Client Alert: Wire Transfer Fraud

Item

In late August, the Milwaukee office of Chicago Title, the largest title company in Wisconsin, came to the offices of Fox, O’Neill & Shannon, S.C. to advise them that scams by hackers were now targeting title company closings, by misdirecting wired funds from customers to offshore accounts.  Chicago Title was calling on major real estate law firms to advise them of this dire threat to closings.

Item

On September 3, 2017, a participant in a 401(k) plan for a client of FOS, had $340,000 stolen from his account, by a hacker who had gained access to the information concerning the plan.  The information included the participant’s name, social security number, home address and amount in his account.  The withdrawal used the actual forms employed by the Plan Administrator.  The President and CEO of the Plan Administrator wrote on September 22, 2017, “the entire retirement industry has been hit hard by an enormous increase in fraud attempts during the last few days and the pattern is still developing.  While we have appropriate controls to defend against such attacks, the bad actors are calling in equipped with all the information they need to get past those defenses (likely from the Equifax data breach in which detailed information of 140,000,000 Americans was stolen).”

Item

On September 25, 2017, three attorneys at FOS received a request from a Milwaukee loan officer with whom they had worked in concluding a transaction one month earlier.  The request, sent in by email, was on the email stationery of a local Milwaukee bank.  However, the attempt to obtain account information was fraudulent; the local bank, and its loan officer, had nothing to do with it.


The above examples are the tip of the iceberg of cyber fraud, particularly wire transfer fraud.  Wire transfer fraud can bankrupt you or your company. It cannot be ignored. But much of it can be prevented.

FOUR INCREASINGLY COMMON TYPES OF WIRE TRANSFER FRAUD

Scam targeting payments to vendors.

Especially in transactions involving substantial sums, customers frequently pay vendors or other creditors with whom they frequently or regularly deal via wire transfers. This scam targets these payments.

Here, hackers request wire transfers through emails or documents on letterhead which look like they are from corporate executives or business suppliers known to the recipient.

When emails are part of the scheme, the “from” email address is almost identical to that of the vendor or creditor – except that one or two letters are transposed (johnjdoe@abccompany.com, changed to johnjdoe@abbccompany.com). So a “reply” to this email goes to the hacker, not the vendor or creditor.

Often, these fake emails have “Urgent!” or “Deadline!” in the subject line, and the email suggests that the recipient is or will soon be late paying a nonexistent debt.

The recipient, believing he or it is paying an actual debt and trying to avoid nonexistent interest or penalties, wires funds to the transfer address listed in the email. Only later is the fraud discovered.

According to the FBI, in the last seven months of 2016 alone, cyber criminals tried to steal $5.3 billion through these hacks. The number of known fraud cases almost doubled from May to December of last year, from 22,143 to 40,203. These numbers will only increase in this and the next years.

Scam targeting real estate buyers.

Real estate transactions commonly involve the payment of the purchase price via wire transfers. Wire transfer instructions are provided at or prior to closing.

This scam targets these wire transfer payments.

In one example, a residential purchaser received a fraudulent email from what appeared to be the title company. The message advised the purchaser to wire transfer a $142,245 down payment to a particular bank account, presumably of the title company. The purchaser did so.

After receiving another email, again presumably from the title company, “confirming” the transfer, the purchaser went to the closing, expecting to receive title to the property and the keys to its front door. Instead, the title company asked when the down payment would be arriving. The funds had actually been transferred to the hacker’s account.

In another example, a buyer received an email, apparently from the closing attorney’s office, modifying earlier wire transfer instructions and providing “revised wiring instructions.” The buyer followed the new instructions. The funds never reached the closing attorney’s office, going instead to a hacker’s account.

Scams targeting investors.

In private placement or other public investment offerings, investors commonly make their investments via wire transfers.

The scam involving these or similar investments targets the actual investments themselves.

Investment contracts and related documents generally contain blank spaces, to be completed by the investor, for wire transfer instructions. Particularly if investment documents are transferred between the parties via email, hackers can obtain the wiring information and change that information on a document with the same template as the original.

