According to the Association of Certified Fraud Examiners (ACFE), the average organization loses about 5% of its revenue to fraud each year. Today’s fraud comes in many forms, and one that has begun to occur with greater regularity is wire transfer fraud. Just ask the Texas-based company Orion. Last August, the company reported losing $60 million due to a transfer fraud scheme.  And Orion is not alone. The Consumer Financial Protection Bureau reports that the number of wire transfer fraud claims it has received has jumped from 88 in 2020 to 355 in 2023.

As with most problems, understanding is the first step in curbing this fast-growing issue. Wire transfer fraud occurs when scammers convince a company to send money to a fraudulent account. While weeding out suspicious requests like this may seem rudimentary, it’s not. Criminals are using sophisticated techniques that security systems are unable to detect.

How a Wire Transfer Fraud Begins

A typical wire transfer fraud starts with a business email compromise (BEC), where the fraudster either gains access to a legitimate employee email account or creates a fraudulent one using publicly available data. In the latter case, the fraudster will often generate an email using the name of a high-ranking executive or trusted vendor, someone that most people wouldn’t question.

In both cases, the accounts look legitimate and tend to slip through the cracks of standard bank account validation processes (don’t get me started on those). Little action is taken initially, allowing the scammer to build up sufficient trust while avoiding suspicion. Once credibility has been established, the fraudster acts. This action can manifest itself in many forms.

For one, it could be a payment change request where they ask for funds to be sent to a new account. Or the scammer posing as a trusted vendor sends fake invoices for work that was never delivered, with the payments sent to a fraudulent account. Whatever the case, scammers often create a false sense of urgency with the request, hoping to create additional pressures that result in the victim skipping common questions and fulfilling the request immediately.

What About the Victims?

So, where does this leave the victims? It starts with examining their current systems. Most victims will learn that these systems fail because they are looking for clear signs of malicious activity. Think phishing attack. However, fraudsters succeed because they use sophisticated social engineering tactics that don’t sound alarming. For example, earlier this year in Hong Kong, attackers impersonated a CFO during a video conference, leveraging deepfake technology to dupe a finance employee into making a fraudulent $25 million wire transfer. Yes, this example is far less typical than when a criminal takes over an employee’s email account, but the result is the same.  Solutions such as Secure Email Gateways (SEGs) fail to detect any unusual behavior because, as far as they are concerned, none exists.

Behavioral AI tools also miss the mark. These tools use AI to analyze, predict, and respond to human behavior patterns. Are they powerful tools? Of course, but that doesn’t mean they are without fault. Like the examples above, behavioral AI tools excel in spotting unusual behavior, but their effectiveness significantly diminishes when everything is “business as usual.” Fraudsters count on this, and it’s why they are committed to playing the long game, exhausting weeks and months, acting like a typical employee before eventually acting.

Armed with solutions that cannot detect threats, companies must shift their approaches to those that span the entire payment process from email security to anomaly detection of atypical account changes in other areas, such as enterprise resource planning (ERP) platforms. One example is duplicate invoices, which occur when the scammer submits the same invoice multiple times but with slight variations, such as different dates or invoice numbers.

A duplicate invoices campaign may not seem like the best get-rich-quick tactic, but according to the Washington State Auditor’s Office, organizations make duplicate payments ranging from 0.8% to 2% of their total costs.  Another study from SAP Concur found that small to medium-sized companies could be processing as much as $12,000 monthly in duplicate invoices.

Many traditional email-focused tools overlook ERP systems, which include many business operations and data types. They are also extremely complex, so many email security tools cannot monitor and protect them, opening the door to fraudsters.

AI Solutions

Stopping wire transfer fraud requires solutions powered by AI, which are far more effective than traditional solutions because they can monitor all of a company’s operations. With AI, organizations can examine emails for subtle tone changes and spot suspicious links. These systems can also scrutinize all parties included in the communication chain and then create risk and trust scores that provide teams with an early warning of potential incidents so that potential threats can be addressed immediately.

Understanding a business’s vendor supply chain is essential because these smaller third-party companies often lack the same security infrastructure. As a result, these businesses are perfect targets for scammers, who ultimately leverage their weaker defenses to gain entrance into larger businesses. By gaining visibility into the vendor supply chain, teams can enforce security protocols and close the doors on any fraudster looking to gain entrance.

Unless businesses shift their traditional approaches, all efforts to spot malicious activity will fall short. Spotting fraudulent actors hiding behind seemingly normal day-to-day behavior requires AI. More specifically, AI-powered systems that can integrate into all payment processes, see the warning signs that other systems cannot, and ultimately mitigate all threats.