017, officials in Farmington, Connecticut disclosed that the town was recently the victim of a multi-million dollar theft likely perpetrated by sophisticated cybercriminals operating in China. The thieves intercepted a $2 million dollar Automated Clearing House (ACH) transfer that was intended as payment to a local company for work on a large town project.
The theft, which serves as a stark reminder to organizations of the need to assess and update their money transfer internal controls, is the latest in a string of cyber fraud schemes exploiting ACH, Society for Worldwide Interbank Financial Telecommunication (SWIFT), and other money transfer systems. Similar thefts of municipal money have been reported in Kansas, Texas, and New Hampshire, and attacks on banks in Ukraine, Bangladesh, and Ecuador have resulted in losses ranging from $10 million to $81 million.
The exact methods used by the Farmington thieves have not been disclosed, but analysis of similar attacks suggests that the criminals exploited weaknesses in money transfer procedures to gain access to ACH transfer instructions and then make changes directing the money to different accounts. Similar methods have been used to fraudulently redirect funds transferred via ACH, SWIFT, and traditional wire transfer. It is important to note that attackers using these methods are not “hacking” or breaking into the ACH, SWIFT, or wire transfer system, but are instead manipulating personnel into mistakenly making transfers to unintended recipients.
In response to the rising number of money transfer thefts, SWIFT recently published a set of 27 security controls designed to prevent and detect fraudulent use of the SWIFT network infrastructure. These controls will become mandatory for all SWIFT customers beginning in 2018.
Regardless of mandate, all organizations making use of SWIFT, ACH, wire transfer, or other money transfer networks should assess the strength of their internal controls and implement compensating control mechanisms in order to minimize the possibility that staff, employees, or management might be manipulated into unknowingly transferring money to cyber-criminals. As a best practice, many organizations now mandate that all money transfer instructions be confirmed by phone, to a number not provided solely in the transfer instructions, in order to eliminate the risk that a fraudulently altered email results in a transfer to a criminal account.