Avoiding Financial Social Engineering & Cyber-Fraud

Category: Information Security

Date Established: 01/03/2019

Responsible Office: Information Security Office

Responsible Executive: Vice President and Chief Information Officer

Summary

This guideline provides anti-fraud advice to employees in finance-related roles, to help prevent fraud, theft, inappropriate use, and other misuse of financial funds and information.

Guidelines

  1. Identify (inventory) and record all client funds and/or accounts you control. Ensure each fund/account has contact information for verification and the preferred procedure for doing so, including as appropriate (the more, the better): telephone number, fax number, cell phone and text message number, physical mailing address, and email address. Include emergency/breach contact information and procedures as well.
  2. If you accept fund transfer instructions from customers or clients by phone, email, text, fax, or similar method (all of which can be faked or compromised, especially email), always use the above inventory to authenticate any such instructions, and:
    • Call the customer at the pre-recorded number
    • Send a text message to the pre-determined number
    • Pre-establish a verification code with each customer, then require it
    • Send mail to their physical address confirming the request
  3. Provide anti-fraud training to all employees responsible for wire transfers and financial account changes, covering (but not limited to) social engineering, phishing, and other scams.
    • Repeat the training periodically (annually) and alert staff to new or worrisome methods and threats
  4. Verify all vendor/supplier bank accounts by direct call to the receiving bank using pre-recorded or pre-published official contact information, prior to establishing payment method and/or entries in accounts payable system(s).
  5. Confirm all changes to vendor/supplier details (including routing numbers, account numbers, telephone numbers, and contact information) by a direct call using only the contact number previously provided by the vendor/supplier before the request was received.
  6. Confirm all changes requested by the vendor/supplier to a person independent of the requestor of the change, with any changes being implemented only after the vendor/supplier has the opportunity to confirm them.
  7. Perform all international and domestic funds transfer procedures consistently across all business units.
  8. Confirm all requests from leadership and senior officials (including your supervisor) in person, or with another official or supervisor within your own company, especially if they arrive by email, seem urgent or hurried, or involve large amounts of money. Don’t be afraid to verify or ask.
  9. Watch for a pattern of fraudulent messages and attempts within the last twelve (12) months, purporting to be from customers, vendors, or employees and intended to direct transfers of your funds. It only takes one to succeed, and if you’re being targeted, the attempts may become more sophisticated and convincing over time.
  10. Monitor financial news, information sources, and user groups in your own and similar industries for warnings and awareness of attempts at other institutions, so you can avoid them. Share warnings and details (as permitted) with them as well.
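The verification control described in items 1, 2, 5, 6 and 9 can be expressed as a small decision procedure, which makes the essential property explicit: the callback channel and verification code always come from the inventory recorded in advance, never from anything the inbound request supplies. The following Python is an added example written for this page; it is not code from the university or its Information Security Office. The `Counterparty`, `ChangeRequest` and `PaymentChangeControl` names, the sample vendor record and the two sample requests are all constructed for illustration.

```python
"""Out-of-band verification of payment-detail change requests (added example).

Models the guideline's controls: an inventory of counterparties with pre-recorded
contact details (item 1), verification that uses only those details (items 2, 5),
an approver independent of the requester (item 6), and a twelve-month log of
suspicious attempts (item 9). All names and sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Counterparty:
    """One vendor/customer record from the inventory (item 1)."""
    name: str
    bank_account: str           # account currently on file
    verification_phone: str     # number recorded when the relationship was set up
    verification_code: str      # code pre-established with the counterparty


@dataclass
class ChangeRequest:
    """An inbound request to change payment details, as received (e.g. by email)."""
    counterparty: str
    new_bank_account: str
    requester: str                   # internal person who submitted/forwarded it
    callback_phone_in_request: str   # any "call me at" number the message itself carries
    received: date


@dataclass
class VerificationResult:
    approved: bool
    channel_used: str
    warnings: list = field(default_factory=list)


class PaymentChangeControl:
    def __init__(self, inventory, today):
        self.inventory = {c.name: c for c in inventory}
        self.today = today
        self.attempt_log = []   # (date, counterparty) of failed/suspicious attempts (item 9)

    def suspicious_attempts_last_12_months(self, counterparty):
        cutoff = self.today - timedelta(days=365)
        return sum(1 for d, n in self.attempt_log if n == counterparty and d >= cutoff)

    def verify(self, req, approver, code_given_on_callback):
        """Decide whether a change may be applied.

        `code_given_on_callback` is the code the counterparty reads back when called
        on the pre-recorded number; it stands in for the phone call itself.
        """
        warnings = []
        record = self.inventory.get(req.counterparty)
        if record is None:
            return VerificationResult(False, "none", ["counterparty not in inventory; cannot verify"])
        # Item 5: the callback channel always comes from the inventory, never from the request.
        channel = f"phone:{record.verification_phone}"
        if req.callback_phone_in_request and req.callback_phone_in_request != record.verification_phone:
            warnings.append("request supplies a contact number that differs from the number on file; ignored")
        # Item 6: confirmation must be handled by someone independent of the requester.
        if approver == req.requester:
            self.attempt_log.append((req.received, req.counterparty))
            return VerificationResult(False, channel, warnings + ["approver must be independent of requester"])
        # Item 2: require the pre-established verification code on the callback.
        if code_given_on_callback != record.verification_code:
            self.attempt_log.append((req.received, req.counterparty))
            return VerificationResult(False, channel, warnings + ["verification code mismatch on callback"])
        # Item 9: earlier suspicious attempts within 12 months are a signal even when this one checks out.
        n = self.suspicious_attempts_last_12_months(req.counterparty)
        if n:
            warnings.append(f"{n} suspicious attempt(s) for this counterparty in the last 12 months")
        return VerificationResult(True, channel, warnings)


def demo():
    """Run a constructed fraudulent request, then a legitimate one, against one vendor record."""
    inventory = [Counterparty("Acme Supplies", "ACCT-1111", "+1-555-0100", "ROSE-42")]
    ctl = PaymentChangeControl(inventory, today=date(2019, 3, 1))
    # Constructed: an email asks to move payments to a new account and supplies its own callback number.
    fraud = ChangeRequest("Acme Supplies", "ACCT-9999", "ap.clerk", "+1-555-0199", date(2019, 2, 20))
    r1 = ctl.verify(fraud, approver="ap.supervisor", code_given_on_callback="unknown")
    # Constructed: a genuine change, confirmed on the number on file with the pre-established code.
    legit = ChangeRequest("Acme Supplies", "ACCT-2222", "ap.clerk", "", date(2019, 3, 1))
    r2 = ctl.verify(legit, approver="ap.supervisor", code_given_on_callback="ROSE-42")
    return r1, r2


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point of the design is that `ChangeRequest.callback_phone_in_request` is never dialled: it is only compared against the record on file, and a mismatch is itself logged as a warning. A real accounts-payable workflow would back the inventory with a controlled data store and record the callback outcome, but the decision logic stays the same.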

Background

Attempts at fraud and social engineering (tricking people), including phishing and form fraud, are on the rise. Where successful, they can result in reputational damage and losses of thousands of dollars. This advice reminds employees what to watch out for and how to improve practices for avoiding or preventing fraud in their areas.

Applicability

Supervisors and employees in finance, purchasing, and contract-related roles, or with significant finance-related tasks and processes.

Contact Information

Office of the Vice President and Chief Information Officer
517 Capen Hall
Buffalo, NY 14260
Phone: 716-645-7979
Email: vpcio@buffalo.edu
Website: http://www.buffalo.edu/ubit.html

Information Security Office
201 Computing Center
Buffalo, NY 14260
Phone: 716-645-6997
Email: sec-office@buffalo.edu
Website: http://security.buffalo.edu