By John G. Hofmann

Perhaps you’ve heard some of the following terms — hacking, spoofing, phishing, or wire transfer fraud.

“Wire transfer fraud” and “business email compromise” (“BEC”) refer to a variety of sophisticated email scams that are designed to target businesses.  Commonly targeted businesses include owners, contractors and construction companies (as they handle large payments between and among themselves), brokers conducting real estate transactions (also dealing with large transactions), and attorneys (often involved with large transactions, for example settlement payments or real estate transactions).

So, if this is you, or your business handles large wire transfers … read on.

The scam works in different ways.  One version has the hacker penetrate a company’s email system, usually by sending an email with an attachment or link that, if clicked, will infect the recipient’s system with malware.  This is “phishing.”  The hacker can then access, control and manipulate a legitimate email account.  The hacker intercepts incoming emails and diverts them, so the intended recipient never receives them and is never aware of them.  The hacker then impersonates the employee and uses the legitimate email account and address to provide “new” wiring instructions (to a different bank account that the hacker controls).  Once the funds intended to pay the company are sent to the hacker’s bank account, the hacker quickly takes or transfers the funds to another account.  By the time the recipient company realizes that it never actually received the funds intended for it, it is usually too late, and the funds are long gone.

A different version is when the hacker uses a fake email address that resembles a legitimate email address of the targeted company.  This is “spoofing” — the email is a spoof of a valid email.  The spelling may be slightly off, but at first glance it looks correct.  For example, the email address might use a number 1 instead of a lowercase letter “L”, which look identical in some fonts.  The company on the other side of the transaction does not realize that it is not really the email of the company that is intended to receive the funds.  The spoofer using the email account with the altered email address acts like the recipient company and then instructs the paying company to direct the wired funds to an account that the hacker controls.

One key part of many of these cases is a failure by the company that will be paying the funds to verify the wire transfer directions, and to do so beyond the email exchanges that were the likely source of the fraudulent information.  Even where the paying company has suspicion about the wire transfer instructions — because they are different from previous instructions, or are being sent to an account with an unusual name or unusual location, or the emails contain words or language that do not sound quite right — problems occur where the employee fails to pick up the phone and talk to a live human at the company it is planning to pay.  In too many cases, this simple step is not taken, and the results can be disastrous.

Frequently, the result is that the defrauded company has to pay the same amount again to the company that was meant to receive the funds, but never actually received them.

In an effort to prevent being the victim of a wire fraud scam, businesses should closely consider the following:

  • Ensuring that they have robust and up-to-date IT security systems in place.  This should include, for example, using multi-factor authentication for email accounts; preventing any automatic forwarding of emails, especially to email addresses outside the company; and regularly monitoring the email server for changes or modifications to email accounts.
  • Ensuring that their employees, especially those handling wire transfers and large financial transactions, are aware of these types of scams and how to recognize them.
  • Reminding employees — on a regular basis — of the need to check and verify wire transfers by speaking with a human on the other side of the transaction.  This is where a good, old-fashioned telephone call is required.
  • Including language in emails that reminds recipients that the company requires verbal confirmation before it will transfer or wire funds, and that it will never ask for funds to be wired without verbal confirmation.  Obviously, this only works if employees comply with the policy and insist on verbal verification for any wire transfers.
  • Purchasing cybercrime insurance coverage, and/or reviewing their insurance contracts to determine what would be covered in the event of wire transfer fraud or business email compromise.  In the same vein, companies can address the issue in the contracts they enter into with their clients — so all the parties know upfront who bears the risk of these kinds of fraud.

Bottom line:  unlike some scams and frauds, this type of wire transfer fraud may be preventable — before wiring funds, the sender should verify and confirm the details of the wiring instructions, and do so verbally.  That simple step may end up saving a business millions of dollars.

We will continue to monitor these developments, and if you have questions, please contact an attorney at Kenney & Sams.

****************

This alert is for informational purposes only and may be considered advertising.  It does not constitute the rendering of legal, tax or professional advice or services.  You should seek specific detailed legal advice prior to taking any definitive actions.