Avoiding Financial Social Engineering & Cyber-Fraud

Category: Information Security
Date Established: 1/3/2019
Date Last Updated: 6/5/2024
Responsible Office: Information Security Office
Responsible Executive: Vice President and Chief Information Officer

Summary

This guideline provides anti-fraud advice to employees in finance-related roles, to help prevent fraud, theft, inappropriate use, and other misuse of financial funds and information.

Guidelines

  1. Identify (inventory) and record all client funds and/or accounts you control. Ensure each fund/account has contact information for verification and the preferred procedure for carrying it out, including as appropriate (the more, the better): telephone number, fax number, cell phone and text message number, physical mailing address, and email address. Include emergency/breach contact information and procedures as well.
  2. If you accept fund transfer instructions from customers or clients by phone, email, text, video call, fax, or similar method (all of which can be faked or compromised), always use the above inventory to authenticate any such instructions, and:
    • Call the customer at the pre-determined number.
    • Send a text message to the pre-determined number.
    • Pre-establish a verification code with each customer, then require it.
    • Send mail to their physical address confirming the request.
    • When engaging in a video call with an individual who is requesting an account change, it is recommended to instruct them to look left, right, up, or down, as a generic AI deepfake won’t necessarily be prepared to do the same.
  3. Provide anti-fraud training to all employees responsible for wire transfers and financial account changes including but not limited to social engineering, deepfakes, phishing, and other scams.
    • Training should be conducted annually.
    • Employees must report any new or perceived threats to the Information Security Office.
  4. Verify all vendor/supplier bank accounts by directly calling the receiving bank using pre-recorded or pre-published official contact information, prior to establishing payment method and/or entries in accounts payable system(s).
  5. Confirm all changes to vendor/supplier details (including routing numbers, account numbers, telephone numbers, and contact information) by a direct call using only the contact number previously provided by the vendor/supplier before the request was received.
  6. Confirm all changes requested by the vendor/supplier to a person independent of the requestor of the change, with any changes being implemented only after the vendor/supplier has confirmed them.
  7. Perform all international and domestic funds transfer procedures consistently across all business units.
  8. Confirm all requests from leadership and senior officials (including your supervisor) in-person, or with another official or supervisor within your department, especially if requests are emailed, or they seem urgent and involve large amounts of money.
  9. Watch for a pattern of fraudulent messages and attempts within the last twelve (12) months purporting to be from customers, vendors, or employees and intended to direct transfers of your funds. It only takes one to succeed, and if you’re being targeted, the attempts may become more sophisticated and convincing over time.
  10. Monitor financial news, information sources, and user groups in higher education and similar industries for warnings and awareness of attempts at other institutions, so that similar attempts can be recognized and avoided. Share warnings and details (as permitted) with them as well.
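As an added illustration (not part of the university's guideline), the following Python models guidelines 1, 2, 5 and 6 as an enforced approval gate for a vendor banking change: the callback may only use the number already on file, the person confirming must differ from the person who took the request, and the pre-established verification code must match. All vendor names, numbers and codes are constructed.

```python
import hmac
from dataclasses import dataclass


@dataclass
class VendorRecord:
    """Inventory entry (guideline 1): contact details recorded BEFORE any request arrives."""
    name: str
    phone_on_file: str
    verification_code: str   # shared secret pre-established with the vendor (guideline 2)
    bank_account: str


@dataclass
class ChangeRequest:
    """A banking-change request, however it arrived (email, call, fax, text, video)."""
    vendor: str
    new_bank_account: str
    requested_by: str        # staff member who received/entered the request
    contact_in_request: str  # callback number the message itself supplies (never trusted)


@dataclass
class Confirmation:
    """Outcome of the out-of-band callback (guidelines 5 and 6)."""
    confirmed_by: str        # staff member who placed the callback
    number_dialed: str       # number actually dialed
    code_given: str          # verification code the vendor recited


def approve_change(inventory: dict, req: ChangeRequest, conf: Confirmation) -> tuple[bool, str]:
    """Return (approved, reason). Each check is one guideline turned into an enforced rule."""
    rec = inventory.get(req.vendor)
    if rec is None:
        return False, "vendor not in inventory; onboard via bank callback first (guideline 4)"
    # Callback must go ONLY to the number on file, never to one supplied in the request.
    if conf.number_dialed != rec.phone_on_file:
        return False, "callback used a number not on file (guideline 5)"
    # Separation of duties: confirmer must be independent of whoever took the request.
    if conf.confirmed_by == req.requested_by:
        return False, "confirmer must be independent of requestor (guideline 6)"
    # Constant-time comparison of the pre-established code.
    if not hmac.compare_digest(conf.code_given, rec.verification_code):
        return False, "verification code mismatch (guideline 2)"
    return True, "change may be implemented"
```

Only the on-file number is ever dialed, so a fraudulent "new phone number" in the request has no effect on the outcome.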

Background

Attempts at fraud and social engineering (tricking people), including deepfakes, phishing, and form fraud, are on the rise, and where successful can result in reputational damage and losses of thousands of dollars. This advice reminds employees of what to watch out for and how to improve practices for avoiding or preventing fraud in their areas.

Applicability

Supervisors and employees with finance, purchasing, and contract-related roles, and those with significant finance-related tasks and processes.

Contact Information

Office of the Vice President and Chief Information Officer
Email: vpcio@buffalo.edu
Phone: 716-645-7979

Information Security Office
Email: sec-office@buffalo.edu
Phone: 716-645-6997