You have heard us say many times at PACE that phishing attacks are on the rise. No one is safe from potential exploitation by a cybercriminal. To them it is a full-time job where their tasks are to acquire your identity, your passwords, and your money!
A common tactic in the phishing world is CEO Fraud, or ‘Whaling’. This is when someone receives a convincing request, supposedly from a C-level executive within their organization, asking that an invoice be paid right away or that a wire transfer be sent to settle it. These emails are usually punctuated with a strong sense of urgency: “We need to get this invoice paid immediately or production is going to stop, and we will all lose our jobs!!!” or “If we don’t pay this settlement invoice right now the whole mediation could be at risk and we have to go to trial – we don’t want that!!!”
An email that looks like it is from the CEO or a senior partner with this sort of request can easily land in the hands of a new employee who isn’t up to speed on the company’s policies. Even a seasoned employee who is just too busy to investigate the request properly is at risk. It can cost a company many thousands of dollars. Every business should have a Wire/Electronic Funds Transfer Policy in place, and all staff should be aware of its contents.
The following can be used as a framework to create or update your existing policy.
Wire/Electronic Funds Transfer Policy Template
1. Purpose:
Indicate the purpose of the policy. Something like: The purpose of this policy is to establish guidelines and procedures to safeguard the company's financial assets, prevent fraudulent activities, and protect against ransomware and phishing attacks associated with wire or electronic fund transfers.
2. Authorization:
Clearly outline who can execute a wire transfer or electronic fund transfer. Transfers should be authorized only by designated individuals who have the authority to initiate and approve financial transactions. This includes clear identification of approvers and the use of multi-factor authentication.
3. Verification and Authentication:
Use this section to clearly outline your verification and authentication process. For example:
- All wire transfer requests must undergo thorough verification and authentication procedures. They are as follows:
- List acceptable means for one to request a transfer (does your company have a funds transfer request form that can be checked for authenticity?)
- Consider timeline enforcement (like a bank hold). This will help raise flags should an urgent request come through.
- Consider transfer limits in this process. Establish additional layers of approval based on amounts requested.
- Have a step where one can sign off that they have verified the legitimacy of the request through a secondary communication channel (e.g., phone call to a known number) before they process any wire transfer.
- Have Dual Authorization in place for significant transfers. This involves approval from at least two authorized individuals. Require that each approver submits their approval from a separate device and with their own login credentials.
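As an added example (not code from the PACE article or any product), here is how the verification steps above could be applied as a single checklist to each transfer request: request-form check, secondary-channel sign-off, a bank-style hold, amount-based dual authorization, and separate devices and logins for the two approvers. The hold period, dollar threshold, and sample names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed policy parameters for this example; a real policy sets its own values.
HOLD_PERIOD = timedelta(hours=24)   # "bank hold" delay before a transfer may be released
DUAL_AUTH_THRESHOLD = 10_000.00     # amounts at or above this require two approvers
NOW = datetime(2024, 3, 4, 9, 0)    # constructed "current time" used by the samples

@dataclass
class Approval:
    approver: str     # authorized individual who approved
    device_id: str    # device the approval was submitted from
    session_id: str   # login session / credentials used for the approval

@dataclass
class TransferRequest:
    amount: float
    submitted_at: datetime
    on_request_form: bool                 # arrived on the company's funds transfer request form
    callback_verified_by: Optional[str]   # who confirmed it by phoning a known number, else None
    approvals: List[Approval] = field(default_factory=list)

def check_transfer(req: TransferRequest, now: datetime) -> List[str]:
    """Return every policy violation found; an empty list means the transfer may be released."""
    problems = []
    if not req.on_request_form:
        problems.append("not submitted on the funds transfer request form")
    if req.callback_verified_by is None:
        problems.append("legitimacy not confirmed over a secondary channel")
    if now - req.submitted_at < HOLD_PERIOD:
        problems.append("hold period has not elapsed; 'urgent' requests get extra scrutiny")
    needed = 2 if req.amount >= DUAL_AUTH_THRESHOLD else 1
    people = {a.approver for a in req.approvals}
    if len(people) < needed:
        problems.append(f"needs {needed} distinct approver(s), has {len(people)}")
    if needed == 2 and len(people) >= 2:
        devices = {a.device_id for a in req.approvals}
        sessions = {a.session_id for a in req.approvals}
        if len(devices) < 2 or len(sessions) < 2:
            problems.append("dual authorization must come from separate devices and logins")
    return problems

def sample_request(amount, hours_old, approvals, on_form=True, verified_by="A. Clerk"):
    # Constructed request submitted `hours_old` hours before NOW.
    return TransferRequest(amount, NOW - timedelta(hours=hours_old), on_form, verified_by, approvals)

# A "pay this right now" request: large amount, one approver, no form, no callback, no hold.
rushed = sample_request(25_000, 1, [Approval("cfo", "laptop-7", "sess-a")], on_form=False, verified_by=None)
```

Calling `check_transfer(rushed, NOW)` lists four violations, which is the point: a whaling-style request should trip several independent checks, not just one.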
4. Communication Security:
Does your company use secure communication channels? List that here in this section, for example:
- Use secure communication channels for any wire transfer-related communication.
- Implement encryption technologies for emails, especially when transmitting sensitive financial information.
5. Training and Awareness:
It is highly advisable that organizations conduct regular training sessions for employees to increase awareness of phishing attacks and social engineering tactics. You can use this section to remind them that these courses are available and should be completed before executing any type of transfer.
6. Vendor Verification:
Have a place in your policy for how you manage vendor requests. For example, do you verify the legitimacy of new vendors and how often should you be updating vendor contact information?
If your vendor submits banking changes, detail the process for validating this type of change request in this section as well.
7. Reporting Suspicious Activity:
All organizations should foster a culture of awareness around cybersecurity. Use this section to encourage employees to report any suspicious emails, requests, or activities related to Wire/Electronic Fund Transfers immediately to the IT or security team.
8. Monitoring and Auditing:
If your company has a process for monitoring transfers, you will detail this here.
Include whether you will conduct regular audits to ensure compliance with the Wire/Electronic Fund Transfer Policy and to identify areas for improvement.
9. Approval and Adoption:
This Wire/Electronic Fund Transfer Policy is approved by [Name of CEO or relevant authority] and is effective as of [Effective Date].
Some additional best practices:
Review and Update: Regularly review and update the Wire/Electronic Fund Transfer Policy to adapt to evolving security threats and industry best practices.
Compliance: Ensure compliance with relevant legal and regulatory requirements related to financial transactions and data protection.
System Security: If you are a client of PACE, we regularly update and patch all systems and software to protect against known vulnerabilities. We also implement robust antivirus and anti-malware solutions to detect and prevent ransomware attacks. If you are not a client, regular updates and patches are an integral part of your internal security and should be performed as soon as they come up.
Incident Response Plan: Develop and maintain an incident response plan to address any suspected or confirmed cases of ransomware or phishing attacks. All employees should be trained in the proper procedures to follow in case of a security incident.
As a final note, you may also want to include a clause in your policy that explains what the discipline model looks like should someone on your staff fall victim. For example, is it mandatory security counselling? An HR disciplinary meeting? An impact on the yearly performance review? A monetary penalty or termination? Spelling it out in your policy will help if it ever needs to be enforced, but we truly hope you won’t need to!