Be very wary of emails from hacked accounts requesting transfers of funds. We've recently seen two phishing scams that resulted in fraudulent client fund transfers. While the amounts are typically not large (under $50,000), in both cases there were multiple transfers. The losses are different, but the claims are essentially identical.

Each of our insureds received an email requesting a transfer of funds, and in both cases the email asked that monies be wire transferred from the client's account to a Wells Fargo account. These fraudulent emails included significant identifiable personal details and signatures on faked transfer forms. The signatures were checked against signatures from other valid transfers and determined to be authentic -- or so they thought.

In one case the bank asked for a phone number to verify the transfer because the transfer form was slightly hard to read (red flag). An email was sent to the hacked account requesting a cell number to verify the transfer. In an email response the sender asked if they could call the bank to verify instead, and this was allowed: the caller had the correct banking information, social security number and other personal identifying details, which was enough to convince the bank to move forward and transfer the funds.

Both of our insureds' clients have asked to be made whole, and we are in the process of determining the liability associated with each claim. With one of these claims, the bank clearly has some liability, as it did not follow proper protocol and allowed a deviation from its standards by accepting a "call in" as opposed to the "bank calling out." (Side note: both of these clients are longstanding, very profitable accounts, and our insureds are trying to mitigate damages to maintain the relationship.)

OK, now that you have read the claim summary, what's next? Your office needs to take steps to reduce your liability while protecting and safeguarding your clients' bank accounts.
Here are several steps that you should incorporate into your due diligence internal controls:
By incorporating these preventative measures, you could thwart criminal fraud, and you will be building your defense should a fraud occur. See www.naplia.com/cyber for more Information Security & Data Privacy Liability resources, and contact NAPLIA to discuss your information security liability today.
Stephen Vono Partner & COO SteveV@naplia.com | 508-656-1330