Wire Transfer Fraud – yeah, it’ll never happen to me. That’s what too many business owners and leaders think, and that’s exactly what cybercriminals want you to think.
In this video and post, I’m going to talk about what wire transfer fraud is, how to prevent it, and how cyber insurance can help remediate claims should they occur.
Okay, let’s start with answering the question, what is wire transfer fraud?
Wire transfer fraud is when a cybercriminal or scammer tricks you or a member of your firm into transferring funds to them by posing as a vendor or client of yours. These scams usually take place over email, and the request is never verified by the business owner or decision-maker.
Here’s a common example we have seen several times.
The CFO, bookkeeper, or company accountant gets an email that appears to be from one of the company’s established vendors. The email address looks legit and it asks to please change the account information when they make their next wire transfer.
It could be at the same bank or a new bank.
We have seen this scam get highly specific: the scammer tells the bookkeeper the specific invoice number and amount due for the next wire payment, further legitimizing the email.
How does the scammer know all that info?
Well, they may have infiltrated the company’s email system or its vendor’s email system and been watching the email traffic back and forth, so they’re able to use exact invoice numbers and amounts and, like I said, further reinforce their ruse.
There are other scams, like the President of the company emailing the CFO to wire funds to them urgently so he or she can execute an M&A transaction before a deal falls through.
In fact, the President hasn’t requested any funds and there is no deal on the table. Unfortunately, the funds are transferred to a fraudulent account and gone.
What’s the bank’s responsibility in situations like these?
Unfortunately, your bank has no responsibility in these scams because you or a member of your firm has voluntarily parted with the money.
Yes, it’s a scam, but no one put a gun to your head demanding your money.
You voluntarily sent money to a third party without verifying the authenticity of that third party – that’s on you and not your financial institution.
Are fraudulent funds recoverable?
In most cases that I’m aware of or have seen, no. Once the funds are wired into the fraudulent account they are withdrawn and the account is closed and the funds are gone for good.
What’s the solution? How do you manage this risk?
It’s really not that difficult, but you need to have controls in place, and a control is nothing more than a written procedure that isn’t deviated from, for any reason.
What do we recommend as a written control?
Before exchanging account numbers or amending/changing account numbers with any vendor, a phone call must be made to that vendor, or to whichever other party you’re sending funds to, to authenticate them.
The first step is to authenticate that the phone number is correct and is the number for the party with whom you’re doing business.
As a backup safety step, have another person in your company cross-verify the information as well and perform the authentication a second time.
Special note: when you have a wire request from a foreign vendor – really scrutinize the request as these carry higher risks than domestic vendors.
If there is an urgent request from someone within your company to wire funds a few simple steps help control this risk:
First, verify the email address of the sender that’s requesting the wire. For example, if the president of the firm has an urgent need for funds – carefully look at the email address.
Hackers will often replicate a URL or email address by replacing a letter or digit. For example, [email protected] could become [email protected] or [email protected] or any number of different variations.
Second, call the originator of the request (i.e. the president) and do not execute a wire until it is confirmed by phone or in person.
While verifying the authenticity of the sender, also verify the account numbers.
Hackers, scammers, and posers are relying on the fact that everyone is busy and wants to accommodate the instructions of an executive or company owner so don’t fall victim to these ploys.
How does insurance come into play in these scams?
Most cyber insurance policies include coverage for wire transfer fraud – but limit this coverage to $250,000 in most policies.
Something you need to know is that almost all insurers require the secondary authentication procedure I just mentioned.
If you fail to follow that procedure and you fall victim to wire transfer fraud, the claim may be denied, so it is critical to have a control and follow it – always.
Wire transfer fraud coverage is also available on a commercial crime policy and can usually be purchased at higher limits than a cyber policy.
But again, underwriters are really homing in on controls before offering high-limit protection from wire transfer fraud.
Here’s the bottom line:
Wire Transfer Frauds and schemes are widespread – it is the fastest and easiest way for cyber criminals to score huge sums of money from unsuspecting businesses.
Don’t fall victim to it. Set up a control, educate your employees, talk about it often – as you should be with other cyber risks like phishing, and continue to reinforce the need to control the risk company-wide.
Have other questions on cyber risk and cyber insurance I didn’t cover here? Give me a call, or drop me an email.