4 minutes
Reliance on electronic communication gives hackers an opportunity to redirect funds.
Sponsored by Kaufman & Canoles
Wire fraud is not a new crime. Many criminals have engaged in this activity in the past and will continue to do so in the future. But wire fraud has taken a new twist in the age of electronic communication.
We have seen hackers spoof emails and send instructions from what appears to be an executive to an administrative assistant or the accounting department with instructions to wire thousands of dollars to a particular account. If the wire is sent, the funds are unlikely to be recovered unless the FBI is notified within a very short period of time. Typically, the financial institution is not liable for the misdirected funds, because its account agreement contains language allowing it to rely on the client’s instructions. On that note, credit unions should review their account agreements with members to ensure they are able to rely upon the instructions given by a member, or that appear to be given by a member.
More recently, hackers have begun injecting themselves into transactions, such as real estate and commercial transactions between sellers and buyers. If a hacker is able to obtain the credentials of a lawyer, real estate agent or company inside—and this is not difficult for those who are adept at phishing and social engineering—then the hacker has access to details about the transaction, such as the parties involved, their email addresses and the property or assets to be sold.
Once the hacker has access to a party’s email, he can easily set up filtering rules that direct emails intended for that party to the hacker’s own account—the intended recipient may never see incoming emails from a client. Lack of access to a party’s email is not necessarily a problem either, as a hacker can spoof email so that it appears to come from the lawyer, agent or involved party. At first glance, a spoofed email appears to show the name or email address of a legitimate sender; however, the actual address is different from the name that appears in the email. When the email recipient replies, the reply goes directly to the hacker.
So, what about the money? Once the hacker has access to the parties, he just lies in wait, waiting to strike when the involved parties provide wiring instructions or are told to wire funds. The hacker intercepts the communication, interjects his own wiring instructions and the funds are soon on their way to his account.
If you think this can’t happen to you, please think again. A justice on the New York Supreme Court recently fell for this exact scam in the course of selling her apartment and buying another. Upon receiving an email containing wire instructions that she thought was from her lawyer, she wired $1,057,500 to an account. The funds were then forwarded to Commerce Bank of China. The matter continues to be under investigation.
Steps can be taken to help prevent fraudulent transfers. If wire transfer requests are permitted by email or phone, credit unions should consider implementing a verification process. CUs can also establish parameters that require an in-person request for transfers over a certain dollar amount.
In our haste to close one transaction and move to the next, our reliance on electronic communications may become our downfall. We rush to respond to emails, finalize last minute details, have documents signed and get transactions in order to close, all by way of electronic communication. When the time comes to wire funds, it is a best practice to actually pick up the phone and confirm the wiring instructions. This can save all of the parties involved a lot of headache, not to mention potential legal action and liability.
Nicole J. Harrell is member of Kaufman & Canoles’ Norfolk office and Chair of the Data Privacy & Security Practice Group. Harrell regularly assists clients with cyber preparedness and breach response. Her practice includes counseling clients on preparing for a cyber incident, coordinating forensic analysis, assisting with media announcements, developing response plans and notifications, and working on cyber insurance coverage and claims. She also regularly reviews and negotiates third-party vendor contracts for data security and privacy concerns. She can be reached at (757) 624.3306 or njharrell@kaufcan.com.
The Kaufman & Canoles Credit Union Team serves as general counsel to credit unions, large and small, regularly advising clients on consumer compliance issues, NCUA requirements, and the rules governing credit union service organizations. For more information about our team visit www.kaufcan.com.
