Download

Fraudsters are increasingly taking advantage of the disruption caused by COVID-19 to target businesses. The most common type of scam involves the attacker impersonating one of your suppliers, which will normally look something like this: If you ever receive an email asking for a payment to be sent to a new bank account, contact the sender via telephone to verify the request. It’s important to be aware that fraudsters: Will make the email look like it has been sent from a known contact or supplier Can make it look like the request is replying to an earlier email Try to make the attempt look as normal as possible – e.g. expected value, normal timing, genuine invoice numbers, etc. Best practice advice: Always call a known telephone number; do not use any numbers given in the email Ensure that two employees check any payment being sent to a new beneficiary Be particularly wary of requests to send a payment to an account held in a different name, or located in a different country The pandemic is already causing significant challenges for businesses; by following the guidelines above, you can help ensure that fraud does not add to the burden. For further resources, please visit our Fraud Prevention webpage. To access the full infographic, Download PDF

Fraudsters are increasingly taking advantage of the disruption caused by COVID-19 to target businesses. The most common type of scam involves the attacker impersonating one of your suppliers, which will normally look something like this:
<img style="display: block; margin-left: auto; margin-right: auto;" src="https://www.citibank.com/commercialbank/solutions/fraud-prevention/assets/img/icons/email.jpg" width="653" height="466" />
If you ever receive an email asking for a payment to be sent to a new bank account, contact the sender via telephone to verify the request. It&rsquo;s important to be aware that fraudsters:
<ul>
<li>Will make the email look like it has been sent from a known contact or supplier</li>
<li>Can make it look like the request is replying to an earlier email</li>
<li>Try to make the attempt look as normal as possible &ndash; e.g. expected value, normal timing, genuine invoice numbers, etc. </li>
</ul>
<img style="display: block; margin-left: auto; margin-right: auto;" src="https://www.citibank.com/commercialbank/solutions/fraud-prevention/assets/img/icons/icon-set.jpg" width="762" height="113" /> 
<h4 class="text-cyan" style="box-sizing: border-box; margin-top: 0px; margin-bottom: 15px; font-weight: lighter; width: 1110px; text-align: left; background- line-height: 1.2em; font-size: 1.625rem;">Best practice advice:</h4>
<div class="mb-15" style="box-sizing: border-box; font-size: 16px; text-align: left;">
<div class="row row-eq-height" style="box-sizing: border-box; display: flex; flex: 1 0 100%; flex-wrap: wrap; margin-right: -15px; margin-left: -15px;">
<div class="col-md-12 col-12" style="box-sizing: border-box; position: relative; width: 1140px; padding-right: 15px; padding-left: 15px; flex: 0 0 100%; max-width: 100%; display: flex; flex-direction: column; margin-right: -0.25px; margin-left: -0.25px;">
<ul>
<li>Always call a known telephone number; do not use any numbers given in the email</li>
<li>Ensure that two employees check any payment being sent to a new beneficiary</li>
<li>Be particularly wary of requests to send a payment to an account held in a different name, or located in a different country</li>
</ul>
The pandemic is already causing significant challenges for businesses; by following the guidelines above, you can help ensure that fraud does not add to the burden. For further resources, please visit our Fraud Prevention <a class="text-cyan" style="box-sizing: border-box;" href="https://www.citibank.com/commercialbank/solutions/fraud-prevention/en/" target="_blank" rel="noopener">webpage</a>.
</div>
</div>
</div>
To access the full infographic,&nbsp;<a style="box-sizing: border-box;" href="https://www.citibank.com/commercialbank/solutions/fraud-prevention/assets/pdf/bec-fraud.pdf" target="_blank" rel="noopener">Download PDF</a>

Fraudsters are increasingly taking advantage of the disruption caused by COVID-19 to target businesses. Learn what a typical email attack might look like.

