As the public becomes more savvy about protecting themselves from fraud – in part due to the assistance of increasingly sophisticated anti-virus and anti-phishing software – thieves are becoming more and more creative about new ways to steal. A disturbing new trend is that some thieves are beginning to directly target financial advisors and their clients – as famous bank robber Willie Sutton noted, if you want to get rich by stealing, go to where the money is! Accordingly, financial advisors and investment custodians have seen a noticeable increase in attempts at fraudulent wire transfers by "spoofing" – where a request sent “from the client” is actually a spoof from a fake-but-similar email account (or sometimes is even the client’s actual account!), and asks the advisor to process a wire transfer to a third party bank account. By the time anyone realizes the request was fake, the money is already gone, the transfer cannot be unwound, and the wire fraud theft is complete. In response, it’s crucial for advisors to review – and potentially change and improve – their processes and procedures to ensure a wire transfer request is legitimate before acting upon it, especially in scenarios where the transfer is going to a third party. Fortunately, some best practices are emerging about how to avoid these kinds of client disasters!
The inspiration for today’s blog post is an increasing number of incidents I’m hearing from colleagues regarding attempted wire fraud by spoofing – where thieves posing as clients send in requests to the client’s financial advisor requesting a wire transfer. Except the transfer request is a fake, and if the money is really transferred to the (thief’s) third party account, it’s gone for good.
Typical Wire Fraud Request
A typical wire fraud request might ask for a “moderate” sum to be sent (e.g., $25,000), via wire transfer, to a third party account (i.e., transferring to a bank account not owned by the client). Most often, the request is submitted via a fake email address that looks very similar to the client’s real address; for instance, instead of [email protected], it might be [email protected], or even [email protected] (in case you couldn’t tell, the second letter in the latter example isn’t a lower case “L”, it’s an upper case “i” - in some fonts, they look precisely identical!).
In the even more insidious scenario, the email actually comes from the client’s real email address, because the client’s own email address has been hacked/compromised! In such scenarios, the thief uses the client's own email account to submit the transfer request, often by looking through old saved emails and/or the Sent folder to find details about where the financial accounts are held and what advisor(s) the individual works with. Thus, the email may be sent directly from the client’s account, addressed on a first name basis to whoever the client typically works with; if there’s been a wire transfer request in the past, the thief may even simply copy the format of the old email to capture the client’s writing style!
Of course, any wire transfer will require the client’s signature on the document as well. In some cases, the signature is simply forged. In other scenarios, the thief may find a prior wire transfer request the client signed (e.g., in the Sent folder), and print the document, change the target transfer account to the thief’s own, re-scan the document, and re-send it (or in some cases, simply Photoshop it directly).
Thus, it’s entirely possible to receive a wire transfer request, from the client’s own email account, with the client’s own signature, and the client’s own “typical” email writing style – except the whole request is actually a fraud. And once the money leaves the account, it’s virtually impossible to get it back.
Combating Wire Fraud
To say the least, most advisors don’t want to be in a position where they executed a wire transfer for a client that turned out to be fraudulent, sending the client’s money irrevocably out of the account by acting on false orders. That’s a tough thing to explain to a client!
Accordingly, some steps to fight and prevent wire fraud attempts include:
- Pay special attention to wire transfers that are going to a third-party account (as opposed to the client’s existing and known bank accounts, which generally would not be an issue). Be especially cognizant of transfer requests that don’t appear to be tied to a known client transaction or activity (e.g., a wire transfer to a third-party title company is one thing, especially if the client is in the midst of a real estate transaction; a wire transfer to a third party’s personal bank account with a name you have never heard of, is another).
- Check and double-check any email addresses for wire transfer requests, to verify it’s a legitimate email address, especially in the case of third-party wire transfer requests.
- Verify the client’s signature on the form by comparing it to prior signed documents (custodians are increasingly scrutinizing this as well).
- Watch for suspicious indicators in the transfer request or the email address, such as “I’m unable to be reached by telephone today, please execute this transfer immediately” (as the thief is hoping the transfer will be processed without verification)
- Follow up with a phone call to verify the request. Use the existing phone numbers you have on record for the client, not any phone number that is included in the email. Some thieves have been so brazen as to include a contact phone number to confirm the request, inviting staff to contact the thief directly to get a (fake) verbal authorization! Ideally, ensure that the person making the confirmation call is someone who has worked with the client in the past, and would recognize the client’s voice, to confirm it really is the client.
