Businesses are increasingly falling victim to wire fraud scams – sometimes referred to as “man-in-the-email” or “business email compromise” scams. Although there are multiple variants, a common situation involves an attacker gaining access to the email system of a company, or the company’s vendor, and monitoring email traffic about an upcoming transaction. When it comes time to submit an invoice or a payment, the attacker impersonates one of the parties and sends wire instructions asking that payment be sent to the attacker’s bank account.
Wire fraud scams often victimize two businesses – the business that expected to receive payment, and the business that thought that it had made payment. The scam can cause significant contractual disputes between the victims as to who should bear the loss. Wire fraud scams also target businesses of all sizes across sectors. There is no single industry that is targeted more than another.1
The number of businesses victimized by wire transfer fraud.2
The amount of domestic and international exposed dollar loss from October 2013 to December 2016 due to wire transfer fraud.3
Increase in identified victims and exposed loss from January 2015 to December 2016.4
Steps to help avoid wire fraud scams:
- Avoid free web-based email systems to transact business.
- Enable multi-factor authentication to log into all email systems.
- Require employees to select unique and strong passwords or pass phrases.
- Require employees to change email passwords frequently.
- Require multi-factor authentication (e.g., email and telephone call) when receiving initial payment information.
- Require multi-factor authentication when receiving a request to change payment information.
- Send a confirmatory letter or email (not using the “reply” feature in email) concerning any request to change payment information.
- Delay payment in connection with any request to change payment accounts or a request to make payment to a foreign bank account.
- Review any request received by email to change payment accounts for signs that the email may be from a third party.
- Provide clear instructions to business partners concerning how payment information should be communicated.
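One way to automate part of the email review step above, as an added example that is not part of the original article. The article does not name the specific signs; the two checked here (a Reply-To domain that differs from the From domain, and a domain that nearly matches a known partner's) are assumptions, as are the partner domain and the constructed sample messages.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains of partners you already do business with (constructed value).
KNOWN_PARTNER_DOMAINS = {"acme-supplies.example"}

# Constructed sample messages, not real traffic.
SAMPLE_SPOOFED = """\
From: Accounts <billing@acme-supplies.example>
Reply-To: billing@acme-suppliies.example
Subject: Updated wire instructions

Please use our new bank account for the next invoice.
"""
SAMPLE_GENUINE = SAMPLE_SPOOFED.replace("Reply-To: billing@acme-suppliies.example\n", "")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_payment_change_email(raw):
    """Return reasons to hold the request until it is confirmed out of band."""
    msg = message_from_string(raw)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    for d in sorted({sender, reply_to} - {""} - KNOWN_PARTNER_DOMAINS):
        for known in sorted(KNOWN_PARTNER_DOMAINS):
            if edit_distance(d, known) <= 2:
                findings.append(f"{d} is a near match for partner domain {known}")
    return findings

if __name__ == "__main__":
    for reason in review_payment_change_email(SAMPLE_SPOOFED):
        print("HOLD:", reason)
```

An empty result does not show that a message is genuine, since an attacker inside a real mailbox sends from the real domain; the confirmation steps in the list still apply.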
If you are victimized by wire fraud, consider:
- Notifying the receiving bank and requesting that a freeze be placed on any remaining funds.
- Notifying law enforcement.
- Investigating whether your email system may have been compromised.
- Asking business partners to investigate whether their email systems may have been compromised.
- Determining whether your organization has a crime-fraud insurance or cyber insurance policy and, if so, whether it extends to wire transfer fraud.