By: Amy Small, Senior Vice President and Executive Director of Institutional Custody at UMB Bank
Alternatives managers spend significant time and effort complying with rules designed to limit investor fraud. They also need to protect their own businesses against fraud.
Wire fraud is a particular danger that needs constant vigilance, whether your own team is executing wires or your team is giving instructions to a custodian to settle transactions. Real estate deals, private equity subscriptions, capital calls and global securities purchases all require special handholding to keep information safe and to settle transactions in a timely manner.
More than 80 percent of financial professionals in the U.S. reported their organizations were targets of fraud, according to the Association for Financial Professionals’ latest survey on payments fraud and controls.
Even more troubling, more than half of all organizations covered by the survey said they have experienced actual financial losses as a result of successful business email compromise schemes.
Nearly everyone is familiar with the term phishing. As commonly defined, phishing is sending an online message falsely claiming to be someone else, often including a request that the recipient take a detrimental action like downloading a malicious attachment or clicking a fraudulent link. Upon clicking or downloading the attachment, the attacker could gain access to sensitive data like login credentials and any privileges the victim holds.
Over time, most businesspeople have learned to identify suspect links in emails. Also, email filters have gotten better at spotting and discarding emails likely sent with malicious intent. But unfortunately, perpetrators have also grown more sophisticated. A subtype of phishing that has been “professionalized” in recent years is business email compromise (BEC).
About BEC and wire transfers
Wire transfer fraud has become so prevalent that the FBI recently issued a public service announcement regarding the issue. In this announcement, the FBI noted that this type of fraud has grown by more than 100 percent each of the past three years and that firm losses in 2018 alone eclipsed $12 billion.
In BEC schemes, there typically aren’t any malicious links at all. Rather, the objective is to find a way to impersonate a trusted decision maker. One common example is perpetrators impersonating a company executive and sending an email “as” that executive requesting completion of a wire transfer.
To maximize likelihood of success, perpetrators may conduct detailed research and extensive social engineering. Following is a brief excerpt from a recent Wall Street Journal feature on the rising dangers of BECs:
Many of the schemes are operated by groups in Lagos, Nigeria, some of whom work out of office parks, said Stephen Fullington, a supervisory special agent with the New York FBI who leads a team that works on business-email compromise cases. The groups have bosses who run the schemes and use a network of people that have learned various fraud techniques, he said.
Mr. Fullington recalled interviewing a Nigerian involved in an email scam. “He said, ‘You know how you guys play baseball when you are growing up? Here many of us learn fraud,’” Mr. Fullington said.
Gone are the days when a sloppily formatted email, not to mention an outlandish request from a “Nigerian prince,” was obviously fraudulent.
“Now the actors involved are a lot more sophisticated, and share intelligence and organized networks,” according to Michael Driscoll, special agent in charge of the cyber-and-counterintelligence division of the FBI’s New York office, as reported by the Wall Street Journal.
Could a wire transfer request “from you” be carried out?
Say a malicious actor has hacked your email and sent a request to your finance team to please wire funds to an existing partner of yours, as the timetable on the transaction has been moved up and you’d like to have the transaction completed prior to the next closing date. The amount requested for transfer is in line with other payments related to this investment or security.
Furthermore, say that “you” let your finance team know that you just received and are passing along new bank account details for the investment, which, says your email, has changed for a plausible reason.
How certain are you that this wire transfer request won’t be fulfilled? After all, it’s coming from your actual email address (no spoofing involved), includes no suspicious links and asks to pay an existing firm that you may well have discussed recently with these very finance professionals.
What you can do to stay protected
Following are basic protective measures to help your organization avoid financial losses to scams of this kind.
- Establish predefined payment instructions; never vary from those patterns unless changes are thoroughly verified.
- Strictly limit the number of employees in your organization who have the authority to approve and/or conduct wire transfers.
- Establish a protocol by which wire transfer requests sent by email are always validated by some other channel of communication or through multi-factor authentication.
- Always verbally confirm any changes in payment instructions for a vendor using contact data on record that does not come from the email. Maintain a non-electronic list of contacts at these vendors who you know to be authorized to approve wire instruction change requests.
- Whenever contacted by a bank to verify the wire transfer, delay the transaction until additional verifications can be performed.
- Require dual approval for any wire transfer request involving:
  - A dollar amount over a specific threshold
  - Trading partners who have not been previously added to a list of approved trading partners to receive wire payments
  - Any new trading partners
  - New bank and/or account numbers for current trading partners
  - Wire transfers to countries outside of the normal trading patterns
- Educate your employees on BEC and the steps they can take to minimize risk
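The dual-approval triggers and the out-of-band validation rule above can be encoded as a pre-release check in a payments workflow. The following is an added example, not code from UMB or the original article; the threshold, country set, partner name, account strings and all function and field names are hypothetical.

```python
from dataclasses import dataclass

# Constructed policy data: every value here is an assumption for illustration.
THRESHOLD_USD = 50_000                     # hypothetical dual-approval threshold
NORMAL_COUNTRIES = {"US", "CA"}            # hypothetical normal trading pattern
APPROVED_PARTNERS = {                      # partner -> accounts on record
    "Example Capital LP": {"000000001:1111111111"},
}

@dataclass
class WireRequest:
    partner: str
    amount_usd: float
    account: str                  # "routing:account" as given in the request
    country: str
    channel: str                  # how the request arrived, e.g. "email"
    verified_out_of_band: bool = False   # call-back using contact data on record

def dual_approval_reasons(req):
    """Return the dual-approval triggers from the list above that apply."""
    reasons = []
    on_record = APPROVED_PARTNERS.get(req.partner)
    if req.amount_usd > THRESHOLD_USD:
        reasons.append("amount over threshold")
    if on_record is None:
        reasons.append("new or unapproved trading partner")
    elif req.account not in on_record:
        reasons.append("new bank/account number for current partner")
    if req.country not in NORMAL_COUNTRIES:
        reasons.append("country outside normal trading pattern")
    return reasons

def decide(req):
    """Return (decision, reasons): HOLD, DUAL_APPROVAL or SINGLE_APPROVAL."""
    reasons = dual_approval_reasons(req)
    on_record = APPROVED_PARTNERS.get(req.partner, set())
    instructions_changed = req.account not in on_record
    # Emailed requests and changed instructions wait for out-of-band validation.
    if (req.channel == "email" or instructions_changed) and not req.verified_out_of_band:
        return "HOLD", reasons
    return ("DUAL_APPROVAL" if reasons else "SINGLE_APPROVAL"), reasons

# The scenario described earlier: real mailbox, known partner, typical amount,
# but "new" bank details. Constructed sample values.
bec = WireRequest("Example Capital LP", 25_000, "000000002:2222222222", "US", "email")
```

Calling `decide(bec)` holds the request on the changed account number alone, even though the sender address, partner and amount all look routine.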
Finally, bank with partners you know. The bank payments team serving your organization should be familiar with your business and its normal patterns. That familiarity, together with diligent awareness and sophisticated fraud warning systems, helps protect you from a serious, rising threat.
UMB is among the nation’s leading institutional custodians. Our team offers a complete range of domestic and global custody services with a high-touch service model. Visit umb.com to learn how we can support your firm’s institutional custody needs, or contact us to be connected with a custody team member.
UMB is a sponsor of The DI Wire, and the article was published as part of their standard directory sponsorship package.