1 July 2025

Wire Transfer Fraud: Prevention And Response Strategies After A Data Breach (Podcast)

Ogletree, Deakins, Nash, Smoak & Stewart

Contributor

Ogletree Deakins is a labor and employment law firm representing management in all types of employment-related legal matters. Ogletree Deakins has more than 850 attorneys located in 53 offices across the United States and in Europe, Canada, and Mexico. The firm represents a range of clients, from small businesses to Fortune 50 companies.

In this podcast, Harris Freier (shareholder, Morristown) and Lauren Watson (associate, Raleigh) discuss the growing issue of misdirected wire transfers tied to data breaches. Lauren and Harris begin by addressing social engineering and phishing, and how these types of business email compromise scams by cybercriminals occur. The speakers also review the importance of having an incident response plan, the legal obligations for breach notifications, and strategies for recovering misdirected funds, emphasizing the need for swift action and thorough verification processes to prevent future incidents.

Transcript

Announcer: Welcome to the Ogletree Deakins podcast, where we provide listeners with brief discussions about important workplace legal issues. Our podcasts are for informational purposes only and should not be construed as legal advice. You can subscribe through your favorite podcast service. Please consider rating this podcast so we can get your feedback and improve our programs. Please enjoy the podcast.

Lauren Watson: Hi, I'm Lauren Watson. I'm an attorney in the Raleigh office of Ogletree Deakins and a member of the firm's Cybersecurity and Privacy Practice Group. I'm joined by my colleague, Harris Freier, who is a shareholder in the Morristown, New Jersey, office. Today, we're going to talk about a scary but increasingly common issue: misdirected wire transfers tied to data breaches. So, Harris, a company experiences a data breach. Shortly after, one of their vendors or even the company themselves sends a large wire transfer to what they later learn is a fraudulent account. How does this usually happen?

Harris Freier: Thanks, Lauren. This usually happens based on what's called "business email compromise scams," and what happens is it's usually what's called social engineering or phishing, and cyber criminals will send an email message that appears to come from a known source, making a legitimate request. The messages are usually convincing and are difficult, if not impossible, to discern from the real thing. For instance, in a wire fraud example, if we're talking about a real estate company that needs to pay money for the closing of a property, if their email system's been compromised, they would get what looks like an authentic email from someone with whom they've been doing business. Now, the email itself, if one looks closely enough, it's actually not the right email address, but it often just has one or two letters off, and the actual email will be requesting something that is in line with the transaction.
So, if there was supposed to be a million-dollar wire transfer to a Bank of America account on a certain date for a certain property, everything in the email will be the same. The correct property will be listed, and the correct contact information for everyone will be listed. The correct dollar amount will be listed. And what normally happens in these cases is that it is the bank account that is different, and a different account number. But normally the issue is that you have these professionals do so many of these transactions that they know what property they're buying, they know the date, they know the dollar amount, they know who they're dealing with, but they're not normally focusing on or memorizing in advance what they're supposed to be wiring the money to. So, if it looks like it's a legitimate bank, they're wiring the money even though it turns out that this has been a fraudulent account set up.

Lauren Watson: And I think that's one of the things that makes this so difficult to catch, right? When you're dealing with a phishing scam, what, to your earlier point, so often happens is there is an email that looks like a perfectly legitimate email. It may even, at first glance, look like it's coming from one of your vendors or some other organization that you work with very regularly. But if you look really, really closely, it will be one letter or number off. Instead of an I, they'll have a lowercase L so that at first glance, you're really not going to catch it. I'd say another situation where we're seeing this type of tricky email issue come up a lot is with fraudulent employees.
More and more I think clients are receiving what looked to be completely legitimate applications, but they're coming from individuals who maybe have an email address that looks kind of like you might expect to see with a phishing scam where someone is using part of the last name and then a nickname for the first name and then a series of numbers or letters. But as you look into it a little bit further, it becomes quite clear that this isn't really legitimate. So, we're seeing this more and more, and I think that's one of the things that's very important for businesses to look for. Don't just take for granted that you have received a communication from someone that you can trust. You kind of have to question everything.

Harris Freier: Yeah, and I think one thing people don't realize is that the phishing email is only one part of the scam and the fraud, while you still sometimes have the instance where your employee gives out their password because they think it's a legitimate request and suddenly their email is frozen and they're getting these messages that they have to pay Bitcoin to unfreeze, a lot of these fraudsters are much more sophisticated these days. So, once they get access, they're doing something far more devious and time-consuming, which is how the wire frauds that we work on where large amounts of money are transferred, this process can take months by the fraudsters to, once they've infiltrated the emails, they're then going through every single email relevant so that they can try to mimic the transaction as best as possible. So oftentimes, the business does not even really know when, in fact, they were first infiltrated. They don't know it until the adverse action takes place, and the adverse action can actually take place months later.

Lauren Watson: And that's so difficult. And when they do find out, ideally, they've got an incident response plan in place that they're able to turn to and to execute against, something that'll tell them, this is who you call when you suspect that this has happened. This is who your first point of contact convenes for, sort of, an incident response team. And these are the specific roles that each person on that team is going to play, whether it's legal is going to perform an initial assessment and loop in outside counsel, whether it's your HR department is going to handle some communications with your employees. Ideally, you've got that in place. But Harris, I understand that there are also some responsibilities that the company has once they discover that there may have been a misdirected wire transfer associated with the data incident, and maybe even some opportunities for them to claw back that money that may have been improperly directed. Can you tell me a little bit more about that?

