Holger Ebert: Higher education institutions are facing a fraud universe today unlike ever in history. We’ve got ideas to help mitigate those risks.
Erin Gore: Yep.
Holger: I’m Holger Ebert.
Erin: And I’m Erin Gore, thanks for joining us for our Higher Ed and Nonprofit Banking Insights. More than anything, we want to provide you a better experience. We know that timely and relevant insights are useful to you—and we want to bring them to you.
Holger: Helping our clients succeed is important to everyone at Wells Fargo and especially the teams focused on our higher-ed and not for profit clients. And every episode is a reminder that your Treasury Management Consultant is always available to discuss topics in more detail.
Erin: If you don’t have one, there’s contact information right here on the page.
Holger: Look at you making things convenient. Heh!
Erin: Ha! Alright Holger, let’s get to the topic at hand—Fraud.
Holger: Mmm hmm.
Erin: WannaCry wreaked havoc across the world, 200,000 computers were hit across 150 countries. Luckily, very few higher-ed institutions reported incidents related to the attack.
Holger: Wow, that’s amazing. Well Erin, as you know, ransomware is a huge problem. According to Symantec, on average, there are 992 ransomware attacks per day. And here’s the issue—ransomware, and most vulnerabilities that fraudsters exploit, rely on phishing and I don’t mean for bass.
Erin: Heh, heh.
Holger: According to darkreading.com, 91% of all cyberattacks start with a phishing email.
Holger: But with our clients in the government and institutional universe, in addition to ransomware and other hacking, we’re seeing a considerable amount of vendor fraud.
Erin: Holger, let me tell you about some of the experience our clients have had. Unfortunately, many of them have had some pretty serious fraud attacks just this year. Almost all of them have started with a phishing email or in some cases, and you may not believe this, just a low tech letter snail mail coming in.
Holger: No way.
Erin: One university in the Northeast received a letter from their contractor asking them to change the account to which the wire payment would go to. They had all the necessary paperwork and they mailed it in. A month later, this university got a phone call from the actual contractor, wondering why they hadn’t been paid. And yet another case, our client mailed out a check to a vendor, which was then stolen in the mail with the payee name changed. Unfortunately, because reconciliation was fairly slow, the client didn’t realize it until seven months later.
Holger: So Erin, what you’re telling me is that not even snail mail can be trusted.
Erin: Nope. So let’s talk about some of the battle armor to combat fraud.
Holger: Yeah. Erin, that’s a great term. It is some practical battle armor. First, your network and systems are constantly being scanned by hackers for vulnerabilities, so keep your antivirus software and patches up to date. Second, use dual custody, especially for wire payments. And don’t give your token ID to someone else. And never to anyone claiming to be with Wells Fargo, unless you know them or were transferred to them by someone that you know. Because fraudsters will impersonate bank personnel, including reaching out to you posing as IT support after they have hacked your systems.
Holger: Third, in the event you are hacked, you can improve your recovery time if your business continuity plans include processes, skills, and relationships to address cyberattacks and terrorism. Additionally, you should back up your data regularly and store critical data offline. Fourth, to place a ceiling on your exposure, consider cyber insurance. And finally, your staff is trained to efficiently and effectively get things done. So they need to be educated on imposter fraud and be empowered to trust their gut. If it doesn’t feel right it probably is not.
Erin: Holger, thanks for the battle armor. Here are some examples and considerations that are unique to higher-ed.
Erin: First, decentralized payers and approvers all over campus are very characteristic of a higher-ed institution. This creates real control challenges. Large construction projects on campus—all a fraudster has to do is walk around, see the name of the contractor on a sign and then they know exactly who they need to impersonate to get a very large payment. There are predictable vacation schedules for staff—this means you’re short-staffed, not everyone can be everywhere at the same time, and occasionally corners get cut which is exactly what the fraudsters want.
Erin: Your university bank account information is wildly accessible—maybe it shouldn’t be. Take steps to make that only accessible to people who really need to know. Finally, you are serving the best and brightest, very smart individuals with lots of free time who may be trying to game the system and get a payment from you.
Holger: So Erin, what’s the bottom line for higher-ed?
Erin: Keep vigilant all the time. And remember that timing matters—the faster you catch the fraud, the more likely you are to recover.
Holger: Well said. Well, Erin, none of us want to cry.
Holger: So for more great cybersecurity and fraud information check out Wells Fargo Treasury Insights by typing digital.wf.com/treasuryinsights into your browser.
Erin: It’s a great idea. And remember, your treasury management consultant is another resource. For now, I’m Erin Gore.
Holger: And I’m Holger Ebert.
Erin: Thanks for joining us for our Higher Ed and Nonprofit Banking Insights.
Announcer: Commercial banking products and services are provided by Wells Fargo Bank, N.A. Investment banking and capital markets products and services are provided by Wells Fargo Securities, and are not a condition to any banking product or service. Wells Fargo Securities is the trade name for certain securities-related capital markets and investment banking services of Wells Fargo & Company and its subsidiaries, including Wells Fargo Securities, LLC, member NYSE, FINRA, NFA, and SIPC, and Wells Fargo Bank, N.A., acting through its Municipal Products Group. Municipal derivatives services are provided by Wells Fargo Bank, N.A., a swap dealer registered with the CFTC and member of the NFA. © 2017 Wells Fargo Bank, N.A. All rights reserved. Member FDIC. Sources cited: Symantec Internet Security Threat Report—April 2016 and Darkreading.com’s Endpoint post—December 13, 2016.
For more information, contact your Wells Fargo representative or fill out the Contact Us form on this site.
By Erin Gore, Executive Vice President, Division Manager — Higher Education & Nonprofit Banking, Wells Fargo Bank and Holger Ebert, Senior Vice President, Division Manager — Treasury Management, Government & Institutional Banking, Wells Fargo Bank