This is what fraud looks like

What to do in the Event of Fraud Act Quickly Review and urgently determine if fraud has occurred; every minute may count. To report fraud, contact the following: Credit Card Fraud — Contact the number on the back of your card. Other types of fraud including ACH, CitiBusiness® Online, checks and wires — Contact your Citibank representative. Use the “F” Word Be prepared to state “fraud” — not “potential fraud” or similar as banks may not act on “potential” issues — and confirm this in writing/email. Alert Citi and/or Beneficiary Bank Immediately Citi will initiate recall actions. The shorter the time between a fraudulent transaction and detection, the greater the chance of recovery (ideally less than 48 hours, thereafter the prospect of recovery drops off dramatically). Provide the Details Beneficiary banks and others will need clear background information before they will act. Some jurisdictions make the recovery of misappropriated funds more difficult than others, so you may require further actions to recover your assets. For example, there may be legal restrictions on freezing/returning funds locally, or providing information on the identity of the beneficiary or remaining balance without a court/police order. There may also be certain processes that you, as the sender, may need to follow. Further Recommended Steps Reason/Example Engage internal fraud/security resources Bring in subject matter experts Report to local law enforcement as soon as possible — obtain a copy of the report or take a crime reference number Beneficiary banks may expect/ request this Independently review all recent transactions and logs for other suspect payments or unusual activity Look for other potentially fraudulent activity that may have occurred Independently secure your bank accounts to prevent further misuse For example, disable system users, implement payment exception approval process, etc Alert any other banks you may hold accounts with In case fraudsters attack other bank accounts Send an internal alert to increase awareness and vigilance In case of further contact/attempts, unless there is a concern of internal compromise Retain and hold any potential evidence for investigation Examples of evidence include email correspondence, audio logs, desktop PCs Consider appointing legal counsel, forensic consultants or private investigators to represent/assist you if necessary Some jurisdictions can be more difficult to navigate than others With your legal advisers’ direction, question employees carefully to seek verification of their activity and keep written records of responses. Ensure your employee’s recollection of events is accurate

