M3’s Milwaukee Office Has Moved

Avoid Falling Victim to Wire Transfer Fraud Scams

Construction & Real Estate, Cyber

This article was written in collaboration with :

  • Sarah Sargent, Data Security and Privacy Attorney, CIPP/US, CIPP/E, CIPM
  • Zachary Willenbrink, Litigation, Data Security and Privacy Attorney, CIPP/US, CIPM, (ISC)2 CC

It seems like a nightmare… You get an email from a material supplier: “Where’s that $500,000 payment on last month’s invoice?” You swear you already paid it. So, you look back at your ledger and—sure enough—you see it: you did already make the payment; you wired it three weeks ago. You write back and let the supplier know. Two minutes later the reply hits your inbox: “You may have wired it out, but we didn’t get it.”

If it’s not in your business’s account and it’s not in your supplier’s, where did the money go? The most likely answer: a scammer’s offshore bank accounts. Your business probably fell victim to a funds transfer fraud or misdirected payment scheme, a type of cyber-attack that is growing more prevalent by the day. (How prevalent? Prevalent enough that Bloomberg reported TikTok influencers called “scam rappers” are posting instructions for how to do this and other scams, all set to music.)

In this type of scheme, a scammer convinces an employee or business into sending money—often for a legitimate reason—to the wrong place. How? Typically, “phishing.” Most often, the scammer learns that a business will be making a payment and some details about it. Sometimes, the attacker accomplishes this through high-tech means like hacking the intended recipient’s email (a so-called business email compromise or BEC scheme); sometimes, they use lower-tech ones, such as hearing sensitive information from a loose-lipped employee or in public records.

Once the scammer knows that information, they pretend to be the intended recipient. This is pretty easy if they’ve compromised the intended recipient’s email; they can email the target business directly from the intended recipient’s account and set up mailbox rules or monitor the email account to make sure the employee never realizes their account was hacked. And, even without a compromised account, a scammer can still make it seem like they’re the intended recipient.

Returning to the example that started this post, perhaps your account manager typically works with your supplier’s account manager Jane to coordinate payments. Jane’s email address is “janedoe@yourbestsupplier.com.” The scammer might set up an email address meant to look similar (often referred to as typo squatting). Maybe they use “janedoeyourbestsupplier@gmail.com” or “janedoe@yourbestsupplier.corn” or “janedoe@yourbestsuppiier.com.” The last two in particular may be hard to spot. (If you didn’t catch it, the second is a “.corn” domain and the third replaces a lowercase “L” with a lowercase “I”—both minor differences that are even harder to spot in tiny, lowercase font.)

When the account manager believes that they’re emailing with the real Jane Doe and not some scammer, the scammer takes the final step, asking that payment be wired to their “new”—in reality fraudulent—bank account … and preferably today! Once the money hits the scammer’s account, the scammer scatters it to other accounts, which then may scatter the money further. So, when your business figures out what happened, it’s practically impossible to reverse the original wire transfer.

How do you avoid this nightmare scenario? And what do you do if it happens to you? We offer a few suggestions.

How to Avoid Falling Victim

Your business can take the following steps to better protect itself from wire transfer fraud scams:

