In the event of wire fraud in financial services, who is actually liable?
We’re not talking about sending $20 to the wrong PayPal person for last Friday’s pizza – these transactions are in the millions.
If you work in the private capital markets, finding out that funds were mistakenly wired to the wrong hands is your worst nightmare – and understandably so. We’re not talking about sending $20 to the wrong PayPal person for last Friday’s pizza – these transactions are in the millions and are only increasing. In fact, financial transactions in the private capital markets have been steadily increasing in both size and frequency, making it the ideal target for impersonation fraud.
But in the unfortunate event of fraud, who is to blame? That question is far more complicated to answer.
Despite society’s massive strides in technology, email surprisingly still prevails when it comes to financial communications, including the sharing of account numbers and routing numbers. Through this lens, it’s easy to understand why wire transfer fraud has become so prominent in recent years.
While ransomware and data breaches command the headlines, impersonation remains one of the most prolific forms of fraud. In the U.S., cybercriminals have stolen billions of dollars from participants in M&A and real estate transactions, customers of financial institutions, investors, law firms, and other high-value targets. In fact, the FBI noted in their most recent Internet Crime Report that impersonator fraud has become the costliest type of cyber-attack, with more than 19,000 complaints last year claiming a total adjusted loss of approximately $1.8 Billion.
Listening to our clients’ stories, you can understand how easily even trained professionals can get taken advantage of. One client shared a story in which they had been on vacation for several weeks, and unbeknownst to them, a fraudster had gained access to their email account. The fraudster remained hidden and observed emails for a long period of time, studying the client’s way of communicating with colleagues and clients. When on holiday, the fraudster sprang into action, impersonating the client (who was in a senior position) and advising his subordinate to complete a transaction for him while he was out.
The impersonator had studied the client’s communication so well, there was no doubt in the mind of the subordinate that it was his boss. Before completing the transaction, the client’s bank noticed something fishy and called to verify the transfer, at which point the fraud was detected and averted – saving the client hundreds of thousands of dollars in potential losses.
This client was extremely lucky. They had a close relationship with their bank and the bank proactively flagged a concern – yet it is not the bank’s responsibility to verify these transactions. What’s worse is that tracking the hacker is nearly impossible. Once the wire is complete, the scammer disappears with the money, leaving the payee and payor short-handed. Additionally, this window of time for a wire transfer to be reversed is very limited – under 72 hours in most cases.
If a GP has been compromised and an LP transfers them funds, the LP sees it as something out of their hands. Conversely, if the LP becomes compromised, the GP is still awaiting the funds they were relying on to carry out their investments.
What many in the private capital markets may be surprised to find out, is that there is very limited protection for this kind of fraud, and only a very few insurers exist that cover this steadily increasing level of cyber-fraud. To date, ‘protection’ for this type of fraud has relied on best practices, which means training and trusting employees to protect themselves. Yet this is not the strongest form of protection. Despite their best intentions, humans make errors, and can be deceived. Which is why impersonator fraud is the number one risk to transactions in the private capital markets. It’s enough to make many long for the days of snail mail and the good old fax machine – when wire fraud posed a significantly smaller threat.
Yet the solution is simpler than you might think.
While best practices are important, they cannot be relied upon as the sole form of defense. Technology exists to help private equity firms, law firms, investment banks, and real estate professionals minimize the risk of losing significant amounts of capital through wire fraud. The best way to protect against this type of fraud is to remove the responsibility from the human altogether and require easily available and indisputable digital credentials to complete a transaction.
When it comes to making a transaction, we all have a face, a government issued ID, and a mobile phone number. While a fraudster may gain access to one, the likelihood of stealing your facial identity is incredibly low. This multi-factor biometric-led approach ensures participants in a transaction are in fact who they say they are and significantly prevents the threat of wire fraud. In addition, it’s more convenient than the time-consuming call back verification process and leaves a clear audit trail that the verification has been done.
Preventing wire fraud should not require learning new systems or changing workflows. Multi-factor authentication and biometric verification can be integrated into existing systems so that financial firms can quickly and easily implement security measures without having to change their workflow. When all parties involved in a financial transaction can verify their identity with facial recognition, government-issued IDs, mobile phones, and other forms of biometric verification, it eliminates the potential for cybercriminals to access routing instructions.
Perhaps surprisingly – these security checks are actually easier for users than the status quo of complicated and often weak passwords. If all participants in the private markets could adopt these simple measures, we might just have a chance of making wire fraud a thing of the past.
Brian Twibell is co-founder and CEO of WireSecure.