Risk Trend
This risk alert highlights a recent trend of criminals using fraudulent wire transfer schemes to target financial institutions and the steps that clients can take to mitigate this increasing risk. We have observed this trend affecting investment managers and funds, non-bank financial technology companies (“fintechs”), crypto custodians, and their clients, customers, and investors.
Attack Patterns
The primary goal of a fraudster is to prompt either a company or its customers to initiate a wire transfer to a bank account controlled by the fraudster. Fraudulent wire transfer schemes can take any number of forms, including:
- The fraudster compromises a company’s systems and, posing as the company, directly instructs the company’s bank, broker, custodian, or other financial institution to wire funds to a bank account controlled by the fraudster.
- The fraudster compromises the company’s systems and, posing as the company, directs clients to wire funds to a bank account controlled by the fraudster.
- The fraudster compromises a company’s systems and, posing as a company executive, directs a company employee to wire the company’s funds to a bank account controlled by the fraudster.
- The fraudster compromises a customer’s systems or identity and directs the company to wire funds from the client’s account at the company to a bank account controlled by the fraudster.
These attacks are often perpetrated by sophisticated criminals, and many are conducted by state actors or state-backed organizations.
Prevention Measures
The best way to defend against these attacks is to introduce friction into the wire transfer process as a circuit breaker. This has the unfortunate effect of reducing efficiency, but fraudsters rely on efficiency to get in and get out before anyone knows what has happened.
The easiest way to introduce a circuit breaker into the wire transfer process is to integrate a telephone call requirement for each transfer (or each transfer above a certain dollar threshold). For each wire transfer you send, confirm via telephone call – i.e., speak to another human being – the amount and account number to which you are wiring funds. For each wire transfer you request from a customer or vendor, inform the counterparty that you will provide or confirm transfer instructions via telephone call and instruct them not to wire funds without telephone confirmation.
Larger organizations may be able to build more automated means of confirmation, such as one-time pass codes using two-factor authentication or a requirement to answer challenge questions. However you choose to do it, the key is to interpose a circuit breaker of some kind.
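The circuit breaker described above can be enforced in software rather than left to individual judgement: a wire is held until a logged telephone confirmation matches the instruction. The following is an added illustration, not code from the alert or from Seward & Kissel. The dollar threshold, the 24-hour validity window for a callback, the record layouts, and the sample counterparty, account numbers and phone numbers are all assumptions constructed for the example. The point it makes beyond the text is that the callback must go to the number already on file from onboarding, never to a number supplied in the instruction itself, and must confirm both the amount and the beneficiary account.

```python
"""Wire-release circuit breaker: hold any outgoing wire until an out-of-band
callback has confirmed the amount and beneficiary account.

Added example, not from the alert. The threshold, record layouts and the
24-hour callback validity window are assumptions chosen for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal
from typing import Optional

CALLBACK_THRESHOLD = Decimal("10000")      # assumed dollar threshold for callback
CALLBACK_MAX_AGE = timedelta(hours=24)     # assumed validity window for a callback


@dataclass(frozen=True)
class Counterparty:
    """Onboarding record. The phone number here is the only number ever dialled."""
    name: str
    phone_on_file: str
    verified_accounts: frozenset


@dataclass(frozen=True)
class WireInstruction:
    """A request to send funds, as received (e-mail, portal, etc.)."""
    counterparty: str
    amount: Decimal
    beneficiary_account: str
    # Contact details included in the message itself. They are kept for the
    # audit trail but never used for the callback.
    phone_in_message: Optional[str] = None


@dataclass(frozen=True)
class CallbackRecord:
    """Log entry written by the person who made the confirmation call."""
    counterparty: str
    phone_dialed: str
    amount_confirmed: Decimal
    account_confirmed: str
    confirmed_by: str
    confirmed_at: datetime


def callback_required(instr: WireInstruction, cp: Counterparty) -> bool:
    """Assumed policy: call back for anything at or above the threshold, and for
    any beneficiary account not verified before, whatever the amount."""
    return (instr.amount >= CALLBACK_THRESHOLD
            or instr.beneficiary_account not in cp.verified_accounts)


def release_decision(instr: WireInstruction, cp: Counterparty,
                     callback: Optional[CallbackRecord],
                     now: datetime) -> tuple:
    """Return (release, reason). Each hold reason names the check that failed
    so the operator knows what is missing; release needs every check to pass."""
    if instr.counterparty != cp.name:
        return False, "hold: instruction does not match counterparty record"
    if not callback_required(instr, cp):
        return True, "verified account below threshold"
    if callback is None:
        return False, "hold: telephone confirmation required"
    if callback.counterparty != cp.name:
        return False, "hold: callback logged against a different counterparty"
    # The number dialled must be the one on file. A number offered inside the
    # instruction is under the sender's control, whoever the sender really is.
    if callback.phone_dialed != cp.phone_on_file:
        return False, "hold: callback was not made to the number on file"
    if callback.amount_confirmed != instr.amount:
        return False, "hold: confirmed amount differs from instruction"
    if callback.account_confirmed != instr.beneficiary_account:
        return False, "hold: confirmed account differs from instruction"
    if now - callback.confirmed_at > CALLBACK_MAX_AGE:
        return False, "hold: callback is older than the validity window"
    return True, "released after telephone confirmation"


# Constructed sample data (not real accounts or phone numbers).
VENDOR = Counterparty(name="Acme Supplies", phone_on_file="+1-555-0100",
                      verified_accounts=frozenset({"ACCT-0001"}))
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Run several instructions through the breaker and return the decisions."""
    routine = WireInstruction("Acme Supplies", Decimal("2500"), "ACCT-0001")
    # An instruction naming a new account and offering its own contact number.
    changed = WireInstruction("Acme Supplies", Decimal("2500"), "ACCT-9999",
                              phone_in_message="+1-555-0199")
    bad_callback = CallbackRecord("Acme Supplies", changed.phone_in_message,
                                  Decimal("2500"), "ACCT-9999", "ops1", NOW)
    good_callback = CallbackRecord("Acme Supplies", VENDOR.phone_on_file,
                                   Decimal("2500"), "ACCT-9999", "ops1", NOW)
    return {
        "routine": release_decision(routine, VENDOR, None, NOW),
        "changed_no_call": release_decision(changed, VENDOR, None, NOW),
        "changed_called_message_number": release_decision(changed, VENDOR, bad_callback, NOW),
        "changed_called_number_on_file": release_decision(changed, VENDOR, good_callback, NOW),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:32} {'RELEASE' if ok else 'HOLD':8} {why}")
```

Running the script prints one line per scenario. The routine wire to a known account releases without a call; the wire to a new account is held until a callback is logged, and is still held when the logged call went to the number carried in the instruction rather than the number on file. Only the callback to the onboarding number, confirming the same amount and account, releases it.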
Potential Consequences
The consequences of a fraudulent wire transfer can be dire. Wire transfers are a preferred attack vector because under Article 4A of the UCC, which governs wires, there are limited transaction reversal rights. By contrast, ACH transfers are subject to a greater number of transaction reversal rights, which can sometimes shift the liability for the fraud from the defrauded company to one of the banks involved in the transaction.
Typically, wire transfers cannot be reversed more than 24 hours following the transfer. The fraudster will usually abscond with the funds as soon as the transfer settles and it can be very difficult to trace the funds for recovery purposes. Once the money is gone, it’s usually gone for good.
Response Procedures
If you have been the victim of a wire transfer fraud, please inform your Seward & Kissel relationship partner or Casey Jennings as soon as possible. Depending on the circumstances, you may need to alert law enforcement, your regulator, and affected customers. You will also likely need to engage a third-party forensic specialist to determine the attack vector and remediate any security vulnerabilities. Such engagements should be done through Seward & Kissel so that any communications, findings, or reports produced by the specialist are protected by the attorney-client privilege.
As always, consult your own internal policies and procedures for responding to a security issue. Regulators do not expect data security perfection, but they do expect entities to follow their internal procedures to a “T.”
If you have any questions, please reach out to your Seward & Kissel relationship attorney or Casey Jennings.