The new Real-Time Payments (RTP) system holds great promise for increasing the efficiency of companies’ payment processes while meeting their customers’ demands for faster payments and improved messaging to support digital commerce. However, as adoption of the network accelerates, users need to be aware of an added risk: Fraudsters are likely to start targeting RTP transactions in business email compromise (BEC) scams.
Traditional BEC methods
In a BEC scam, the attacker gains access to a corporate email account or spoofs the owner’s identity to defraud the company. The attacker assumes a false identity to trick the target into sending money to the attacker’s account. The two most common types of attacks are:
- CEO fraud. The attacker poses as a high-ranking company executive, such as the CEO or CFO, and makes an email request of a junior employee, usually to transfer funds to a seemingly legitimate account that’s actually under the fraudster’s control.
- Fraudster masquerading as a vendor. This scenario is very similar, but instead of a company executive, the fraudster poses as one of the business’s vendors and requests that its payment information be changed, with the stated reason often being that the vendor has started a new banking relationship. The employee initiates the payment, and the scam goes undetected until the actual vendor contacts the company and asks why it hasn’t yet been paid. Sometimes the fraudster first introduces malware into the company’s systems to research which employee and vendor to involve in the scam.
BEC scams can begin with a genuine account takeover, through hacking or malware. When the method of attack is spoofing instead, fraudsters often use a sender email address nearly identical to a legitimate, expected sender address. For instance, an email purporting to be from vendor Best Plumbing (BestPlumbing@123.com) might actually come from BestPlurnbing@123.com. The legitimate and spoofed addresses appear the same. However, in the fraudster’s sender address, the “m” in “Plumbing” has been replaced by an “r” and an “n,” which at a glance can look like an “m.” Spoofing is easy to execute because the core email protocols themselves provide no sender authentication.
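As an added, defender-side illustration of the look-alike address trick described above (example code, not from the original article), this Python check collapses visually confusable sequences such as “rn” for “m” and flags any sender that is a near miss of a constructed vendor allow-list; the allow-list entries, confusable pairs and the edit-distance threshold are assumptions for the example.

```python
"""Flag sender addresses that look like, but are not, a known vendor address."""
from typing import Optional, Tuple

# Constructed allow-list of expected vendor senders (sample data for this example).
KNOWN_SENDERS = {"bestplumbing@123.com", "billing@acme-supply.example"}

# Character sequences that read like another letter at a glance ("rn" looks like "m").
# Assumed list; extend it with whatever confusables matter for your vendor names.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]


def skeleton(addr: str) -> str:
    """Map an address to a canonical form in which confusable sequences are collapsed."""
    s = addr.strip().lower()
    for seq, rep in CONFUSABLES:
        s = s.replace(seq, rep)
    return s


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch a dropped or added character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(addr: str) -> Tuple[str, Optional[str]]:
    """Return ("known" | "lookalike" | "unknown", closest known sender or None)."""
    a = addr.strip().lower()
    if a in KNOWN_SENDERS:
        return "known", a
    sk = skeleton(a)
    for known in KNOWN_SENDERS:
        # Same skeleton catches rn/m swaps; distance <= 1 catches a single typo-style change.
        if sk == skeleton(known) or edit_distance(a, known) <= 1:
            return "lookalike", known
    return "unknown", None


if __name__ == "__main__":
    for sender in ("BestPlumbing@123.com", "BestPlurnbing@123.com", "bestplumbing@123.co"):
        print(sender, "->", check_sender(sender))
```

A “lookalike” verdict is a reason to route the payment request to the call-back procedure rather than to process it.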
BEC has victimized many companies. However, if there has been a silver lining, it’s that BEC scams have traditionally attempted to redirect Automated Clearing House (ACH) and wire transactions, electronic payment types that can take multiple days to settle. This lag time between payment initiation and settlement gives targets and their financial institutions time to question and ultimately reject many such fraudulent payments, before the attackers can drain those funds.
Unfortunately, real-time payments don’t offer the same safety net.
Less settlement lag time = added risk
The Clearing House, the oldest banking association and payments company in the United States, launched the RTP network in late 2017. According to the association, “RTP will make everyday financial tasks such as paying bills, issuing invoices, making payroll or settling insurance claims faster, safer and more satisfying for businesses and consumers across the country.”
When it launched, just a handful of U.S. banks were conducting transactions through RTP. But many other financial institutions, including Fifth Third, are working to integrate their systems with the payment rail and plan to roll out RTP transaction capabilities. The stated goal of The Clearing House is to ensure every U.S. financial institution has easy access to the new network by 2020.
Despite the many benefits of RTP — including payment certainty, flexible messaging and improvements in speed and transparency — the new payment network exposes users to an element of heightened risk. RTP’s instantaneous settlement eliminates the lag time afforded by ACH and wire transfer payments, reducing the ability of banks and their clients to thwart BEC scams once fraudulent payments are initiated. As a result, RTP payments are anticipated to become more attractive targets for BEC scams when compared to ACH and wires.
Protecting your business
With more fraudsters expected to shift the focus of their BEC efforts to redirecting RTP payments, corporate treasury managers using the new rail should take these steps to protect against possible attacks:
- Increase fraud awareness. Educate employees responsible for initiating payments about common forms of business email compromise fraud.
- Institute dual controls. Always have different employees authorized to initiate and approve payments. That way, if the first employee is fooled by a fraudster’s email, you get a second chance to thwart the payment request.
- Establish call-back procedures. Train employees to challenge any suspicious emailed payment requests by confirming them directly with the party making the request. But have them use a channel other than email. For instance, they could phone a vendor that’s asking for a larger-than-usual payment or walk down the hall to ask an executive in person about a suspicious request.
- Employ Trusteer Rapport. To thwart the use of malware to further BEC scams, Fifth Third clients can download Trusteer Rapport security software for free from the bank’s website at http://www.trusteer.com/en/landing-page/fifththird. This endpoint detection and response technology works with existing anti-virus and firewall software to detect malware intrusions.