Wholesale Banking

Wholesale Banking

Security

This webpage describes the most frequent cases of fraud which may impact on your business as well as advice to protect you against it. As you will see fraudsters are clever and very organised. The cases of fraud presented are not exceptional, they happen every day worldwide. Beware.

We recommend that you distribute this webpage in your company. Advise all directors to read it as well as anyone with power of attorney over the company’s accounts. Fraudsters often target the latter.

Unfortunately total protection does not exist, as fraud is often linked to a human factor. Nonetheless if you communicate and apply the recommendations made in this leaflet in your business you can restrict the risks considerably. 

CxO fraud

What is Corporate fraud - CxO fraud? 
What are the consequences?

CxO fraud includes all types of fraud, where fraudster acts with stolen identity of managerial company employee. This identity is gained via social engineering. Social engineering is the fact of gathering information about a target company in order to manipulate an in-house person of such company to take action (often to make a payment) or disclose confidential information.

What happens?

  1. Fraudsters will contact your company by email or phone, acting as auditors, chartered accountants or even a government department undertaking an investigation. By doing that, they gather information on your company’s internal payment procedures as well as on the people who are authorised to make them. Also, information on social media (LinkedIn, Facebook…) might help fraudsters to identify employees involved in payment procedures or identifying staff being away on holiday with the intention to impersonate them in order to commit fraud.
  2. They contact company employees with rights to make large payments posing as the CEO, CFO or other senior manager, referring to a decision to possibly take over a foreign rival, or other event requiring a major transaction. Usually, in these scenarios the fraudster says that the transaction must be executed urgently and with the utmost secrecy.
  3. The fraudsters may even refer to an external consultancy (whose identity they have stolen) to make the operation more credible. “The consultant” then contacts the target employee to confirm the transaction and reiterates the secrecy and urgency of the payment to be made. If the employee hesitates the fraudsters will use several tricks to create pressure such as name dropping top executives in the company, flattery or even threats.

What safeguards to take?

  • Always be cautious when funds are asked to be transferred urgently and secretly.
  • In the event of an urgent request, always call back the person who made the request on a known phone number.
  • Implement segregation of duties like dual signing permissions, where at least two separate people have to sign payments. Also make sure that signing is always done properly, following company`s protocol, not just sign off based on trust.
  • Do not allow people to share authorisation devices (e.g. cards and PIN numbers).
  • Ask employees to limit the level of detail in their social media expressions on the role they occupy within the organisation.
  • Another safeguard: appoint a reference employee (who is neither the CEO nor the CFO) who must be contacted when a confidential or urgent transaction is requested. Such person can contact the company director personally to check the authenticity of the request. Caution: such powers may not be known outside the company.

Variants of this fraud

Several varieties exist, such as fraudsters posing as lawyers, notaries, police officers, helpdesks, etc.

 

E-fraud

What is E-fraud?
What are the consequences?

E-fraud covers phishing and malware infections. It can affect your company or your private life. Whatever the case, cyber criminals will try to steal money by recovering identification codes and electronic signatures from their victim. With these codes, they transfer funds to their accounts and empty your bank accounts instead.

What happens?

  1. Supposedly, you receive an email from your bank that claims one of the following: 
    - the bank is doing a security check,
    - your account will be blocked or
    - the bank is changing some of its services.
    The aim is to get you to click on a link that diverts you to a false identification page that looks similar to your online banking.
  2. On that page, you enter your access codes that can be easily retrieved by criminals. With your codes, they have access to your online banking and can execute transactions on your behalf. For execution of transaction, fraudsters need to have signature code.
  3. To obtain your signature code, they will phone you and ask you to insert your card in your card reader (this is called vishing), or you will see a screen asking you to wait a few minutes. Once the time has past, a new screen will appear and ask you for your signature code (dynamic phishing).

What safeguards to take?