What to do in the Event of Fraud
Act Quickly
<img style="float: left;" src="https://www.citivelocity.com/elemental/elemental.40c09bc4.svg" alt="" width="96" height="96" />
Review and urgently determine if fraud has occurred; every minute may count. To report fraud, contact the following: Credit Card Fraud &mdash; Contact the number on the back of your card. Other types of fraud including ACH, CitiBusiness&reg; Online, checks and wires &mdash; Contact your Citibank representative. 
Use the &ldquo;F&rdquo; Word
<img style="float: left;" src="https://www.citivelocity.com/elemental/elemental.40c09bc4.svg" alt="" width="96" height="96" />
&nbsp;
Be prepared to state &ldquo;fraud&rdquo; &mdash; not &ldquo;potential fraud&rdquo; or similar as banks may not act on &ldquo;potential&rdquo; issues &mdash; and confirm this in writing/email. 
&nbsp;
&nbsp;
Alert Citi and/or Beneficiary Bank Immediately
<img style="float: left;" src="https://www.citivelocity.com/elemental/elemental.40c09bc4.svg" alt="" width="96" height="96" /> Citi will initiate recall actions. The shorter the time between a fraudulent transaction and detection, the greater the chance of recovery (ideally less than 48 hours, thereafter the prospect of recovery drops off dramatically). 
&nbsp;
Provide the Details
Beneficiary banks and others will need clear background information before they will act. Some jurisdictions make the recovery of misappropriated funds more <img style="float: left;" src="https://www.citivelocity.com/elemental/elemental.40c09bc4.svg" alt="" width="91" height="91" /> difficult than others, so you may require further actions to recover your assets. For example, there may be legal restrictions on freezing/returning funds locally, or providing information on the identity of the beneficiary or remaining balance without a court/police order. There may also be certain processes that you, as the sender, may need to follow.
&nbsp;
<table class="MsoTable15Grid4" style="width: 100%; border-collapse: collapse; border: none; height: 502px;" border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr style="height: 31px;">
<td style="width: 50%; border-top: 1pt solid black; border-bottom: 1pt solid black; border-left: 1pt solid black; border-image: initial; border-right: none; background: black; padding: 0in 5.4pt; height: 31px;" valign="top">
Further Recommended Steps
</td>
<td style="width: 50%; border-top: 1pt solid black; border-right: 1pt solid black; border-bottom: 1pt solid black; border-image: initial; border-left: none; background: black; padding: 0in 5.4pt; height: 31px;" valign="top">
Reason/Example
</td>
</tr>
<tr style="height: 47px;">
<td style="width: 50%; border-right: 1pt solid #666666; border-bottom: 1pt solid #666666; border-left: 1pt solid #666666; border-image: initial; border-top: none; background: #cccccc; padding: 0in 5.4pt; height: 47px;" valign="top">
Engage internal fraud/security resources
</td>
<td style="width: 50%; border-top: none; border-left: none; border-bottom: 1pt solid #666666; border-right: 1pt solid #666666; background: #cccccc; padding: 0in 5.4pt; height: 47px;" valign="top">
Bring in subject matter experts
</td>
</tr>
<tr style="height: 65px;">
<td style="width: 50%; border-right: 1pt solid #666666; border-bottom: 1pt solid #666666; border-left: 1pt solid #666666; border-image: initial; border-top: none; padding: 0in 5.4pt; height: 65px;" valign="top">
Report to local law enforcement as soon as possible &mdash; obtain a copy of the report or take a crime reference number
</td>
<td style="width: 50%; border-top: none; border-left: none; border-bottom: 1pt solid #666666; border-right: 1pt solid #666666; padding: 0in 5.4pt; height: 65px;" valign="top">
Beneficiary banks may expect/ request this
</td>
</tr>
<tr style="height: 50px;">
<td style="width: 50%; border-right: 1pt solid #666666; border-bottom: 1pt solid #666666; border-left: 1pt solid #666666; border-image: initial; border-top: none; background: #cccccc; padding: 0in 5.4pt; height: 50px;" valign="top">
Independently review all recent transactions and logs for other suspect payments or unusual activity
</td>
<td style="width: 50%; border-top: none; border-left: none; border-bottom: 1pt solid #666666; border-right: 1pt solid #666666; background: #cccccc; padding: 0in 5.4pt; height: 50px;" valign="top">
Look for other potentially fraudulent activity that may have occurred
</td>
</tr>
<tr style="height: 48px;">
<td style="width: 50%; border-right: 1pt solid #666666; border-bottom: 1pt solid #666666; border-left: 1pt solid #666666; border-image: initial; border-top: none; padding: 0in 5.4pt; height: 48px;" valign="top">
Independently secure your bank accounts to prevent further misuse
</td>
<td style="width: 50%; border-top: none; border-left: none; border-bottom: 1pt solid #666666; border-right: 1pt solid #666666; padding: 0in 5.4pt; height: 48px;" valign="top">
For example, disable system users, implement payment exception approval process, etc
</td>
</tr>
<tr style="height: 39px;">
<td style="width: 50%; border-right: 1pt solid #666666; border-bottom: 1pt solid #666666; border-left: 1pt solid #666666; border-image: initial; border-top: none; background: #cccccc; padding: 0in 5.4pt; height: 39px;" valign="top">
Alert any other banks you may hold accounts with
</td>
<td style="width: 50%; border-top: none; border-left: none; border-bottom: 1pt solid #666666; border-right: 1pt solid #666666; background: #cccccc; padding: 0in 5.4pt; height: 39px;" valign="top">
In case fraudsters attack other bank accounts
</td>
</tr>
<tr style="height: 43px;">
<td style="width: 50%; border-right: 1pt solid #666666; border-bottom: 1pt solid #666666; border-left: 1pt solid #666666; border-image: initial; border-top: none; padding: 0in 5.4pt; height: 43px;" valign="top">
Send an internal alert to increase awareness and vigilance
</td>
<td style="width: 50%; border-top: none; border-left: none; border-bottom: 1pt solid #666666; border-right: 1pt solid #666666; padding: 0in 5.4pt; height: 43px;" valign="top">
In case of further contact/attempts, unless there is a concern of internal compromise
</td>
</tr>
<tr style="height: 48px;">
<td style="width: 50%; border-right: 1pt solid #666666; border-bottom: 1pt solid #666666; border-left: 1pt solid #666666; border-image: initial; border-top: none; background: #cccccc; padding: 0in 5.4pt; height: 48px;" valign="top">
Retain and hold any potential evidence for investigation
</td>
<td style="width: 50%; border-top: none; border-left: none; border-bottom: 1pt solid #666666; border-right: 1pt solid #666666; background: #cccccc; padding: 0in 5.4pt; height: 48px;" valign="top">
Examples of evidence include email correspondence, audio logs, desktop PCs
</td>
</tr>
<tr style="height: 67px;">
<td style="width: 50%; border-right: 1pt solid #666666; border-bottom: 1pt solid #666666; border-left: 1pt solid #666666; border-image: initial; border-top: none; padding: 0in 5.4pt; height: 67px;" valign="top">
Consider appointing legal counsel, forensic consultants or private investigators to represent/assist you if necessary
</td>
<td style="width: 50%; border-top: none; border-left: none; border-bottom: 1pt solid #666666; border-right: 1pt solid #666666; padding: 0in 5.4pt; height: 67px;" valign="top">
Some jurisdictions can be more difficult to navigate than others
</td>
</tr>
<tr style="height: 64px;">
<td style="width: 50%; border-right: 1pt solid #666666; border-bottom: 1pt solid #666666; border-left: 1pt solid #666666; border-image: initial; border-top: none; background: #cccccc; padding: 0in 5.4pt; height: 64px;" valign="top">
With your legal advisers&rsquo; direction, question employees carefully to seek verification of their activity and keep written records of responses.
</td>
<td style="width: 50%; border-top: none; border-left: none; border-bottom: 1pt solid #666666; border-right: 1pt solid #666666; background: #cccccc; padding: 0in 5.4pt; height: 64px;" valign="top">
Ensure your employee&rsquo;s recollection of events is accurate
</td>
</tr>
</tbody>
</table>

Advice on steps to take in the event of suspected or actual fraud involving bank payments.

