Cybersecurity Alert: Recent Increase in Wire Transfer Fraud
By Craig S. Horbus & Hanne-Lore M. Gambrell on October 4, 2019
In recent years, there has been a significant increase in wire fraud attempts against law firms, their clients, and opposing parties. While there is some variation, the common scheme of this type of scam is the same when a real estate deal, corporate transaction, or litigation settlement concludes and funds are about to be wired, hackers insert themselves in the flow of communications, usually via email, providing fake and/or “updated” wire instructions that result in funds being wired to hackers rather than the intended recipient. The scam has become so sophisticated, that hackers are now able to send fraudulent wire instruction from the actual email account of one of the parties of the deal or the settlement resembling genuine wiring instructions in all respects.
Wire transfer fraud has become so prevalent that the FBI recently issued a public service announcement. In the announcement, the FBI warned that this type of scam “continues to grow and evolve,” targeting small, medium, and large business and personal transactions. Additionally, using data from the FBI’s Internet Crime Complaint Center, the FBI reported that between December 2016 and May 2018 there was a 136% increase in identified global exposed losses due to wire transfer fraud, to approximately $12.53 billion. (“Exposed losses” includes both actual and attempted dollar losses.)
Because these scams show no sign of slowing down, the attorneys at Brouse McDowell have compiled the following tips to avoid falling prey to wire transfer fraud:
- Be aware and suspicious of last-minute changes to wire instructions. The same is true for last-minute emails seeking to accelerate the timing of wire transfers. Last-minute changes and “time is of the essence” emails regarding wire transfers should be treated as red flags and dealt with cautiously.
- Incorporate a mandatory two-factor authorization, by calling a known telephone number as a step for every wire transfer. When hackers provide their new, fraudulent wiring instructions via email, they will often include a new phone number for subsequent confirmation. Therefore, wiring instructions should only be confirmed to a known number with a known party; do not rely on or use phone numbers included in any email that provides changed wiring instructions. Additionally, always make an outgoing call to a known number, as hackers have been known to email changed wiring instructions and then call, posing as one of the deal parties.
- Be sure to obtain and verify contact information from all parties at the beginning of a transaction, and use only those verified emails, phone numbers, and addresses.
- Transmit wire instructions for a transaction up front, preferably in a verbal or written (non-email) communication, and agree to a protocol for any changes to the instructions. Attorneys should consider addressing wiring instructions in engagement letters for each transaction, including instructions that clients should call the attorney’s office before initiating a wire transfer to any other account.
- Consider employing a verbally agreed upon change code or password to be used whenever there is a change in wiring information with the other parties involved in the transaction.
The attorneys at Brouse McDowell cannot stress how important it is for our clients to maintain best practices when it comes to data privacy and cybersecurity. Brouse McDowell is here to help our clients navigate these tricky waters. Brouse McDowell offers legal services related to data privacy and cybersecurity, including pre-breach and cybersecurity planning services, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery, and response). Contact us for more information.