Email request to wire funds and wire fraud
As part of Markel Cambridge’s value proposition to our community of brokers and policyholders, we periodically share knowledge that we hope, if utilized, will mitigate risk. These types of risks could do reputational and financial harm not only to your Firm, but also to the clients you serve. This particular risk management topic is about safeguarding clients’ records and information [See Exhibit I]. More specifically, it relates to recent attempts by hackers and thieves to deceive a Firm into believing that an email request to wire money is legitimate.
Earlier this year, we sent out a risk alert reminder to all of our policyholders and brokers showing real-life examples of wire fraud scams. Since then, we’ve discovered a few more tricks that the hackers are using, as well as some developments in how custodians are responding. Some reputable custodians are now modifying contracts to make clear their responsibility when it comes to following your Firm’s request to wire funds from your client’s account to another. The custodians are actually putting the financial responsibility back on you [See Exhibit II].
Schwab has recently sent a video directly to the advisory community pleading for more diligence when it comes to accepting a wire request. Markel Cambridge Alliance would like to reiterate that message and remind our advisory community of their role and power when it comes to approving wire requests. We’ve recently begun asking our policyholders about their procedures, and most responses have been very encouraging; however, some were not. One response stated that they do not have any procedures because they tell the custodian to wire the money. Yes, that is true, but the custodian is relying on you, as the fiduciary representative of the client, to instruct them.
Technology has made it possible for anyone with an Android or iPhone to make a phone call in which the caller ID will register a different name than the actual caller. In theory, you can download an application to your phone so when you call your spouse, it may pop up as a phone call from Barack Obama or George Bush (politically neutral).
Once hackers gain access to your customer’s email account and other private and personal information, they can increase the likelihood of you believing the scam. They will first send an email requesting that money be wired from the customer’s account to another account. You may feel this is suspicious, so you write back and encourage them to call you. When they call back, the number that pops up may have been manipulated in order to deceive you into believing it is your customer.
We suggest the following:
- Pick up the phone: Never approve the release of funds without verbal communication with your client.
- Improve Firm culture: Have a Firm procedure and culture to call back and confirm all requests using the phone number in the internal file. DO NOT use the phone number provided in the email, and be suspicious of requests to a new account, especially in a foreign jurisdiction.
- Passwords: Consider implementing procedures similar to those of your personal bank. Whenever you call in for a business transaction, they ask you a series of questions to confirm your identity.
- Best of all: Have your client call the custodian directly to request a wire transfer. Custodians are beefing up their internal procedures to combat this current threat and may have more resources to throw at this issue than most Firms.
- CCO: When in doubt, have the Firm’s CCO make the final recommendation.