Securing Funds Transfers (Out-of-Band Authentication and Other Considerations)

How to avoid becoming the next victim of funds transfer fraud

Funds transfer is the movement of funds from one party's bank account (the sender) to another party's bank account (the receiver). This process is heavily targeted by cybercriminals, who redirect the funds to a bank account under their control (known as funds transfer fraud). Funds transfer fraud is extremely damaging to any organization that falls victim to it: these attacks often involve a significant amount of money, and stolen funds are usually unrecoverable. Attackers use social engineering techniques such as email spoofing or business email compromise to carry out funds transfer fraud at organizations ranging from small local businesses to multinational corporations. On the bright side, protection against these attacks is possible, and the financially damaging repercussions can be prevented.

Preventative Measures - Introducing OOBA

Out-of-band authentication involves using separate channels for authentication. For example, the channel that is used to authenticate a user is completely separate from the channel used by the user to log in or perform a transaction. 

An example of an OOBA implementation is a customer logging into their online banking account from their desktop. The user logs in with their user ID and password and also receives a one-time passcode via text message on their mobile device. In this example there are two distinct and separate communication channels: the ‘internet channel’ used by the desktop and the ‘wireless cellular network’ channel used by the mobile device.

In the case of executing electronic payments, OOBA is a secondary verification of the request with the requester, carried out over a communication channel separate from the one the original request arrived on. An example of this would be calling a known and trusted phone number to confirm a change in payment instructions that a vendor sent via email.

With this layered approach in place, funds transfer fraud becomes much harder to carry out, because a threat actor would need to compromise both channels at the same time to succeed. Using separate channels therefore mitigates the risk of a fraudulent funds transfer actually taking place.

Why is OOBA important to prevent funds transfer fraud?

Out-of-band transaction approval is used when approving outgoing monetary transactions such as ACH or wire transfers. The goal of using out-of-band authentication is to prevent wire fraud, which is a fraudulent transfer of money. Cybercriminals use tactics such as email account compromise or phishing to spoof a trusted vendor or senior executive. By using social engineering, a cybercriminal can trick an employee into transferring funds to a fraudulent account.

An example of wire fraud is an employee in accounting receiving an email from a vendor requesting a change in payment instructions. Without proper due diligence and validation of the request's authenticity, the employee transfers the funds to the cybercriminal's bank account, only to discover a few days later that the vendor has not actually received any payment.

This example shows the value of implementing out-of-band authentication. If the employee in the above scenario had validated the change of payment instructions by contacting the vendor directly by phone, they would have detected the nefarious activity right away and avoided sending funds to the cybercriminal's account.

OOBA is important in preventing funds transfer fraud because it ensures that funds transfers are initiated, executed, and approved in a secure and authorized manner. Additionally, OOBA reduces the chances of a cybercriminal successfully completing a fraudulent funds transfer because most lack the time, resources, and technical sophistication to outmaneuver these security measures.

Best Practices 

  • Educate employees on how to recognize and deal with phishing emails through employee security awareness training programs.
  • Implement a Secure Email Gateway (SEG) to prevent spam, phishing and malicious emails from reaching your employees' inboxes in the first place.
  • Enforce MFA on email accounts to prevent an account from being compromised and used to initiate fraudulent funds transfer requests.
  • Train employees to validate and verify all payment requests with the vendor or requester directly by phone, using a known, trusted phone number, to confirm the authenticity of the payment request and its details (do not rely on the phone number in the email).
  • Include response steps in your Incident Response Plan should you experience funds transfer fraud. This should include steps for appropriate reporting to company management, the bank, law enforcement and your insurance carrier.
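The callback rule above (confirm over a different channel, using only the number on file, never the number in the email) can be enforced in the payment-change workflow itself rather than left to memory. The following is an added Python example, not code from the original article; the vendor record, channel names, and the function names risk_flags and approve_change are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Vendor master record captured at onboarding. The phone number here is the only
# one ever used for a callback; nothing quoted in an inbound request overrides it.
# Values are constructed sample data for this example.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Supplies", "phone": "+1-555-0100"},
}

@dataclass
class ChangeRequest:
    vendor_id: str
    new_account: str
    request_channel: str                     # channel the request arrived on, e.g. "email"
    phone_in_request: Optional[str] = None   # callback number quoted in the request, if any

@dataclass
class Verification:
    channel: str        # channel used to confirm, e.g. "phone"
    number_dialed: str  # number actually used for the callback
    confirmed: bool     # did the vendor confirm the change?

def risk_flags(req: ChangeRequest) -> list:
    """Indicators a reviewer should note before picking up the phone."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return ["unknown vendor"]
    flags = []
    if req.phone_in_request and req.phone_in_request != vendor["phone"]:
        flags.append("callback number in request differs from number on file")
    return flags

def approve_change(req: ChangeRequest, ver: Optional[Verification]) -> Tuple[bool, str]:
    """Decide whether new payment instructions may be applied; returns (approved, reason)."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return False, "unknown vendor"
    if ver is None:
        return False, "no out-of-band verification performed"
    if ver.channel == req.request_channel:
        return False, "verification used the same channel as the request"
    if ver.number_dialed != vendor["phone"]:
        return False, "callback did not use the number on file"
    if not ver.confirmed:
        return False, "vendor did not confirm the change"
    return True, "confirmed via %s on number of record" % ver.channel
```

The reason string is intended for the audit log, so a rejected change records which control stopped it.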

Additional Resources