What to Do in the Event of Fraud

Guidance on How to Combat Fraud Warning Signs For email, letter and phone How do you know the email, letter or call you received requesting information or instructing a transaction is not fraudulent? Fraudsters exploit human psychology and other social engineering tactics in an attempt to commit fraud. Be vigilant: recognizing signs of fraud is the most effective way to combat it. Do’s and Don’ts For devices (smartphones, tablets, laptops and pcs) You may need to involve your IT department to effectively adopt these recommendations. This may require that you undergo a risk assessment in compliance with your IT department’s controls and evaluations. Risks and Controls For beneficiary change requests Recognizing the problem is the key to applying best practice solutions. These tips — when applied alongside your own internal control processes — will mitigate the risk involved in changing beneficiary’s payment details.

<h4>Guidance on How to Combat Fraud</h4>
&nbsp;
Warning Signs
&nbsp;
For email, letter and phone
How do you know the email, letter or call you received requesting
information or instructing a transaction is not fraudulent? Fraudsters
exploit human psychology and other social engineering tactics in an
attempt to commit fraud. Be vigilant: recognizing signs of fraud is the
most effective way to combat it.
&nbsp;
Do&rsquo;s and Don&rsquo;ts
&nbsp;
For devices (smartphones, tablets, laptops and pcs)
<div>
You may need to involve your IT department to effectively adopt these
recommendations. This may require that you undergo a risk assessment
in compliance with your IT department&rsquo;s controls and evaluations.
&nbsp;
<div>
Risks and Controls
&nbsp;
For beneficiary change requests
Recognizing the problem is the key to applying best practice solutions.
These tips &mdash; when applied alongside your own internal control
processes &mdash; will mitigate the risk involved in changing beneficiary&rsquo;s
payment details.
&nbsp;
</div>
</div>

Fraudsters exploit human psychology and other social engineering tactics in an attempt to commit fraud. Be vigilant: recognizing signs of fraud is the most effective way to combat it.

How to Combat Fraud

BEC Infographics

Look-alike and hacked emails are helping fraudsters steal billions of dollars. While awareness is growing, the scams are also evolving and there are a few common misconceptions that are leaving businesses vulnerable. For the last five years, companies around the world have been suffering from a fraud scheme known as a Business Email Compromise (BEC). The scam sees a cybercriminal pose as a known business contact and send a forged email requesting their victim to make a payment to a new beneficiary. While the attacks may sound simplistic, more than $12.5 billion in fraud losses have been attributed to this type of fraud globally,[i] making BEC the most lucrative form of cybercrime seen to date. During a typical BEC attack, a cybercriminal will use a hacked or look-alike email account to impersonate an Executive within your company or one of your existing suppliers. Before they send the email, the attacker will spend many months studying your business, so the timing, content and tone of the message will often appear normal. Because these types of attacks have been around for a few years, awareness of the scam has increased, and businesses have started to strengthen their defences. But as businesses have evolved, the scam has too, and fraudsters are changing their tactics to try to avoid detection. Here are three of the most common misconceptions about BEC, which are based upon earlier versions of the scam: Executive impersonation is the primary risk During the early years, most BEC cases involved the attacker impersonating a CEO, CFO or another internal Executive. While this threat has not completely gone away, the overwhelming majority of BEC cases now see the attacker pose as one of your existing suppliers. As you already make regular payments to your vendors, the attacker no longer has to convince their victim of the need for the payment, they simply need to create a good reason for the payment to be sent to a new bank account. The emails will be unsolicited and easy to spot Many people assume that a BEC attempt will arrive via a new email request, much like cold calling over the telephone. While this may previously have been true, the attackers now try to intercept and manipulate an existing email conversation, rather than initiating a fresh request. In the supply chain scenario, the attackers will hijack an email about an existing order (regularly after the down-payment has already been made) and then ask that their payment details be updated. The attackers will try to avoid prolonged dialogue In the Executive scenario, the fraudsters would often send a single payment request, together with a reason why they couldn’t be contacted – such as being in an important meeting or about to board a flight. These standalone (and normally ad-hoc) requests often looked suspicious and so the fraudsters have started to refine their approach. It is now common to see numerous emails between the fraudster and victim, which are designed to build rapport, develop the cover story and even create the opportunity for a second or third attempt. In the supplier scenario, we have even seen cases where the fraudster is having simultaneous conversations with both the supplier and buyer (in both cases impersonating the other party), which allows them to gather additional information, answer any questions and improve the credibility of the request. While the attacks have continued to evolve, the most effective controls to combat BEC have remained consistent. If you want to protect your business, there are three simple steps which will help reduce your susceptibility to an attack: Call Backs - If you ever receive an email requesting a payment to be sent to a new beneficiary, pick up the telephone and call the sender back to confirm the request. It’s important to use a previously known telephone number, rather than using any numbers that are given in the body/signature of the email. Dual Approval - Whenever you need to add a new payee, or change existing payment details, configure your systems to require an approver/checker. An extra set of eyes significantly improves your chances of spotting anything untoward. Training - Ensure your staff is aware of risk. Most people have naturally good instincts, but need to understand what BEC is, before they are able to look out for it. If you suspect you have fallen victim to BEC, contact your Citi Service Representative as quickly as possible so we can help to protect your account and attempt to recover any lost funds. Your security is our priority. Click here to see an infographic about BEC