- Transfer documents securely, with encryption and password protection. Bear in mind that the security issue here is not only that the document with important information might be intercepted (which is why encryption matters), but that the client’s email address might be compromised, allowing the thief to grab the file from the client’s saved email or sent files (which is why password protection matters). In addition, be certain that secure transfers go both ways - clients sending scanned copies of documents with signatures should be sending with encryption and password protection as well! Remember, if only takes one weak point in the chain for it to be broken, and in many cases it's actually the client's account that is the weak link.
- Consider using a client vault as a secure place to share and transfer documents requiring signatures, rather than via email. Alternatively, or in addition, consider a service like Sharefile to ensure that only links to documents held in a secure, password protection location are sent, rather than the files themselves as attachments. (Click here for a good review of Sharefile by technology consultant Bill Winterberg.)
- Educate clients about how to protect themselves, including the secure transfer of files, password protection on files they receive and send, and proper password protection for the email account itself, as well as running proper anti-virus and anti-malware software protection.
By far, the most common verification being used - besides scrutinizing the paperwork itself and the signature - is to place an outbound call to the client at a known number to verify the request. Although as noted earlier, ideally you should have a staff member on the call who can recognize the client's voice, as in some situations a thief with access to a client's email address can actually re-route their cell phone number to the thief's phone! For some further security tips, check out technology consultant Bill Winterberg's tips regarding this problem as well.
Fortunately, the reality is that most clients do not make frequent wire transfer requests, and especially not to third parties; as a result, any wire transfer to a(n unknown) third party often stands out, inviting additional due diligence. Nonetheless, the reality is that thieves appear to be beginning to specifically target either clients of financial advisors, or wealthy people in general by seeking out their financial advisors as a weak point, in order to commit wire fraud. If you haven’t seen an incident like this occur already, there’s a high risk and probability that you will soon; either way, the custodians certainly have, so be understanding when they ask for additional confirmation regarding "suspicious" transfers (even if/when they turned out to be legitimate!).
Be prepared, so you can catch the problem on behalf of your client before it’s too late!
Joseph Alotta says
The fact that you are even writing this posting is very strange to me. It seems you know a lot of advisors who transfer so much money every day that they are unaware of the actual desires of the client. I put relationship first and I don’t get any wire requests that I am not expecting and without knowing why the client is doing it.
Michael Kitces says
What if the request comes in the afternoon, the client says the transfer is important, and you’re in a meeting? Would your staff disregard timely client requests just because you’re not available at the time? Do you oversee every cash flow transfer of every client, every day of the year?
Most planners do not oversee their administrative staff at that level of detail – not to review 100% of transactions that have time urgency from the client (which in some cases is legitimate).
Or worse, what happens if a client makes a request to move $10,000 from a $3,000,000 account while you’re on vacation? Do staff track you down for every request?
In some practices that may be the case, but as practices grow that starts to become very impractical and actually degrades client service with (unnecessary?) delays.
Mike Hodell says
Thank you for writing about this issue.
The firm I work for has a policy that prohibits advisors from accepting instructions through email, voicemail, and fax. In all cases, we must speak to or receive written instructions with an original signature from the client(s).
We share this policy with clients regularly so that we can hopefully avoid the emergency situation you describe.
It is not a policy without its drawbacks, but I do not know of a better one that protects clients, advisors, and their firms.
Thank you for all you do to make us better advisors to our clients.
Daniel Bauer says
We’ve had this happen a few times, where we received wire transfer requests via email from the client’s actual email address. In both cases, they were obvious fraud attempts, because we know our clients.
I think this is a very easily-preventable situation. A firm need only dictate that any third-party check requests require both verbal and written instructions, and the verbal instructions must be accepted by a person at the firm who knows the client (i.e. the primary advisor or service person).
I don’t work in a huge office, but no service person here would be allowed to handle a third-party money withdrawal request without consulting the advisor on the case first.
– Dan Bauer
I am reading this article because I am a victim of unauthorized wire transfers.
I am on vacation, my email got hacked, hacker/s emailed my bank instructed them to send out 3 yes 3 wire transfers, a total of about $52k to three different accounts of people I have no knowledge of whatsoever.
Two of the transfers were dig out of my line of credit. What shocked me was that the banker/s didn’t once ask the scammer/s a single question to verify his identity. I know that from all the emails that gmail has been able to retrieve for me.
I thought that wire transfer require a signature? I thought that the bank employee would verify the identity the person on email by asking at last 4 digits SS # or my mother’s maiden name etc. The bank employee also gave the detail of my account to the thief on email without verifying his identity. The thief never once mention my account # all he did was asked the bank to send him/her the balances on my accounts and the bank gave him/her every little detail of my accounts information. The bank was not able to reach me on the phone but they could have emailed me on my other email address they have on file.
I feel broke, violated and sad. I expect the bank will reimburse me but what is my stand legally if they don’t. I live in Mi.