Cyberattack and the Risk to Wire Transfers

October is Cybersecurity Awareness Month, the perfect time to provide some common-sense tips to avoid a common risk facing businesses: business email compromise and wire fraud. Businesses of all shapes and sizes use email, and those accounts are susceptible to attempts to trick employees into providing sensitive information or sending money.

The perpetrators of business email compromise scams send authentic-looking messages and use a sense of urgency to trick an employee into acting quickly without verifying the sender’s identity. With respect to wire fraud, bad actors have made a business of hacking into corporate email systems, perpetrating the “man in the middle attack” whereby the bad actor jumps into a conversation between individuals communicating by email. Often, this conversation involves discussion of a scheduled transaction, and the bad actor modifies wire instructions so the payment, which may be substantial, ends up with the bad actor, not the intended recipient. Typically, before anyone notices the fraud, the money is long gone. These scenarios often lead to litigation, with both parties pointing the finger and both feeling wronged.  

Loss, like the above, is real and growing. In 2022, the Federal Bureau of Investigation published “Business Email Compromise and Real Estate Wire Fraud,” a report stating that “[its] Internet Crime Complaint Center (IC3) received [business email compromise] related complaints with losses exceeding $2.4 billion.” Imagine, for instance, that your business wires payment of $10,000,000 and it goes missing due to this type of scheme – businesses are frequently unable to recover misdirected wire or ACH transfers. While these losses are already substantial, changes to technology, including the rise of AI deepfakes, will make detecting and avoiding business email compromise scams more challenging in the next several years.   

So, how does a business avoid a catastrophe involving wire transfers? While the below is not a comprehensive list of safeguards, we have set forth some best practices for handling wire instructions:

1. Verify instructions thoroughly.

• Confirm wire instructions orally by phone with a known and verified contact at a known and verified phone number. Do not provide any sensitive information or wire instructions in response to a received call – always dial the known number yourself.
• Never confirm wire instructions via email.

2. Use a secure communication channel and two-step verification.

• Two-step verification: This means providing partial wire instructions via encrypted secure platforms and requiring a phone call to receive the complete wire instructions.

3. Triple-check all details.

• Double-and triple-check bank names, routing numbers, SWIFT codes, account numbers and all other related wire transfer information for accuracy.

4. Watch for red flags.

• Be cautious if someone requests an urgent or last-minute change to previously provided instructions. Even a plausible-sounding email with unexpected changes should be vetted and verified.
• Scrutinize emails with poor grammar, unexplained urgency, or misspelled email addresses.

5. Conduct internal reviews.

• Separate the responsibilities for initiating, authorizing, and reviewing wire transfers within your organization.
• Document and review each transaction before submitting the wire request.

6. Confirm receipt.

• Ask the recipient to confirm via phone that they have received the funds immediately after the transfer is completed.

7. Train your team.

• Educate employees on recognizing and preventing wire fraud, phishing, and business email compromise schemes.
• Conduct periodic security awareness programs.

8. Implement cybersecurity measures.

• Keep software, firewalls, and anti-virus tools updated to prevent hacking attempts.
• Avoid conducting business, especially any access to banking portals, on unsecured public Wi-Fi networks.
• Use multi-factor authentication.
• Strengthen information security policies and procedures, including incident response plans.

By implementing safeguards, a business can reduce the risks associated with wire instructions and transfers.

This document is not intended to, nor shall it, be considered legal advice. If you have any questions, you should address the specific matter with your attorney.

Jason Hirsh is a Partner with Levenfeld Pearlstein and the Practice Group Leader of the Litigation Group. Jason’s practice involves business litigation, including litigation of wire-transfer and ACH fraud-related disputes and consulting regarding such matters. Katie Nadro is a Partner with Levenfeld Pearlstein in the Corporate Group, where she advises clients on cybersecurity, data privacy, and artificial intelligence matters.