Sophisticated scam targets lawyers and wire transfers
Never trust a last-minute email that changes the original wiring instructions for transferring client funds.
Instead, pick up the phone and call the contact person who provided the original instructions to personally verify the routing and account numbers to be used.
That’s the advice from John Fisher, CEO of First American Bank in Naples, who reports that twice in the past few months, lawyers involved in real estate transactions have been swindled into wiring money to fraudulent accounts.
“the time the receiving party realizes they did not get the money, the money is gone,” Fisher said.
Here is how the scam works, according to an alert issued by the National Association of Realtors:
“Criminals are hacking into the email accounts of real estate agents or other persons involved in a real estate transaction and using information gained from the hack to dupe a party into a fraudulent wire transfer. The hackers often send an email that appears to be from an individual legitimately involved in the transaction, informing the recipient, often the buyer, that there has been a last-minute change to the wiring instructions. Following the new instructions, the recipient will wire funds directly to the hacker’s account, which will be cleared out in a matter of minutes. The money is almost always lost forever.”
While banks do a good job with authentication and validation, Fisher said, if you provide the bank with a wrong account number, the funds will be wired to the wrong account.
“As long as you are the authorized person and you have the codes and you complete the process, the bank is going to send the money to wherever you tell it to,” said Fisher, adding that if that wrong account is controlled by the hacker, the funds will quickly disappear.
“In two instances now for our bank, that is exactly what has occurred. It tells me the fraudsters are monitoring emails for weeks if not months and, right at the last second, they send an email that looks like it is from a legitimate party — but it is not — and they change the account number. So it goes to the correct bank, but the wrong account number.”
To be safe, Fisher said, always assume your emails have been compromised.
“If I’m the buyer or the attorney of the buyer and I’m going to send that wire, I want to know the name of the banker and I’m going to independently look up [the bank’s] telephone number and ask to be connected to speak to that banker to verify the instructions are correct,” Fisher said. “In the instances we have seen, had that second level of validation been done telephonically, it would not have occurred.”
Florida Bar CFO Cynthia B. “Marcy” Jackson said many organizations that use wire transfers as a routine payment form learned many years ago to build security features into their wiring procedures.
“Best practice is to always verbally confirm with the original contact before making any changes to the originally provided wiring instructions,” Jackson said. “Many times, there can even be a pre-approved change code that both parties agree to use. This information is stored in a secure fashion by both parties and should not be communicated over the internet.”
Another approach, Jackson said, is to have security questions that must be answered before the original wiring instructions can be modified.
The Florida Bar Practice Resource Institute (PRI) posts tips and links to other resources for Florida Bar members to use to protect themselves from fraud and their computers from malware on its webpage at pri.floridabar.org. The information on the PRI webpage is updated frequently with additional resources related to cybersecurity.
The FBI refers to these scams as business email compromise (BEC), a growing financial fraud that is more sophisticated than any similar scam the FBI has seen before and one — in its various forms — that has resulted in actual and attempted losses of more than $1 billion to businesses worldwide.
“BEC is a serious threat on a global scale,” said FBI Special Agent Maxwell Marker, who oversees the Bureau’s Transnational Organized Crime–Eastern Hemisphere Section in the Criminal Investigative Division. “It’s a prime example of organized crime groups engaging in large-scale, computer-enabled fraud, and the losses are staggering.”
Since the FBI’s Internet Crime Complaint Center began tracking BEC scams in late 2013, it has compiled statistics on more than 7,000 U.S. companies that have been victimized — with total dollar losses exceeding $740 million, according to an FBI alert. That doesn’t include victims outside the U.S. and unreported losses.
According to the FBI, since the beginning of 2015, there has been a 270 percent increase in identified BEC victims.
“They know how to perpetuate the scam without raising suspicions,” Marker said. “They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these emails having horrible grammar and being easily identified are largely behind us.”
If you have been victimized by a BEC scam, the FBI says it is important to act quickly. Contact your financial institution immediately and request that they contact the financial institution where the fraudulent transfer was sent. Next, call the FBI and file a complaint — regardless of dollar loss.