A hacker can then pretend to be the investor and email the fraudulent instructions to the relevant bank or company. Since the fraudulent document looks to be correct, and appears to be coming from the investor, the bank or company follows the instructions. The investment never reaches the company.

Scam involving retirement accounts.

Wire transfer fraud is not limited to funds which are diverted from proper payment to third parties. Hackers are also directly stealing funds in retirement and related accounts.

Here, the target is the fund itself. The hacker accomplishes the fraud by pretending to be the account beneficiary, requesting a “distribution,” and obtaining the wire transfer of funds to the hacker’s account.

While reputable financial institutions have established security procedures for distribution requests, hackers are regularly able to obtain the answers to security questions and other information and so pass the financial institution’s tests.

The retirement accounts of several members of a client’s family, for example, were recently targeted in such a scheme. The financial institution received false emails, purportedly from family members, requesting several hundreds of thousands of dollars in distributions from the retirement accounts. The institution complied with the requests and wire transferred the funds to the hackers’ accounts.

While the clients noticed the transfers quickly and were able to recoup their money, many other victims are not so lucky.

 HOW TO PREVENT WIRE FRAUD HACKS

 If all wire transfer frauds could be prevented, thousands of individuals and companies would not have been (and continue to be) hacked out of millions upon millions of dollars.

That being said, common sense safeguards can lessen the risk that you or your company will be subject to a successful wire transfer hack. These safeguards include:

  • Go back to the old days. Confirm wire transfer instructions by telephone or, if possible, face to face. Make sure you know who is giving the instructions and that they are accurate.
  • Be especially wary of changes in wire transfer instructions and confirm them as described above. As noted in the Items that began this alert, hackers can and routinely do copy exactly the statements of reputable companies.
  • Establish a protocol, designating at least two appropriate people from your company, to confirm the accuracy of wire transfer requests or instructions.
  • Advise your vendors and financial institutions of your protocol.
  • As a part of the protocol, have at least two appropriate people designated to carefully review all wire transfer documents, including emails, letters, etc. Check carefully for any oddities, such as transposed letters in email addresses or different spacings in the supposedly identical company letters.
  • Require institutions and companies in which you have investments, including retirement accounts, to notify you by both email and telephone if they receive a request for distributions (even if you know the request came from you), and require there be a response from you (best practice, orally and by email) when funds are released. The notice should be of the distribution request and the wire transfer instructions.
  • When sending confirmatory emails, do not use “reply” (which could go back to the hacker). Instead, send a new email using the address in your files which you know is accurate.
  • Change passwords of all types regularly.
  • Use unique and strong passwords.
  • Ask your insurance agent whether cyber fraud insurance is available for you or your company.

These are not, of course, the only appropriate protective measures, either currently or for the future. As law enforcement or cyber experts thwart one hacking scheme, hackers quickly adapt and create new cyber scams. So, potential cyber victims must remain vigilant and try to be as adaptable as the hackers themselves.

 WHAT TO DO IF YOU OR YOUR COMPANY FALLS VICTIM TO WIRE TRANSFER FRAUD

 No one is perfect. Despite the best protective measures, you or your company may find yourself a victim of wire transfer fraud.

If this happens, don’t panic. Instead,

  • Notify your financial institution(s). Place a block on the affected account. Freeze or otherwise secure other appropriate accounts until you conduct a proper investigation. Change passwords, security questions/answers, wire transfer protocols and other existing security information.
  • Notify law enforcement including, if appropriate, the FBI.
  • Contact your affected vendor, purchaser, etc. to explain the situation.
  • Contact other individuals and companies with whom you at least periodically deal, advise them of the hack and potential future hacks.
  • Make a claim for reimbursement against the appropriate financial institutions.
  • Investigate your computer system, including your email system, to determine whether and to what extent one or more intrusion(s) has/have occurred.
  • Change email addresses, passwords, and other computer system components to avoid additional hacks.
  • Implement the security procedures described above.