Businesses are increasingly falling victim to wire fraud scams – sometimes referred to as “man-in-the-email” or “business email compromise” scams. Although there are multiple variants, a common situation involves an attacker gaining access to the email system of a company, or the company’s vendor, and monitoring email traffic about an upcoming transaction. When it comes time to submit an invoice or a payment, the attacker impersonates one of the parties and sends wire instructions asking that payment be sent to the attacker’s bank account.
Wire fraud scams often victimize two businesses – the business that expected to receive payment, and the business that thought they had made payment. The scam can cause significant contractual disputes between the victims as to who should bear the loss.
Steps to help avoid wire fraud scams:
1. Avoid free web-based email systems to transact business.
2. Enable multi-factor authentication to log into all email systems.
3. Require employees to select unique and strong passwords or passphrases.
4. Require employees to change email passwords frequently.
5. Require multi-factor authentication (e.g., email and telephone call) when receiving initial payment information.
6. Require multi-factor authentication when receiving a request to change payment information.
7. Send a confirmatory letter or email (not using the “reply” feature in email) concerning any request to change payment information.
8. Delay payment in connection with any request to change payment accounts or a request to make payment to a foreign bank account.
9. Review any request received by email to change payment accounts for signs that the email may be from a third party.
10. Provide clear instructions to business partners concerning how payment information should be communicated.
If you are victimized by wire fraud, consider:
1. Notifying the receiving bank and request that a freeze be placed on any remaining funds.
2. Notifying law enforcement.
3. Investigating whether your email system may have been compromised.
4. Asking business partners to investigate whether their email systems may have been compromised.
The following provides snapshot information concerning wire transfer fraud.
The number of businesses victimized by wire transfer fraud.1
The amount of money lost in the US due to wire transfer fraud.2
Percentage of businesses that were the subject of attempted or actual wire transfer fraud.3
 Federal Bureau of Investigation, Alert No. I-082715a-PSA (August 27, 2015), http://www.ic3.gov/media/2015/150827-1.aspx#fn2 (time period for reporting 10/1/2013 – 8/1/2015).
 Association for Financial Professionals, 2014 AFP Payments Fraud and Control Survey Report of Survey Results, 6 (Apr. 2014), http://www.regions.com/virtualdocuments/2014_AFP_Payments_Fraud_Survey.pdf.