Last month, I got a call from a title insurance company closer. Our client and the other parties to a real estate transaction had just instructed the title company to go ahead with the recording of documents and disbursement of funds in accordance with the settlement statement. We had sent an email to the closer with wire instructions for the funds—and the closer was calling to ask me to confirm those wire instructions, including the ABA routing number and the account number, over the phone.
The closer explained that her company had instituted a policy of confirming all wire instructions by phone (using a phone number obtained from a source other than the wire instructions themselves). The title company was reacting to reports of scammers hacking into emails, replacing the original wire instructions with fraudulent instructions, and sending the hacked emails on to the intended recipient—resulting, of course, in funds being wired to the scammers and never getting to where they were supposed to go.
A few days later, The Wall Street Journal published an article headlined, Hackers Trick Email Systems Into Wiring Them Large Sums. According to the article, worldwide losses from scams involving false wire transfer instructions amounted to more than $1 billion from October 2013 through June 2015, and most of the losses were in the U.S. In some cases, cybercriminals implant malicious software that allows them to access an email system, which they then use to send false wire transfer instructions for a transaction that’s otherwise legitimate. The scammers also sometimes send emails from addresses that are almost identical to legitimate addresses but are off by one or two characters; the recipient, not noticing the error, complies with the instructions. Victims of this fraud have little recourse, and the funds are often quickly moved to foreign bank accounts that are hard to trace.
According to a January 2015 public service announcement by the FBI, this scam, which was formerly known as the Man-in-the-E-Mail Scam, has been relabeled as Business E-Mail Compromise, to highlight the “business angle” of the scam. One of the characteristics of the scam, according to the FBI, is that the fraudulent email requests for wire transfers are “well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.”
What steps can you take to avoid becoming a victim of this scam?
- Before sending any wire, review the applicable invoice and request for wire very thoroughly.
- Contact the party who is supposed to receive the wire, in order to confirm the wire instructions before sending the wire.
- Use a secure messaging system when you are sending wire transfer instructions.
- And, of course, always use secure passwords for your email accounts.