It used to be that banks only had to worry about old-fashioned robbers with a mask and a gun. Today’s sophisticated network hackers are an entirely different adversary for banks and their customers. Despite increased attention and preventive measures, the compromise of business email and related wire transfer fraud cost Americans over $1.8 billion in 2020, according to FBI estimates. Considering that wire transfer fraud is often underreported, the losses are obviously significant, and even sophisticated businesses are getting scammed.
Typically, a fraudster hacks into a company’s network and determines its wiring habits and processes. The fraudster then impersonates the owner or a senior executive and sends wire instructions to the company’s bank that resemble what has been done before. Fraudsters even capture the executive’s own cursive signature from other scanned documents and electronically place it on wire transfer instructions. Often, the hacker also tracks the executive’s travel plans so that the fraud is initiated while the executive is out of the office. Having received what looks like a legitimate transfer request, the company’s bank then wires the money to the fraudster’s bank, usually overseas, where it is typically withdrawn immediately.
Is the bank liable to its customer? Maybe. The Uniform Commercial Code provides generally that banks bear the risk for fraudulent payments but that the risk can be avoided if “commercially reasonable” security procedures have been implemented. Whether something is “commercially reasonable” depends on the facts of each case, but the standard can usually be met by entering into a wire transfer agreement with the customer that specifically states what is required to authorize the bank to send a wire on the customer’s behalf. Banks should then follow the agreed-upon procedures to the letter.
Both banks and customers should also:
- Verify. Always verify information, even from trusted sources.
- Use verification calls. Use independently verified phone numbers to confirm wire instructions verbally. Do not rely on email alone or trust information in an email. In most cases, a simple phone call could have uncovered the fraud.
- Be suspicious. Question any wire transfer going to a location different from the party receiving the funds.
- Train employees. Train employees to identify signs of fraudulent emails, such as variations in addresses.
- Report immediately. When a fraudulent wire is discovered, report it immediately through clearing banks and to the FBI. Although rare, it is sometimes possible to catch the funds before they are gone forever.
* This article first appeared in The Journal Record on November 10, 2021, and is reproduced with permission from the publisher.