On March 10, 2023, the US Federal Deposit Insurance Corporation took control of the assets of Silicon Valley Bank (SVB). In light of SVB's closure, many venture firms and emerging companies are establishing new accounts with other banks, and they are sending and receiving updates to the details of their wire transfers so they can continue to make and receive payments. This is legitimate and necessary, but many companies are targeted for fraud when engaged in this process, and it is important for companies to remain vigilant throughout.
Most businesses that regularly send and receive funds electronically have already heard about the risk of wire fraud scams in which an intruder changes wiring instructions and diverts funds to its own account. But detecting and preventing these scams — and effectively managing the situation when a scam does occur — has proven challenging.
The SVB crisis potentially creates prime opportunities for bad actors to redirect wire transfers. Many venture firms and emerging companies that are engaged in this process will receive multiple changes to wire transfer instructions in a short amount of time — and they may feel pressure to process the changes quickly, potentially taking shortcuts in their due diligence processes. Because of the rapid pace and volume of changes, venture firms and emerging companies may not be as alert as usual, making them more susceptible to fraud.
How Wire Fraud Schemes Work
In order to change wiring instructions, a bad actor first must obtain access to the communications that contain the instructions. Those instructions are most commonly sent by email — and, unsurprisingly, email is one of the easiest entry points for attackers. The more individuals there are on an email thread, the greater the likelihood that one of them will be compromised unknowingly. And one is all it takes.
Once the bad actor has access to a target's email, the attacker learns the details of the wire transaction and masters the tone and style of the party's written communications. The attacker then takes over or “spoofs” certain email addresses, interposing itself in the email traffic, often starting with innocuous communications to build trust. Ultimately, the attacker will go for the kill, announcing a change in fund transfer details, often claiming that the change is needed due to a bank “audit” or offering a similar justification.
If the attacker's deception is undetected, the payment will transfer to the attacker's account instead of the intended recipient's. And unless the transfer is caught and reversed within 24 hours, it can be very difficult, if not impossible, to claw the funds back, potentially resulting in a significant financial loss. There is often a dispute as to who bears financial responsibility for the loss, and the dispute in and of itself creates added fees and distraction.
Best Practices for Resisting Scams
No single security measure can thwart all wire fraud attacks, but there are basic steps organizations can take to significantly minimize the likelihood that they will be targeted successfully. Venture firms and emerging companies should consider multiple safeguards, such as:
- Maintaining robust payment authorization procedures that require thorough reviews of wire transfers, particularly those above a certain amount, to limit the chance that the company will make a payment to a fraudulent account. These procedures can include: (1) requiring multiple approvals, (2) verbally verifying the authenticity of each non-routine wire transfer request with a known contact, (3) using a previously used phone number to verify any changes (instead of using the number on the transfer request), and (4) being on high alert for any change in protocol.
- Requiring dual approvals for online (or electronic) payments and ensuring that whoever approves a payment is not the same person who initiates the payment.
- Inserting an “EXTERNAL” label in all emails from external sources, which can remind employees to exercise caution and help them identify a purported internal email coming from a spoofed email address.
- Developing a checklist of potential “red flag” behavior that requires extra due diligence, such as wires to new recipients, destination accounts in countries in which the intended recipient does not do business, or any other change in normal protocol.
- Implementing multi-factor authentication for email, which can help prevent many, although not all, phishing attacks.
- Educating and testing employees on identifying and reporting phishing attempts, taking appropriate fraud prevention steps, and maintaining general email security hygiene (such as checking email domains and not following links, opening documents, providing credentials, or sending payments without verifying the source).
- Obtaining cyber insurance that includes coverage for misdirected funds transfers, which, if all else fails, can help defray the cost of an incident.
- Establishing a written information security policy and reviewing it often.
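The authorization, dual-approval and red-flag items above can be enforced as a pre-release check in a payment workflow. The sketch below is an added example, not part of the original article; the record layout, names, phone numbers and the `REVIEW_THRESHOLD` amount are assumptions made for illustration.

```python
from dataclasses import dataclass

REVIEW_THRESHOLD = 10_000  # assumed policy value; the article names no amount


@dataclass
class Payee:  # details already on file before any change request arrived
    account: str
    phone_on_file: str
    business_countries: frozenset


@dataclass
class WireRequest:
    payee: str
    account: str
    bank_country: str
    amount: float
    initiator: str
    approvers: tuple
    callback_number: str = ""  # number actually dialed to verify; "" if none


def review_wire(req, payees):
    """Return the reasons to hold the wire; an empty list means release."""
    holds = []
    independent = set(req.approvers) - {req.initiator}
    if not independent:
        holds.append("no approver other than the initiator")
    elif req.amount >= REVIEW_THRESHOLD and len(independent) < 2:
        holds.append("amount over threshold needs multiple approvals")
    known = payees.get(req.payee)
    flags = []
    if known is None:
        flags.append("red flag: new recipient")
    else:
        if req.account != known.account:
            flags.append("red flag: account details changed")
        if req.bank_country not in known.business_countries:
            flags.append("red flag: bank country outside recipient's business")
    # A red flag is cleared only by a call to a number already on file, never
    # one taken from the request; a new recipient has none, so it always holds.
    verified = known is not None and req.callback_number == known.phone_on_file
    if flags and not verified:
        holds += flags + ["callback not made to a number already on file"]
    return holds


# Constructed sample data: one payee on file and three requests.
PAYEES = {"Acme Labs": Payee("111-222", "+1-555-0100", frozenset({"US"}))}
SPOOFED = WireRequest("Acme Labs", "999-888", "HK", 250_000, "alice",
                      ("alice",), callback_number="+1-555-0199")
VERIFIED = WireRequest("Acme Labs", "999-888", "US", 250_000, "alice",
                       ("bob", "carol"), callback_number="+1-555-0100")
ROUTINE = WireRequest("Acme Labs", "111-222", "US", 5_000, "alice", ("bob",))
```
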
Venture firms and emerging companies also should be prepared to respond in the event of a successful wire fraud attack. Upon discovery, they should act immediately to:
- Change account passwords and numbers for all employees on the affected email chain — and, if not overly burdensome, everyone at the entire company.
- Check relevant email accounts for any auto-forwarding rules, which attackers may create and which remain running even after passwords are reset.
- Contact outside counsel to determine appropriate steps to investigate and contain the incident, including retaining a forensic consultant.
- Contact the local FBI office to report the fraud and to gain assistance recovering the funds. While recovery can be challenging if funds have already been transferred out of the country, agencies such as the FBI do try to help.
- File a complaint with the Internet Crime Complaint Center (IC3) to investigate the incident.
- Contact the financial institution(s) involved to stop additional fraudulent transactions and to try to recoup any stolen funds.
- Contact the company's insurance provider to recover the loss.
- If any accounts have been compromised, work to determine the full scope of information that was affected, such as personal information for which there could be a breach notification obligation.
To report an incident, please refer to the following pages:
US government agencies offer additional information on measures businesses can take to protect themselves, including:
- FBI guidance on spoofing and phishing
- FBI guidance on business email compromise
- US Department of Justice Cybersecurity Unit's Best Practices for Victim Response and Reporting of Cyber Incidents