Fund managers, real estate developers, and companies with investors are all acting as fiduciaries for their investors’ capital and have a duty to preserve trust and protect their clients’ interests. Wire fraud is a direct and underappreciated threat to this duty, especially considering the financial and reputational damage associated with the crime.
Wire fraud laws are rather expansive and are similar to those of mail fraud, except that they involve the use of electronic communications. The crime that targets fund managers and real estate operators, however, is very specific and focuses on social engineering. At its most basic, it can be summarized as fake invoice fraud delivered with social engineering tactics. The attacks range in sophistication from very basic phishing and spoofing attacks to much more advanced cases including business email compromise, ported cell phones and deepfake authorizations.
The attack tends to take advantage of how busy the targets are, often relying on the fact that wire security is an overlooked aspect of any deal, and few organizations have concrete controls in place. With deadlines looming, the bad guys insert themselves at the right moment using effective confidence tricks to steal your money.
One of the most important steps in protecting yourself is to acknowledge that recourse and recovery are unlikely, so the only solution is to work diligently on solving the wire fraud problem pre-loss. The good news is that there are existing best practices that protect your investors, their capital, and your business from this crime.
The Problem
Nearly $2 billion was stolen last year in wire fraud; however, Conduit Security’s CEO, Ryan Castle, estimates the actual number is double that. Why? The crime is under-reported as firms realize they are solely responsible for the loss and look to contain the damage the crime creates.
“Many companies make the logical decision to absorb the loss out of earnings once they realize they have no recourse. The rule of thumb is whoever sends the wire has the liability, regardless of other factors,” says Castle. “Surprisingly, this even extends to organizations who use 3rd party accountants. Liability rests with the general partner or fund manager. The criminals are so good now, they know how to pull the right levers to get your team to act. It has evolved well beyond phishing or spoofing. This crime happens every day to fastidious professionals at organizations with large cybersecurity budgets and works regularly across the spectrum of industries and company sizes. With an increase in distributed teams and working from home, it is only going to get worse.”
Review of Best Practices
- Review your Cyber and Crime Insurance Policies with your broker. You need to have a crystal-clear understanding of your protections and your limits. Specifically ask if your policy has a social engineering clause and any restrictions or limitations for wire transfer fraud.
- If you use a 3rd party accountant or administrator, have a serious conversation and contract review with them around liability as it pertains to wire fraud. What are their expectations and responsibilities when it comes to verifying instructions or recovering a lost wire? When are they and when are they not covering any losses? We have experienced a lack of alignment among fund managers and their outsourced accounting teams on this issue.
- Train your employees on the crime. This is markedly different than standard phishing and security awareness training. Do they understand the mechanics of the crime and how it works? Have they seen real-world examples that have “worked” in the wild?
- Have a written policy in place that covers the process, roles, and responsibilities for all stages of electronic funds transfers. Explicitly define what validations must be met for a transfer and the decision tree of why and when verification phone calls are made with recipients, teammates, and your bankers.
- Turn on and optimize the existing protections that your bank provides. This is important, but keep in mind that banking protections are better suited to solving embezzlement issues than wire fraud attempts. In the crime of wire fraud, the victim organization always intends to send the funds, and that is a difficult problem for any bank to solve.
Ultimately, the question that must be asked and answered internally is: would the system you currently have in place stop an attack, every time? Think of your busiest employee, on her most hectic day, receiving a convincing invoice from the actual email of your counterparty. Furthermore, can you unequivocally prove to a judge that you took the necessary steps and made the appropriate verification calls to that counterparty? If you can’t do these things, you are at risk.
Wire fraud exists because companies, leadership and teammates are busy. The stakes are high, the crime is not well understood, and the bad guys exploit this with both regular and astounding success. If you would like help in training, auditing your team, or putting written processes in place, please contact us at info@conduitsecurity.com.
Safe Wiring!