International money transfer company, US-based Western Union, has been obliged to pay a further $40 million on top of a previous $365 million payout to defrauded customers. As many customers were the victims of phishing attacks in which Western Union had already admitted some of its staff were complicit, the payouts highlight the growing “insider threat” now facing multinational corporations.
The current payouts follow from Western Union already having admitted to criminal violations, including failing to maintain an effective anti-money laundering program and aiding and abetting wire fraud. At the start of 2017, in exchange for deferred prosecution, Western Union agreed a settlement of $586 million with the Foreign Trade Commission and the Justice Department to fully reimburse victims of multiple frauds. The Justice Department continues to accept petitions for remission from fraud victims and said it anticipates authorizing further payouts in the coming months.
The frauds in question included “sweepstake scams,” where victims were told they had won a large cash prize but needed to pay a fee to claim it, and “grandparent scams,” where fraudsters impersonated a family member in urgent need of money wired to them to avoid personal harm. Western Union also agreed to implement an anti-fraud program and enhanced compliance obligations in agreements with federal authorities.
Human beings are generally the weakest links
Although the various scams against Western Union customers may have been initially perpetrated by cybercriminals outside the company, the money transfer corporation has admitted that some of its staff may have been complicit in defrauding customers. As the cybersecurity sector becomes more effective at protecting its clients against hackers, the hackers have pivoted to other, under-protected entry points in their target company’s IT system.
The cybercriminal gangs soon concluded that human beings are generally the weakest links in any large and relatively faceless corporation. For example, a criminal platform called Industrial Spy, launched last year, advertised itself as offering disgruntled or dishonest employees the opportunity to “earn millions of dollars using insider information.” Individual staff who are approached by cybercriminals may be easily tempted by cash.
This type of attack can be notoriously hard to defend against, and many companies have been defrauded in this way despite doing their utmost to secure their systems. But the Justice Department believes Western Union to be partly culpable in this case and has also alleged that “certain owners, operators or employees” at Western Union were complicit in the crimes and that Western Union “aided and abetted” the scams by failing to suspend or sack the staff involved.
“Western Union, the largest money service business in the world, has admitted to a flawed corporate culture that failed to provide a checks and balances approach to combat criminal practices…Western Union’s failure to implement proper controls and discipline agents that violated compliance policies enabled the proliferation of illegal gambling, money laundering, and fraud-related schemes,” said US Attorney Wifredo A. Ferrer of the Southern District of Florida.