The $12 Billion Electronic Funds Transfer Fraud Problem: How to Recover Your Funds

The FBI and Secret Service are warning companies of significant reported increases in “funds transfer fraud,” a crime we believe is typically underreported suggesting the problem is much larger even than law enforcement is aware. Funds transfer fraud is a crime that leverages technical and social engineered attacks, over the internet or by phone, that involve fraudsters impersonating vendors, executives or banks to convince organizations to wire funds to accounts under the control of the criminal. Unsurprisingly, criminals are leveraging heightened interest and fear surrounding COVID-19 to take money from unsuspecting victims. They are also taking advantage of the confusion and disruption in ordinary business operations. In response, the Secret Service and the FBI have stepped up their efforts nationally, including for example, the Secret Service activating a Chicago COVID-19 Fraud Working Group (CCFWG).

Working with the Secret Service and the banks, it is often possible in the initial 24-72 hour window to reverse the fraudulent transfers and recover the funds. But, time is of the essence. In most cases, the money is no longer recoverable after a matter of days.

How Fraudsters Induce Fraudulent Transfers

The most frequent and easiest method used by criminals is to launch the transfer fraud attack through email phishing or spear phishing. For example, your company may receive an email from a vendor providing new wiring instructions for the funds and explaining that because of COVID-19 their bank has been working slowly and they are switching to a new account. You work with this vendor often, and don’t think to question this request. You wire the funds only to later find out that a hacker was impersonating an authentic vendor. The money is now heading for the fraudster’s account.

Fraudsters can also gain control of online banking transactions through malware or other techniques that allow hackers to take over user accounts and circumvent controls. The attack vector could be a spoofed email that contains a malicious link or attachment, which allows hackers to gain access to the company’s banking credentials (username, password, access to temporary PIN or token credentials). The hacker then logs into the website or portal and instructs the financial institution to transfer funds to a fraudulent account.

Is It Possible to Recover the Transferred Funds?

In some instances, but recovery typically depends on action being taken within 24-72 hours. If you become aware that your organization has wired funds to a fraudulent account, you should immediately gather the following information and contact the Ice Miller Data Security and Privacy team:
 

• Date of wire
• Amount of wire
• Victim Name
• Victim Account #
• Victim’s Bank
• SWIFT/IBAN #
• Beneficiary Account #
• Beneficiary Bank
• Beneficiary Name
• Country/Counties Involved
• A summary of the incident and any supporting documentation

Even when too much time has passed, the door to recovery is not completely closed. Additional avenues of recovery include: (1) Insurance coverage and (2) recovery from third parties who may have caused or contributed to the exploitation (perhaps the third party was hacked and your organization received fraudulent wire instructions from them).

How Can We Mitigate Against Funds Transfer Fraud?

Building an integrated data security program, with training that ties to your company’s financial and internal controls, is the best approach to mitigate the risks that transfer fraud entails. Done well, such an integrated enterprise risk management also helps to protect against other types of fraud and criminal conduct. We caution, in particular, that organizations handling large sums of money and transactions, such as retirement plans, real estate companies, manufacturers and financial institutions, are prime targets for these types of attacks. The criminals often know a great deal about how these companies operate and once they succeed against one, they will replicate their attacks against others.

If your organization experiences funds transfer fraud, please contact an attorney in the Data Security and Privacy practice immediately so we can help.

If your organization is interested in conducting a proactive risk assessment, please contact Nick Merker, a partner and chair of Ice Miller’s Data Security and Privacy practice, Guillermo Christensen, a partner in the Data Security and Privacy and White Collar practice based in DC and New York, or Tiffany Kim, an associate in the Data Security and Privacy practice. Specifically, we can assess whether losses from a fraudulently induced wire transfer would be subject to a sublimit or even covered at all. Further, we can analyze existing accounts payable processes for risks and recommend best practices to avoid these issues outright.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. It speaks only to guidance available as of May 13, 2020. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.