Harris Freier: Sure. Well, in any breach, if personally identifiable information is disclosed, the business, depending on the state or country at issue, usually has a duty to notify victims that their information has been compromised. So, each state has different criteria. There's no federal law in the US as to what constitutes a data breach, generally. There are some specific industries that have regulations, such as healthcare and banking, but there's not something general that applies to all businesses. But every state has their own rules and regulations, and normally, things like social security numbers, driver's license ID numbers, and certain financial information, if any of that is disclosed of a customer or an employee, then the business has a duty to notify those involved. And depending on the state, they may have to offer certain credit reporting services, and they may have to report to the state agency in question. So, that's all in terms of breach notifications that they're required to do.
We also work a lot, though, in terms of not just the breach notifications, but in terms of actually trying to get the money back. And oftentimes, you have to act as quickly as possible because once the money leaves the United States, it's normally impossible to ever get back. So, there's certain steps that really should be taken. The very first step is to have the business's bank do a stop payment and a reversal request on any funds that were wired to the wrong account. So that's the very first thing that has to be done. After that, there are a series of steps that can be done to try to get the money back because oftentimes by the time the business realizes that they have wired to the wrong account, the money is no longer in the wrong account that it's been wired to.

Lauren Watson: And is there a way to trace that money, once it leaves the account, I mean?

Harris Freier: Yeah, there is. Normally what we do is we file lawsuits against fictitious parties and in every state in the U.S. and in the federal or government federal lawsuits as well, you can file complaints against anonymous parties. So, they're called John Doe or Jane Doe lawsuits. And the reason it's anonymous is the company almost never knows who the cyber criminals are, so there's no identifiable person to sue. Once you file against the fictitious parties, you then have the right in any state or federal court to send out subpoenas. And what you do is you subpoena the banks where the money went to. The first, where the money actually went to the wrong account, you would normally subpoena that bank to get records.
From that bank, the money normally goes to five or six other banks, so you just have to keep going down the line to try to trace where the money has gone. But due to privacy and legal obligations, the banks themselves will not simply provide that information absent some type of legal process, such as a subpoena. So, it really does require bringing these fictitious lawsuits and subpoenaing the banks to try to see where the money went.

Lauren Watson: Got you. That makes a lot of sense. Frankly, it sounds like what I think we all know, that once this does happen, it's very complex trying to sort of unwind the issue once the money has gone out. Are there some things that you'd recommend that businesses do in terms of preventative measures to protect themselves from future issues and future liability relating to these misdirected wire transfers? I mean, we've already talked about carefully evaluating the emails that you received from vendors and other parties to make sure that they are actually coming from who you think they're coming from. But what else do you recommend people do?

Harris Freier: Well, certainly, and this happens much more with businesses, especially with very large wire transfers. Consumers, for the most part, if you're working with a reputable real estate broker, consumers normally are more protected than they used to be in terms of wire transfers, but there really aren't that many protections for require protections for businesses. So, the business really, if they're wiring money, you have to actually call the person who you're wiring money to and authenticate the account where you're supposed to wire it to. And you never want to rely on the contact information in an email that says who the email's from and who to call if there are issues. Because if it's a fraudulent email, that phone number and email are the fraudster's email and phone number. So, you want to just do a search for the closing agent in question or whoever you're supposed to be sending money to verify and get an independent phone number and an independent email.
And from there, double-check before you send any money to where it's supposed to actually go. I think that there is...businesses also should be training their employees on how to avoid these phishing attempts, and not to click on unsolicited emails, and always scrutinize the actual email address and the URL, and any emails. I think most of us get lots of scam text messages these days requesting money. And if you look at them, you can tell it's from a fraudulent number or email if you look closely enough. But many times, especially very large organizations have thousands and thousands of employees, and all it takes is one of them to give out their Microsoft Outlook password for the whole email system to become compromised.

Lauren Watson: And I think that's a really important point. And I think additionally, there are some things that people can do in terms of making it harder for the bad guys to get into their email systems, making sure that things are properly encrypted when they're being transmitted and when they're being stored. That can go a long way as can implementing multifactor authentication, that's not the silver bullet that we thought it was a few years back, but MFA is, I think at this point, it's frankly industry standard and businesses that do not have MFA in place really across their systems need to be strongly considering their options for getting that implemented. Now, I understand that there are also some sort of dual approval protocols for wire transfers. Do you recommend that clients take additional approval protocol steps beyond just verifying wiring instructions?

Harris Freier: Yeah, I think especially anyone wiring large amounts of money should really take as many additional protocols as possible. And the law in terms of banks has lately been going the way that a bank's legal obligation is somewhat limited if the bank correctly sends the wire to the account you direct it to. So, one of the...there's been litigation over what's the bank's responsibility, and I'd say the case law overall says responsibility is to wire the money to the correct number, correct, meaning who the customer says to wire it to, not correct as in where it's really supposed to go to. So that really puts the onus on the company that they're the ones who have to have the correct wire number, not the bank. So, as many additional steps as possible to make sure they don't wire to the wrong account number are best. And once you wire, it's unlike a check; it's going to be very difficult to ever get that money back. So, you have to be very careful on the front end.

Lauren Watson: Makes a lot of sense to me. I mean, it sounds like really investing in your training and making sure you have secure processes and a good response plan's really going to be worth every dollar.

Harris Freier: Yeah.

Lauren Watson: I think that just about wraps up our conversation here today. I want to say thank you again for joining me, and I want to invite all of our listeners to stay tuned because I think we probably have some future conversations on this topic.

Harris Freier: All right. Thanks for having me, and nice speaking with you.

Announcer: Thank you for joining us on the Ogletree Deakins podcast. You can subscribe to our podcast on Apple Podcasts or through your favorite podcast service. Please consider rating and reviewing so that we may continue to provide the content that covers your needs. And remember, the information in this podcast is for informational purposes only and is not to be construed as legal advice.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
