Wire Transfer Fraud: It Could Happen to You

In August, my colleague Nidhi Rao discussed a deceptive breed of phishing scheme that is becoming commonplace in the nonprofit sector. In fact, such schemes have become so routine, the scenario below may seem familiar:

An employee—we’ll call her Jessica—was out of town when the she received an urgent request from her company’s Chief Executive Officer—Scott—to send a wire transfer to a vendor in Hong Kong. She read the email on her cell phone and quickly replied that she would handle it as soon as she could get to her laptop to connect to the bank’s website. When Jessica asked for the vendor’s invoice, Scott replied that he would provide it later in the week when he got back to the office. Jessica initiated the wire transfer with the bank for $154,290.

The following day, while in her office, Jessica received a second email from Scott requesting another wire transfer to the same vendor in Hong Kong for a similar amount to the pay the balance of the invoice. Once again, Jessica initiated the wire transfer.

A week later, Jessica followed up with Scott in the office to get the invoices supporting the two wires she sent the week prior. Scott was confused by Jessica’s questions, as he was unaware of the invoices or the wire transfers. He escalated his concern to the Company’s Board of Directors, who immediately launched an internal investigation. The Board wanted to know exactly what happened. Were employees willing participants? Were similar disbursements made in the past? How could the company prevent this in the future?

In recent years, there has been a global surge in fraud schemes designed to trick companies into sending wire transfers to bank accounts set up for this fraudulent purpose, often in another country.

6 crucial investigation steps 
When learning about a scheme of this type, an organization should work with a seasoned investigative team and follow the steps below to quickly identify and remediate the fraud.

1. Preserve and Plan
Early in an investigation it is critical to identify sources of potentially relevant data. Relevant sources often include computers, email messages and attachments, mobile devices, network files and logs, as well as various accounting records. Once the sources of information are identified, developing a preservation and analysis plan, including proper “chain of custody” procedures must be established. Make certain that evidence is properly preserved to maintain its integrity, and defensibility.

2. Interview
A fraudster’s strategy relies upon human error and employee fallibility. An investigative team must understand the level of employee participation, if any, in the scam. Interviews of company employees are often conducted to determine whether an employee was a witness, victim or should be the subject of an investigation. Background checks, or investigative due diligence are often conducted to determine if there are other factors that might influence decisions made by employees. An investigation should include a review of a company’s internal controls, especially those processes associated with executing wire transfers. Collaborating with counsel to address legal concerns involving employees, privilege issues or whistleblower matters is also prudent.

3. Analyze
Analyzing the following data points is key:
  • Wire transfer activity and related accounting records
  • Email messages and attachments
  • Network files
  • Mobile devices
  • Computers and hard drives
  • Phone records
  • Network logs and/or traffic
  • Internet research related to domain registration
  • Policies and procedures related to disbursements
An investigation should also rule out possible malware or other malicious software that may have resulted in an unauthorized intrusion.

4. Communicate
Communication with the relevant board members is essential, including regular updates about the investigative approach and findings. While employees may be stressed throughout the course of an investigation, board members will be keen on finding answers – particularly about the internal controls environment and understanding the security measures surrounding their funds.

5. Recover
How much effort is warranted to recover funds lost in a fraudulent wire transfer? Fraudsters have become adept at disguising ownership of email addresses (domains) and bank accounts, especially those residing in foreign jurisdictions. An organization should determine if insurance coverage, under fidelity bond or computer crime polices for this type of event may be a better option than recovery efforts. A report can also be filed with the Federal Bureau of Investigation to be considered among the growing number of reports filed each year by companies that are similarly defrauded.

6. Remediate and Prevent
In the scenario above, while there was no indication that the wire transfer fraud was perpetrated by insiders, several internal control deficiencies contributed to the financial loss sustained by the company. In order to prevent a recurrence, it is important to uncover what happened, determine who was involved, identify the potential for recovery and create a remediation plan to mitigate similar fraud events in the future. Successful remediation plans close gaps in the controls’ environment, employ monitoring tools to detect intrusion and include training and education programs.