How Wire Fraud Starts

Criminals begin the wire fraud process way before the attempted theft occurs. Most often, they begin with a common social engineering technique called phishing. This can take the form of email messages, website forms or phone calls to fraudulently obtain private information. Through seemingly innocuous communication, criminals trick users into inputting their information or clicking a link that allows hackers to steal login and password information.

Phishing emails might appear to come from a legitimate business or recognized user. Spear phishing is a more targeted email attack sent to a select number of users, while a whaling attack, also known as Business Email Compromise (BEC), is a more targeted variation of spear phishing aimed at high-profile executives or personnel who manage wire transfers. According to the latest Association for Financial Professionals’ Payments Fraud and Control Survey, a majority of finance professionals (64 percent) reports that their organizations were exposed to BEC in 2015. The FBI’s Internet Crime Complaint Center reports that “the BEC scam continues to grow, evolve and target businesses of all sizes.” Since January 2015, there has been a 1,300 percent increase in identified losses, now totaling over $3 billion.

The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on email alone.

Martin Licciardo, a special agent in the FBI’s Washington Field Office, said the best way to avoid getting ripped off is to verify the authenticity of requests by speaking to people directly.

“The ability of these criminal groups to compromise legitimate business e-mail accounts is staggering,” he said. “They are experts at deception.”

It is disconcerting that, in spite of safeguards being implemented, criminals are still making headway with BEC scams. The significant increase in wire fraud also suggests that BEC fraud may be more difficult to prevent than was previously believed.

Once hackers gain access to an email account, they will monitor messages to find someone in the process of buying a home. Hacks can come from various parties involved in a transaction, including real estate agents, title companies, attorneys or consumers. Criminals then use the stolen information to email fraudulent wire transfer instructions dressed up to appear as if they came from the victim. To this end, criminals will use either the victim’s actual email account (which they may actually control) or create a fake email account resembling the victim’s email.

“We all want to avoid the scenario where the buyer’s funds are sent to a fake account and are unrecoverable,” said Bill Burding, a member of ALTA’s Information Security Committee and general counsel for Orange Coast Title Co. “One of the key indications of any wire fraud scam is the sense of urgency. These tend to come from someone of authority to the person who is responsible for wiring funds within the organization. This is when it’s imperative to slow down and make sure policies for handling wire instructions are followed to a T.”

Over the past few years, there’s been a lot of discussion and training over the past few years about preventing outbound wires from being intercepted. According to Christopher Hacker, chief product officer at ShortTrack, criminals are now targeting the “inbound wire” of cash to close sent by the buyer.

“Unfortunately, again and again, we hear leaders of title agencies say they’re handling all of the wire diversion and fraud issues with the controls for outbound wires,” Hacker said. “The bad actor sits and waits for the wire instructions to show up in the buyer’s inbox, downloads them, deletes the message with the accurate document and resends updated wire instructions either from a spoofed account of the title company or from the compromised account of the real estate agent.”

Wire Fraud Red Flags

Title and settlement companies can protect themselves by increasing staff awareness of these scams. According to the FBI, businesses that deploy robust internal prevention techniques at all levels (especially training front-line employees who may be targeted by initial phishing attempts), have proven highly successful in recognizing and deflecting email scam attempts. Some financial institutions reported holding their customer requests for international wire transfers for an additional period of time, to verify the legitimacy of those requests. Here are some red flags:

  • A customer’s seemingly legitimate emailed transaction instructions contain different language, timing, and amounts than previously verified and authentic transaction instructions.
  • Transaction instructions originate from an email account closely resembling a known customer’s email account; however, the email address has been slightly altered by adding, changing, or deleting one or more characters. For example:
    • Legitimate email address:
    • Fraudulent email addresses: or
  • Emailed transaction instructions direct payment to a known beneficiary; however, the beneficiary’s account information is different from what was previously used.
  • Emailed transaction instructions direct wire transfers to a foreign bank account that has been documented in customer complaints as the destination of fraudulent transactions. Emailed transaction instructions direct payment to a beneficiary with which the customer has no payment history or documented business relationship, and the payment is in an amount similar to or in excess of payments sent to beneficiaries whom the customer has historically paid.
  • Emailed transaction instructions include markings, assertions, or language designating the transaction request as “Urgent,” “Secret,” or “Confidential.” Emailed transaction instructions are delivered in a way that would give the financial institution limited time or opportunity to confirm the authenticity of the requested transaction.
  • Emailed transaction instructions originate from a customer’s employee who is a newly authorized person on the account or is an authorized person who has not previously sent wire transfer instructions.
  • A customer’s employee or representative emails a financial institution transaction instructions on behalf of the customer that are based exclusively on email communications originating from executives, attorneys or their designees. However, the customer’s employee or representative indicates he/she has been unable to verify the transactions with such executives, attorneys or designees.
  • A customer emails transaction requests for additional payments immediately following a successful payment to an account not previously used by the customer to pay its suppliers/vendors. Such behavior may be consistent with a criminal attempting to issue additional unauthorized payments upon learning that a fraudulent payment was successful.
  • A wire transfer is received for credit into an account, however, the wire transfer names a beneficiary that is not the account holder of record. This may reflect instances where a victim unwittingly sends wire transfers to a new account number, provided by a criminal impersonating a known supplier/vendor, while thinking the new account belongs to the known supplier/vendor. This red flag may be seen by financial institutions receiving wire transfers sent by another financial institution as the result of email-compromise fraud.

ALTA’s Title Insurance and Settlement Company Best Practices details policies and procedures title and settlement companies should follow to protect money and non-public personal information (NPI).

Gregory McDonald, chief executive officer of Cloudstar Corp., said educating all parties involved in the transaction is vital, and keeping wiring instructions on paper is the best solution.

“Title companies should talk to their customers after a deal comes in, and during the process, and let them know that nobody will email changes to wiring instructions,” McDonald said. “This is a human problem that cannot be resolved by technology. No fancy lock—no matter how high tech—will stop a thief that identifies themselves as a police officer when knocking on your front door.”

Companies should use fraudulent emails as a reminder to update security practices and as a staff training opportunity. Criminal organizations that perpetrate these frauds are continually honing their techniques to exploit unsuspecting victims, which makes constant awareness and education a necessity.

“Data security isn’t just a one-and-done checklist as threats are ever-evolving, so defenses need to be nimble,” said Jack Rattikin III, president and chief executive officer of Texas-based Rattikin Title Company. “My company has yet to lose any money due to wire fraud—knock on wood—but we receive these wire fraud attempts several times a month. Make sure your employees ask questions. There are no stupid questions when it involves money.”