Look-alike and hacked emails are helping fraudsters steal billions of dollars. While awareness is growing, the scams are also evolving and there are a few common misconceptions that are leaving businesses vulnerable. 
For the last five years, companies around the world have been suffering from a fraud scheme known as a Business Email Compromise (BEC). The scam sees a cybercriminal pose as a known business contact and send a forged email requesting their victim to make a payment to a new beneficiary. While the attacks may sound simplistic, more than $12.5 billion in fraud losses have been attributed to this type of fraud globally,[i] making BEC the most lucrative form of cybercrime seen to date.
 During a typical BEC attack, a cybercriminal will use a hacked or look-alike email account to impersonate an Executive within your company or one of your existing suppliers. Before they send the email, the attacker will spend many months studying your business, so the timing, content and tone of the message will often appear normal.
 Because these types of attacks have been around for a few years, awareness of the scam has increased, and businesses have started to strengthen their defences. But as businesses have evolved, the scam has too, and fraudsters are changing their tactics to try to avoid detection. Here are three of the most common misconceptions about BEC, which are based upon earlier versions of the scam:
<ol>
<li>Executive impersonation is the primary risk During the early years, most BEC cases involved the attacker impersonating a CEO, CFO or another internal Executive. While this threat has not completely gone away, the overwhelming majority of BEC cases now see the attacker pose as one of your existing suppliers. As you already make regular payments to your vendors, the attacker no longer has to convince their victim of the need for the payment, they simply need to create a good reason for the payment to be sent to a new bank account.</li>
<li>The emails will be unsolicited and easy to spot Many people assume that a BEC attempt will arrive via a new email request, much like cold calling over the telephone. While this may previously have been true, the attackers now try to intercept and manipulate an existing email conversation, rather than initiating a fresh request. In the supply chain scenario, the attackers will hijack an email about an existing order (regularly after the down-payment has already been made) and then ask that their payment details be updated. </li>
<li>The attackers will try to avoid prolonged dialogue In the Executive scenario, the fraudsters would often send a single payment request, together with a reason why they couldn&rsquo;t be contacted &ndash; such as being in an important meeting or about to board a flight. These standalone (and normally ad-hoc) requests often looked suspicious and so the fraudsters have started to refine their approach. It is now common to see numerous emails between the fraudster and victim, which are designed to build rapport, develop the cover story and even create the opportunity for a second or third attempt. In the supplier scenario, we have even seen cases where the fraudster is having simultaneous conversations with both the supplier and buyer (in both cases impersonating the other party), which allows them to gather additional information, answer any questions and improve the credibility of the request.</li>
</ol>
<blockquote>
While the attacks have continued to evolve, the most effective controls to combat BEC have remained consistent. If you want to protect your business, there are three simple steps which will help reduce your susceptibility to an attack:
</blockquote>
<ol>
<li>
Call Backs - If you ever receive an email requesting a payment to be sent to a new beneficiary, pick up the telephone and call the sender back to confirm the request. It&rsquo;s important to use a previously known telephone number, rather than using any numbers that are given in the body/signature of the email.
</li>
<li>Dual Approval - Whenever you need to add a new payee, or change existing payment details, configure your systems to require an approver/checker. An extra set of eyes significantly improves your chances of spotting anything untoward.</li>
<li>
Training - Ensure your staff is aware of risk. Most people have naturally good instincts, but need to understand what BEC is, before they are able to look out for it.
</li>
</ol>
 If you suspect you have fallen victim to BEC, contact your Citi Service Representative as quickly as possible so we can help to protect your account and attempt to recover any lost funds. Your security is our priority.
<a style="box-sizing: border-box; text-decoration-line: underline; background- font-size: 20px; text-align: left;" href="https://www.citibank.com/commercialbank/solutions/fraud-prevention/assets/pdf/bec-infographic.pdf" target="_blank" rel="noopener">Click here to see an infographic about BEC</a> 
&nbsp;

Awareness of Business Email Compromise is growing, but the scams are also evolving, leaving businesses vulnerable to attack. Learn more about some of the common misconceptions.