  • Ensure a safe work environment by distributing and applying the information about safe eBanking ING has provided on ingwb.com (section Security & Fraud - Online security).
  • Keep your pin and generated security codes secret. Never reveal these secret codes to anyone who asks for them, e.g. on the phone, in email, via SMS, WhatsApp message or face-to-face.
  • Never generate a security code when not accessing or using online banking yourself.
  • Always check the details, e.g. amount and beneficiary account number, of all payments you are about to sign.
  • Always close the active web browser session properly by clicking on ‘Log out’. Never leave your computer unattended when you have an active session: Close the session and lock your computer.

Proper management of online means of payment

Some corporate behaviours can facilitate the task of fraudsters and increase your exposure to fraud:

  • Poor management of dual signing: 
    Dual signatures is a means for detecting and preventing fraud. The person who must add the second signature has a second look at the transaction, should not be involved in the transaction itself and can easier detect fraud. Never leave both signatures in the hands of the same person and check what you are signing. Always make sure that first and second signers use different PC’s (in case of electronic verification), as this will increase your chance of detecting fraudulent payments created by malware.
  • Shared access:
    Don’t use shared authorisation devices. This will improve security for the company and for the person who will only be able to act in accordance with its permissions.

Variants of this fraud

  1. You receive a call from a fraudster pretending to be a bank employee. He/she asks you to perform some sort of security check or “update”, which means you have to give them the codes with your smartcard and reader. The fraudster will use these to access your personal eBanking profile and sign transactions on your behalf.
  2. Your computer is infected with malware. Such infections typically occur from opening attachments, links from malicious e-mails or from visiting compromised websites that exploit vulnerabilities in your web browser or operating system.

 

Invoice fraud

What is Invoicing fraud?
What are the consequences?

Invoicing fraud is manifold. In all cases, the fraudsters will change the banking details of the company which issued the invoice to indicate their own and, as a result, receive the amounts invoiced.

What happens?

  1. The criminals intercept the invoice between the time it is posted and its receipt, by hacking the mail accounts used for sending invoices by email, by registering a domain that looks alike the original senders one (so-called domain typo squatting), or by impersonating an existing relation such as a supplier.
  2. The fraudsters change the invoice to reflect their own banking details on it. A new invoice is compiled with the new details, with the ‘fraudsters’ banking details and mentioning a change of bank, etc. Then the invoice is sent again.
  3. The invoice is received and paid to the new bank account number. It is highly likely that the following invoices will also be paid to the wrong account until the real issuer of the invoice realises that their invoices have not been paid and contacts the debiting company.

What safeguards to take?

  • Validate the invoice: Did you expect the invoice and the amount it’s stating? Are the supplier details unchanged compared to previous payments?
  • Any change in your suppliers’ details (address, phone number, email address, account number, etc.) must result in a phone call to a verified number (not to the number indicated on the invoice itself), to check the validity of the requested change.

Variants of this fraud

The debiting company receives an email from what looks like its supplier, stating a change of bank and account number. The message will seem legitimate because it will bear the suppliers’ letterhead. In this case, all pending invoices as well as subsequent invoices will be paid to the new account number.
Whatever the scenario, the aim of the criminals is to make a change to what we call the suppliers details (phone number, bank references, email address) in order to steal funds.

 

Who to contact in case of doubt or fraud?

In case of doubt or fraud contact Local Anfi-fraud officer via e-mail anti-fraud<AT>ing.sk or by phone +421 2 593 46 361.

For matters connected with other ING entity than ING SK contact wb.fraudalert<AT>ing.com or contact local Anti-fraud Officer of respective ING entity.

If you notice attempted fraud or if fraud has occurred in your businesses, immediately inform your ING contact. By calling your bank quickly, you will increase the likelihood of recuperating the funds embezzled.

Other formalities with the authorities can also be required (filing a complaint with the police, etc.). Our specialists can also advise you on the steps to be taken.

 

Published information is offered for purely information purposes by ING and has no contractual value. Consequently it may, under no circumstances, serve as a basis to hold ING liable in particular if, despite these recommendations, your company is a victim of any of the fraud detailed in this webpage.