As the public becomes more savvy about protecting themselves from fraud – in part due to the assistance of increasingly sophisticated anti-virus and anti-phishing software – thieves are becoming more and more creative about new ways to steal. A disturbing new trend is that some thieves are beginning to directly target financial advisors and their clients – as famous bank robber Willie Sutton noted, if you want to get rich by stealing, go to where the money is! Accordingly, financial advisors and investment custodians have seen a noticeable increase in attempts at fraudulent wire transfers by "spoofing" – where a request sent “from the client” is actually a spoof from a fake-but-similar email account (or sometimes is even the client’s actual account!), and asks the advisor to process a wire transfer to a third party bank account. By the time anyone realizes the request was fake, the money is already gone, the transfer cannot be unwound, and the wire fraud theft is complete. In response, it’s crucial for advisors to review – and potentially change and improve – their processes and procedures to ensure a wire transfer request is legitimate before acting upon it, especially in scenarios where the transfer is going to a third party. Fortunately, some best practices are emerging about how to avoid these kinds of client disasters!
The inspiration for today’s blog post is an increasing number of incidents I’m hearing from colleagues regarding attempted wire fraud by spoofing – where thieves posing as clients send in requests to the client’s financial advisor requesting a wire transfer. Except the transfer request is a fake, and if the money is really transferred to the (thief’s) third party account, it’s gone for good.
Typical Wire Fraud Request
A typical wire fraud request might ask for a “moderate” sum to be sent (e.g., $25,000), via wire transfer, to a third party account (i.e., transferring to a bank account not owned by the client). Most often, the request is submitted via a fake email address that looks very similar to the client’s real address; for instance, instead of firstname.lastname@example.org, it might be email@example.com, or even cIient@gmail.com (in case you couldn’t tell, the second letter in the latter example isn’t a lower case “L”, it’s an upper case “i” - in some fonts, they look precisely identical!).
In the even more insidious scenario, the email actually comes from the client’s real email address, because the client’s own email address has been hacked/compromised! In such scenarios, the thief uses the client's own email account to submit the transfer request, often by looking through old saved emails and/or the Sent folder to find details about where the financial accounts are held and what advisor(s) the individual works with. Thus, the email may be sent directly from the client’s account, addressed on a first name basis to whoever the client typically works with; if there’s been a wire transfer request in the past, the thief may even simply copy the format of the old email to capture the client’s writing style!
Of course, any wire transfer will require the client’s signature on the document as well. In some cases, the signature is simply forged. In other scenarios, the thief may find a prior wire transfer request the client signed (e.g., in the Sent folder), and print the document, change the target transfer account to the thief’s own, re-scan the document, and re-send it (or in some cases, simply Photoshop it directly).
Thus, it’s entirely possible to receive a wire transfer request, from the client’s own email account, with the client’s own signature, and the client’s own “typical” email writing style – except the whole request is actually a fraud. And once the money leaves the account, it’s virtually impossible to get it back.
Combating Wire Fraud
To say the least, most advisors don’t want to be in a position where they executed a wire transfer for a client that turned out to be fraudulent, sending the client’s money irrevocably out of the account by acting on false orders. That’s a tough thing to explain to a client!
Accordingly, some steps to fight and prevent wire fraud attempts include:
- Pay special attention to wire transfers that are going to a third-party account (as opposed to the client’s existing and known bank accounts, which generally would not be an issue). Be especially cognizant of transfer requests that don’t appear to be tied to a known client transaction or activity (e.g., a wire transfer to a third-party title company is one thing, especially if the client is in the midst of a real estate transaction; a wire transfer to a third party’s personal bank account with a name you have never heard of, is another).
- Check and double-check any email addresses for wire transfer requests, to verify it’s a legitimate email address, especially in the case of third-party wire transfer requests.
- Verify the client’s signature on the form by comparing it to prior signed documents (custodians are increasingly scrutinizing this as well).
- Watch for suspicious indicators in the transfer request or the email address, such as “I’m unable to be reached by telephone today, please execute this transfer immediately” (as the thief is hoping the transfer will be processed without verification)
- Follow up with a phone call to verify the request. Use the existing phone numbers you have on record for the client, not any phone number that is included in the email. Some thieves have been so brazen as to include a contact phone number to confirm the request, inviting staff to contact the thief directly to get a (fake) verbal authorization! Ideally, ensure that the person making the confirmation call is someone who has worked with the client in the past, and would recognize the client’s voice, to confirm it really is the client.
- Transfer documents securely, with encryption and password protection. Bear in mind that the security issue here is not only that the document with important information might be intercepted (which is why encryption matters), but that the client’s email address might be compromised, allowing the thief to grab the file from the client’s saved email or sent files (which is why password protection matters). In addition, be certain that secure transfers go both ways - clients sending scanned copies of documents with signatures should be sending with encryption and password protection as well! Remember, if only takes one weak point in the chain for it to be broken, and in many cases it's actually the client's account that is the weak link.
- Consider using a client vault as a secure place to share and transfer documents requiring signatures, rather than via email. Alternatively, or in addition, consider a service like Sharefile to ensure that only links to documents held in a secure, password protection location are sent, rather than the files themselves as attachments. (Click here for a good review of Sharefile by technology consultant Bill Winterberg.)
- Educate clients about how to protect themselves, including the secure transfer of files, password protection on files they receive and send, and proper password protection for the email account itself, as well as running proper anti-virus and anti-malware software protection.
By far, the most common verification being used - besides scrutinizing the paperwork itself and the signature - is to place an outbound call to the client at a known number to verify the request. Although as noted earlier, ideally you should have a staff member on the call who can recognize the client's voice, as in some situations a thief with access to a client's email address can actually re-route their cell phone number to the thief's phone! For some further security tips, check out technology consultant Bill Winterberg's tips regarding this problem as well.
Fortunately, the reality is that most clients do not make frequent wire transfer requests, and especially not to third parties; as a result, any wire transfer to a(n unknown) third party often stands out, inviting additional due diligence. Nonetheless, the reality is that thieves appear to be beginning to specifically target either clients of financial advisors, or wealthy people in general by seeking out their financial advisors as a weak point, in order to commit wire fraud. If you haven’t seen an incident like this occur already, there’s a high risk and probability that you will soon; either way, the custodians certainly have, so be understanding when they ask for additional confirmation regarding "suspicious" transfers (even if/when they turned out to be legitimate!).