The Evolving Threat of Email Scams

Dual Approval is one of the most important online controls, yet the concept remains foreign to many businesses. This article helps demystify the topic and provides a short explanation of what it is and how it can help protect your company What is Dual Approval? As the name implies, Dual Approval is a control that requires two separate people to authorize a transaction. The first person is responsible for creating the request (known as the maker), while the second person checks and approves the activity (known as the checker). Why is Dual Approval important? Humans are not perfect. It does not matter how clever, trusted or trained we are, sooner or later everybody will make a mistake. A maker-checker process introduces a second pair of eyes and helps spot things that appear suspicious, strange or incorrect. Dual Approval clearly helps protect your business, but it also helps protect your employees from making unintended errors or deviating from process. How does it work? Dual Approval is quick and easy to set up, and it is offered at no additional cost on all of Citi Commercial Bank’s online platforms. The functionality is fully customizable, giving you the ability to configure the process flow, approvers and approval limits to meet the individual needs of your business. Once Dual Approval has been enabled, any eligible transactions will be transferred to a pre-selected pool of checkers for authorization. The process is fast, secure and robust and the approver simply verifies the request on an independent device (desktop, tablet or phone) and releases the transaction.

<h4>Dual Approval is one of the most important online controls, yet the concept remains foreign to many businesses. This article helps demystify the topic and provides a short explanation of what it is and how it can help protect your company</h4>
What is Dual Approval?
As the name implies, Dual Approval is a control that requires two separate people to authorize a transaction. The first person is responsible for creating the request (known as the maker), while the second person checks and approves the activity (known as the checker).
Why is Dual Approval important?
Humans are not perfect. It does not matter how clever, trusted or trained we are, sooner or later everybody will make a mistake. A maker-checker process introduces a second pair of eyes and helps spot things that appear suspicious, strange or incorrect. Dual Approval clearly helps protect your business, but it also helps protect your employees from making unintended &nbsp;errors or deviating from process.
How does it work?
Dual Approval is quick and easy to set up, and it is offered at no additional cost on all of Citi Commercial Bank&rsquo;s online platforms. The functionality is fully customizable, giving you the ability to configure the process flow, approvers and approval limits to meet the individual needs of your business. Once Dual Approval has been enabled, any eligible transactions will be transferred to a pre-selected pool of checkers for authorization. The process is fast, secure and robust and the approver simply verifies the request on an independent device (desktop, tablet or phone) and releases the transaction.
&nbsp;

Dual Approval is one of the most important online controls, yet the concept remains foreign to many businesses. Learn more about why it matters.

Why Dual Approval Matters

Watch a short and informative video about how to protect your business from Business Email Compromise. 

Business Email Compromise Video

Lookalike and hacked emails are helping fraudsters steal billions. Here’s how to fight them. Law enforcement agencies around the world have been investigating a scheme known as a Business Email Compromise (BEC). BEC is a scam that cyber criminals use to steal money from businesses or wealthy individuals using wire-transfer payments. Since 2013, more than $3 billion in fraud losses have been attributed to this type of fraud globally, making it the most lucrative form of cybercrime to date.[i] So how does a BEC work? In BEC scams, cybercriminals generally use social media sites — and particularly professional networking sites — as a tool to identify employees who have access to banking, financial or sensitive employee data. They then trick the employees into performing wire-transfers by sending them an email request that appears to come from an executive, such as a Chief Executive Officer or Chief Financial Officer. They try to make these emails appear legitimate so the employees perform the fund transfers to criminal accounts before they are identified as fraudulent. In some cases, cybercriminals have even hacked into the real email accounts of executives or other high-ranking businesspersons to send these illegitimate transfer requests. Despite recent media coverage on this fraud scheme, and a sobering alert from the U.S. Federal Bureau of Investigation (FBI), cyber criminals launching these attacks continue to enjoy successes as many employees are typically not accustomed to saying “no” to requests from senior leaders in their firm. In 2015, cyber thieves stole over $46 million from one company alone using the BEC technique, although law enforcement officials managed to recover approximately $8 million in this case. What might we do to protect ourselves in the face of this rising tide of BEC scams? The Cyber Security Fusion Center recommends that company leaders talk to their employees about BEC preventative and defensive measures. They advise them to be wary of emails requesting wire-transfer payments and closely scrutinize any orders deemed urgent by the sender. Whenever validity seems questionable, employees should pick up the phone to verify the transfer request. Likewise, they need to look closely for mimicked email addresses and closely review domain names (e.g. john.smith@gmail.com compared to john.smith@gmai.com). In the case of “urgent” transfer requests, companies are encouraged to consider imposing additional authentication protocols. A further precaution is reducing the number of individuals that have the authority to approve or conduct wire transfers. To restrict the number of “leads” available to BEC scammers, caution should be exercised when posting financial and personnel information to social media and company websites. If you suspect you have been targeted by a BEC, report the incident immediately to your Citi Client Relationship Manager and local law enforcement to aid in the recovery of funds. [i] https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams?utm_source=hs_email&utm_medium=email&utm_content=28140297&_hsenc=p2ANqtz--f0buz9nDeHu9YAI5KYbMmCHIthkKaP7LIvZg0vaXQ0uUOCJWXPSxi1TSlz5gdZ_ZF9OVTPnVsL2mGryCnumjJvUj