  1. Create an “outside channel” verification policy. This means that your business won’t take a single payment-change request at face value. Or, to be extra cautious, you could require this for every single wire your business sends out. Either way, this policy will require any request to be verified separately by an employee, using some different method of communication. For example, did the change request come in through email? Then your account manager should find Jane Doe’s phone number in their contacts list and call her back to verify that, yes indeed your supplier does have a new account it’s using. The key here is for your employee to verify the request using information that it separately knows to be correct.
  2. Reach agreements with your business partners. Talk to folks at any business you wire money to or receive wires from. Decide on ways to work together to avoid these schemes. Ask your partners to turn on multifactor authentication to reduce the chance their email accounts will be compromised. (And, while you’re at it, make sure you’ve turned it on, too.) Request or inform them that additional verification should be used to verify any payment instruction change. Agree, by contract, on who has the responsibility to avoid these schemes and who’s financially liable if you fall victim.
  3. Divide employee duties and require a double-check. Don’t make a single person responsible for all aspects of making payments. For instance, if your account manager receives and approves payment of invoices, give someone else the responsibility for actually initiating the wire transfer. And make it clear that both employees (or, better yet, someone else entirely) have to confirm that the instructions are coming from a legitimate source.
  4. Educate your employees. No two scams are exactly alike, but there are some telltale signs that an email is fraudulent. Anything that seems “off” should raise a red flag. We’ve come up with four categories—with the helpful acronym T.R.U.E.—that are some of the most common indicators of scam emails.
  • Tone. Does the email use strange words or phrases? Are its sentences tough to understand? Does it not “sound” like the person you typically email with? Does its greeting seem off?
  • Requester. Look closely. Who is actually making this request? What is their email address? What about the domain? Have you actually emailed with this account before?
  • Urgency. Does the email want a wire to be made immediately? Does it threaten that something bad will happen? Did the email come in at a strange time—maybe 3:30 a.m., when it’s business hours in other parts of the world? Basically, if the email is telling you to hurry up, it’s a red flag that you should slow down.
  • Errors. Are there misspellings or grammar mistakes? Did the font change between emails or even within one?
  1. Make sure your cyber insurance policy provides coverage. Not every policy will cover wire transfer fraud schemes. So talk with your broker to make sure yours does, particularly if your business routinely sends or receives wire!

    What to Do If the Wire Has Already Been Made

    In the worst-case scenario that the wire has already been made—which might happen even if you take every precautionary step imaginable—you can still proactively try to limit the damage. How? Here are a few suggestions:

    1. Call your insurance broker. Alert your broker of the incident so preliminary steps can be taken in the claims process.
    2. Call an attorney. Unfortunately, it’s very likely that a fraudulent wire transfer will lead to a dispute over who is responsible. That’s the reality when the money ends up in the “bad actor’s” hands, with the sender and intended recipient both left empty-handed. The sender often tries to pin the blame on the intended recipient, and vice-versa. It’s difficult to say who is right without knowing the precise circumstances of a given transfer. And, even then, there are often shades of gray with both parties having some responsibility. An attorney experienced in this type of data dispute can help you understand your options, make good decisions, and ultimately untangle the mess the fraudster created, putting you in the best possible position.
    3. Call your bank and the recipient bank. All might not be lost. Sometimes banks are able to “undo” a transaction and, fortunately, we’ve occasionally seen it be successful l… though not often enough that you should rely on it. (An attorney can often be helpful in this process, too, as you navigate what to disclose to the banks and complying with any requests the banks may have of you.)
    4. Call law enforcement. Law enforcement—particularly the FBI and Secret Service—have also been successful in recovering misdirected funds if the misdirected payment is reported with 48 hours of the transfer occurring … though, again, not often enough to expect it. Both the sender and intended recipient in a fraudulent wire transfer scheme are victims, and our experience with law enforcement officers is that they understand that and do everything in their power to fix what they can. (Though, again, retaining an attorney to guide you through the reporting process can be a good idea.)

    M3 Insurance is available if you have any questions regarding your insurance coverage related to misdirected payments. If you have any questions on how to best prevent or resolve a misdirected payment issue, Godfrey & Kahn’s attorneys are ready to assist.

    28490512.1

    Information contained herein is based on a summary of legal principles. It is not to be construed as legal advice and does not create an attorney-client relationship. Individuals should consult with legal counsel before taking any action based on these principles to ensure their applicability in a given situation. 

    Back to Insight Center

    Related Content

    Cybersecurity Board Room
    Article

    Cybersecurity in the Board Room
    Cybercrime Pino-Gallagher
    News/Media Podcast

    Pino-Gallagher Shares Cybersecurity Tips for Agribusinesses: Mid-West Farm Report
    InsurSec Podcast with Thomson
    Podcast

    Thomson Featured in InsurSec Podcast: Cyber Liability
    Bush State Bar of Wisconsin Insurance article
    News/Media

    Bush Featured in State Bar of WI: Insurance Coverage for Downstream Contractors and Suppliers