
Prevent Wire Transfer Fraud

ALERT: According to the FBI, wire transfer fraud could be eliminated with a simple wire transfer procedure: a phone call to the recipient and an exact-match check of the payable information.

The Laundromat is probably one of the best movies about money laundering. Based on one of the biggest financial leaks in history, the movie exposes the true nature of wealth, hidden behind front companies, no-name trusts, and offshore financial structures. The Netflix movie gives a good overview of money laundering methods, including setting up offshore companies in palm-fringed tropical island tax havens, moving money across continents with wire transfers in the blink of an eye, forging identities, and avoiding taxes.

Wire Transfers Explained

A wire transfer is an electronic transfer of funds via a network of banks and transfer service agencies around the world. Wire transfers are common for large transactions like individuals buying a home or businesses making significant purchases. A wire transfer consists of instructions about who will get the money, including the recipient’s bank account number and how much the recipient should get. Wire transfer funds are available when received, with no hold, but there are several caveats to consider:

  • Domestic wire transfers are processed the same day, usually within hours. International wire transfers can involve intermediary banks and take more than a day.
  • Wire transfers often include a flat fee like $25 and international transfers will also incur currency exchange rate fees.
  • Wire transfers cannot be cancelled, except for international wire transfers within 30 minutes.
  • FDIC insurance does not cover wire transfers that do not reach the intended beneficiary.
  • Wire transfers are often used in fraud schemes, and if you send money to the wrong person, the money is generally lost.

Wire Transfer Best Practices

WARNING: Wire transfers are NOT like using Apple Pay to buy a $2 cup of coffee.

If your company utilizes wire transfers, you must have company-wide policies designed to increase employee awareness about the prevention of wire transfer fraud that incorporate the following best practices:

  • Educate your employees with weekly data breach training, monthly phishing tests, and annual risk training.
  • Slow down, exercise intense scrutiny, and follow your company process when a request involves changes, demands immediate action, or comes from someone who is not available by phone.
  • Verify the authenticity of each wire transfer request after verifying all accounts payable information matches and by calling the person before and after the transfer using a number you have previously called — not one from the current wire transfer request.
  • Do NOT email wiring instructions. Use regular mail, phone or fax instead.
  • Scrutinize all email correspondence regarding wiring funds: who is requesting and why they are requesting.
  • Require company e-mail accounts and not public domain email accounts like gmail.com for wire transfer requests and other business purposes.
  • Use only encrypted email for correspondence of any sensitive information like purchase orders or invoices.
  • Implement dual control (2-person authorization) and segregation of duties: both people verify the information, one person receives the request for funds, and a second person then authorizes the release of funds.
  • Implement two-factor authentication for logging into your computer and business apps including email.
  • Implement a cybersecurity risk program with a minimum of annual review and update by a vetted third-party.
  • Review your business insurance policy for coverage of financial losses due to employee negligence for errors and omissions or cyber liability.
  • Know your customers, their reasons for initiating or requesting wire transfers, and their habits regarding such wire transfers.

Most importantly, before any wire transfer is initiated, stop, review and confirm that the information and the situation are consistent with your policies, and only then release funds. If there is any doubt, do NOT initiate the wire transfer.

Wire Transfer Policy and Procedures

WARNING: A different business or individual name for the recipient, often called Doing Business As (DBA), is a huge red flag of a wire transfer scam.

Note: This template is provided as a general guideline and should be customized to meet the specific needs and regulations of your organization. Consult with legal and financial experts to ensure compliance with applicable laws and industry standards.

Incredibly, many victims of wire transfer fraud and even supposed cybersecurity “gurus” don’t have a documented or practiced wire transfer process. Wire Transfer Policy and Procedures should be included in the acknowledgment of the annual Risk Exam program for employees.

Common Wire Transfer Fraud Scenarios

ALERT: According to the World Economic Forum, over 95% of breaches or disclosures of confidential information are due to human error, with less than 5% attributed to “hacking” or exploiting vulnerabilities in a computer system by cybercriminals.

Scenario 1: Business Working with Foreign Vendor

A business with a long-standing relationship with a vendor receives an email request with new wire transfer instructions to wire funds for an invoice payment. This is an example of a spoof email request; it appears very similar to a legitimate account and would take very close scrutiny to determine it was fraudulent. For example: abuttchen@vendorcompany.com vs. abuttchen@vendorcompony.com. The variation is slight, but it is easily and often overlooked. In the event that this request was received via fax or telephone, it would have closely mimicked a legitimate request. This particular scenario has also been referred to as “Invoice Modification Scheme,” “The Supplier Swindle,” or “The Bogus Invoice Scheme.”

Scenario 2: Business Executive Receiving Or Initiating A Request For A Wire Transfer

The email account of a high-level business executive (CEO, President, etc.) was compromised. In this case, the email account was spoofed or hacked. An employee responsible for processing payment requests receives a request for a wire transfer from the compromised email account. Without questioning it and without concern for bank transfer fraud protection, the employee processes the wire transfer. It is not uncommon for this employee to receive wire transfer requests from the CEO via email. In some instances, a request for a wire transfer from the compromised email account is sent directly to the financial institution with instructions to immediately send funds to another bank for “X” reason. This particular scenario has also been referred to as “CEO Fraud,” “Masquerading,” “Business Executive Scam,” or “Financial Industry Wire Frauds.”

Cautionary Tale: Wire Transfer Fraud Loss

WARNING: Only YOU can prevent wire transfer fraud by simply stopping to verify information on file and calling the recipient.

It’s an all-too-common cautionary tale. Perry, a licensed professional with the state of Kansas, receives an e-mail and calls Citibank to initiate a wire transfer of $763,897 to a vendor in Spain. His firm was new and everyone did whatever they could to help out. What he didn’t know until 45 days later was that the e-mail was fake and that he had paid scammers – and had no way to recover the money!

As a principal in the firm, Perry takes a vacation to Indonesia to think and comes up with a plan to fire an underling for the mistake and contact his lawyer for a scheme to blame his IT support. The only problem was that Multi-Factor-Authentication (MFA) or password protection had nothing to do with him initiating a wire transfer, clicking on a fake link to log in and then not reporting it, or sending unencrypted financial information across the Internet and receiving obvious fake e-mails back without reading them to make not one but multiple errant wire transfers to unintended recipients.

ALERT: Every individual is responsible for protecting data and securely performing their job duties. Neither your banker, accountant, insurance agent, lawyer, nor IT consultant is responsible for replying to your e-mail or performing your online and financial transactions.

Why would scammers risk hacking a system when they could simply send some e-mails to see if the dummy would pay them? Although the suit wasn’t immediately dismissed, the judge moved for summary judgment for the defendant after many months and depositions. It became very obvious that Perry and his lawyer created a scheme to defraud the state. In the United States, courts say the party in the best position to discover the fraud should bear the loss.

Perry breached his password without reporting it. Then breached confidential client financial information sending unencrypted e-mails. Followed by losing client funds to errant wire transfer recipients, without simply picking up the phone to call and verify the largest banking transaction he’d ever made. The State Licensure Board declared Perry a “Menace to Society” and revoked his professional license.

Today, Perry rides his bicycle to his job as a Wal-Mart greeter, the only job he can get because of his public record of low character and revoked professional license. Estranged from his family in a one-bedroom apartment in Section 8 housing, he simply bikes to Happy’s Liquor Store or Wal-Mart. It’s a cautionary tale of arrogance, ignorance, and a lack of common sense.