<h4>Lookalike and hacked emails are helping fraudsters steal billions.</h4>
<h4>&nbsp;</h4>
<h4>Here&rsquo;s how to fight them.</h4>
Law enforcement agencies around the world have been investigating a scheme known as a Business Email Compromise (BEC). BEC is a scam that cyber criminals use to steal money from businesses or wealthy individuals using wire-transfer payments. Since 2013, more than $3 billion in fraud losses have been attributed to this type of fraud globally, making it the most lucrative form of cybercrime to date.[i] So how does a BEC work? In BEC scams, cybercriminals generally use social media sites &mdash; and particularly professional networking sites &mdash; as a tool to identify employees who have access to banking, financial or sensitive employee data. They then trick the employees into performing wire-transfers by sending them an email request that appears to come from an executive, such as a Chief Executive Officer or Chief Financial Officer. They try to make these emails appear legitimate so the employees perform the fund transfers to criminal accounts before they are identified as fraudulent. In some cases, cybercriminals have even hacked into the real email accounts of executives or other high-ranking businesspersons to send these illegitimate transfer requests.
Despite recent media coverage on this fraud scheme, and a sobering alert from the U.S. Federal Bureau of Investigation (FBI), cyber criminals launching these attacks continue to enjoy successes as many employees are typically not accustomed to saying &ldquo;no&rdquo; to requests from senior leaders in their firm. In 2015, cyber thieves stole over $46 million from one company alone using the BEC technique, although law enforcement officials managed to recover approximately $8 million in this case.
What might we do to protect ourselves in the face of this rising tide of BEC scams? The Cyber Security Fusion Center recommends that company leaders talk to their employees about BEC preventative and defensive measures. They advise them to be wary of emails requesting wire-transfer payments and closely scrutinize any orders deemed urgent by the sender. Whenever validity seems questionable, employees should pick up the phone to verify the transfer request. Likewise, they need to look closely for mimicked email addresses and closely review domain names (e.g. john.smith@gmail.com compared to john.smith@gmai.com).
In the case of &ldquo;urgent&rdquo; transfer requests, companies are encouraged to consider imposing additional authentication protocols. A further precaution is reducing the number of individuals that have the authority to approve or conduct wire transfers. To restrict the number of &ldquo;leads&rdquo; available to BEC scammers, caution should be exercised when posting financial and personnel information to social media and company websites.
If you suspect you have been targeted by a BEC, report the incident immediately to your Citi Client Relationship Manager and local law enforcement to aid in the recovery of funds.
&nbsp;
[i] <a href="https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams?utm_source=hs_email&amp;utm_">https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams?utm_source=hs_email&amp;utm_medium=email&amp;utm_content=28140297&amp;_hsenc=p2ANqtz--f0buz9nDeHu9YAI5KYbMmCHIthkKaP7LIvZg0vaXQ0uUOCJWXPSxi1TSlz5g</a><a href="https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams?utm_source=hs_email&amp;utm_" target="_blank" rel="noopener">dZ_ZF9OVTPnVsL2mGryCnumjJvUj</a>

Lookalike and hacked emails are helping fraudsters steal billions. Here’s how to fight them.

Stay Ahead of the Email Scammers

Passwords have become an integral part of our lives, whether logging into work stations, online banking, personal email, oreven our phones. Password strength is an important component in protecting against fraud, but a frightening number of online users are still using predictable passwords. Common Passwords Data breaches are now a regular news story, which prompted SplashData to analyze over 5 million passwords that were leaked online during 2018. Their research showed that the following 25 passwords were the most commonly used; each of which could be cracked by a fraudster in a matter of seconds:

<h4>Passwords have become an integral part of our lives, whether logging into work stations, online banking, personal email, oreven our phones. Password strength is an important component in protecting against fraud, but a frightening number of online users are still using predictable passwords.</h4>
 Common Passwords
Data breaches are now a regular news story, which prompted SplashData to analyze over 5 million passwords that were leaked online during 2018. Their research showed that the following 25 passwords were the most commonly used; each of which could be cracked by a fraudster in a matter of seconds:

Password strength is an important component in protecting against fraud, but a frightening number of online users are still using predictable passwords.

Creating Strong Passwords

As digital technology continues to transform the world around us, fraudsters are becoming braver, more creative and increasingly sophisticated. At Citi, we understand the challenges you face and passionate about helping protect your business. Citi Commercial Bank has created procedures to help prevent, detect, respond to, and recover from all types of fraud attacks. Through a culture of collaboration, we fuse intelligence from a variety of sources to deter attacks, reduce risk, and foster effective decision-making.

As digital technology continues to transform the world around us, fraudsters are becoming braver, more creative and increasingly sophisticated. At Citi, we understand the challenges you face and passionate about helping protect your business. Citi Commercial Bank has created procedures to help prevent, detect, respond to, and recover from all types of fraud attacks. Through a culture of collaboration, we fuse intelligence from a variety of sources to deter attacks, reduce risk, and foster effective decision-making.

prevent, detect, respond to, and recover from all types of fraud attacks

Fraud Prevention

Commercial Bank

Banking & International

Banking, Capital Markets & Advisory

Securities Services

Citi Global Perspectives & Solutions

Global Insights

Leadership

Private Bank

Treasury & Trade Solutions

Markets

Issuer Services

Citi Digital Assets

Citi Research

Wealth

Services

Column 1

Column 2

About Us

Programs

Knowledge Center

Apply for Funding

Column 3

Column 4

Column 5

Links

Footer

Citi Foundation

Businesses

Our Impact

News

Insights

Investors

Careers

My Account

Para Sport

Emergency

Disclosures

Privacy Notices

Hidden

Citi Gpa

Europe, Middle East and Africa

North America

Latin America

Asia Pacific

Social Welfare Funds

Development Organizations

SOEs

Multilateral Development Bank

Central Banks

Central Governments

Ministry of Finance

Local Governments

Ministry of Foreign Affairs

Regional Development Bank

FinTech

iBuyers

Mortgage

Origination

PropTech

Real Estate

Single-Family Rental

Data

GDPR

Privacy

Regulsyion

Auto

Demand

Food

Industrial

Metals

Russia

Shortage

Supply

Supply Chain

Tariff

Ukraine

Asteroids

Imagery

Logistics

Mining

Moon

Rockets

Satellites

Space

Space-Based Solar Power

Aware

Do No Harm

Impact

Investing

Monitoring

Risk

Sustainability

Taxonomies

Augmented Reality

Cryptocurrency

dApps

DeFi

Metaverse

Money

Virtual Reality

VR/AR

Auction

Disruption

Money Laundering

Online

Regulation

Virtual

Entrepreneur

Equal Opportunity

Equality

Global Growth

Innovation

Venture Capital

Women

Women Entrepreneurs

Education

Eliminating Poverty

Health

Multidimensional Index

Poverty

Standard of Living

Sustainability-Linked Bond

UN SDG

Inflation

Just in Case

Just in Time

Production

Transportation

Charity

Donations

Multiplier

Philanthropy

Service

Technology

Growth & Prosperity

Risk & Resilience

Sustainability & Society

Technology & Innovation

Health & Wellness

Citi Blog

Press Release

Citi Global Insights

Business Services

Consumer Products & Retail

Digital

Healthcare

Industrials

Tech Hardware

Regulatory

General Information

Product Marketing

Global Markets and Economy

Business Strategies

Diversity, Equity, and Inclusion

Community Impact

Wealth Management

Retail Banking

Wealth Publications

Newsletter

qa test 1016-1

stephen-1111

ICG Insight Detail Template

As our premier thought leadership product, Citi Global Perspectives & Solutions (Citi GPS) is designed to help our clients navigate the global economy’s most demanding challenges, identify future themes and trends, and prosper in a fast-changing and interconnected world. 

Keep Exploring CITI GPS Content

Keep up to date with our latest insights.

Subscribe to Citi GPS

This is what fraud looks like

Best practice advice:

UP NEXT

Fraud Prevention

Business Email Compromise Video

Creating Strong Passwords

Sign up to receive the latest from Citi.