Over the last year, the Bankers Insurance Agency has seen three significant Wire Transfer Fraud claims. Each claim was more than $500,000.
Case #1
In the first case, the fraudster infiltrated the email of a large customer of the bank. He established himself as the “new CFO” of the customer via an email to the bank’s wire transfer department. He also advised the bank that they were installing a new phone system and he provided the bank with a “new” phone number on which to contact him. Several weeks went by before he contacted the bank again via email about wanting to initiate a wire transfer. The bank advised him that they needed a Wire Transfer Agreement to be signed by him. He told the bank to email it to him. He signed the Agreement and emailed it back to the bank. He then waited several more weeks before he initiated the wire. The bank did the right thing; they called him back to verify the wire. He confirmed that it was him. And the money was wired out. He did this a second time two days later. The total was $548,000.
You may think this should be covered by insurance. The bank had a Wire Transfer Agreement and they called back — both requirements of a Financial Institution Bond. But who was the agreement with? The fraudster, not the real customer.
Case #2
In the second case, a similar fraud took place. But in this case, the “customer” (fraudster) emailed the bank and advised they hired a new comptroller who will be performing wires for the company. The bank responded by emailing the form allowing this new comptroller authorization to perform wires. The “customer” made some notations in the margins … initialed a few things and then signed (forged) the customer’s name to the document. A day later, the new “comptroller” authorized over $500,000 of wires.
In this case, I used the term “forged,” which may indicate some coverage under the Financial Institution Bond. However, the term “Forgery” is well defined in the policy and typically relates to specific documents such as checks, securities, titles and the like. For example, years ago we had someone “forge” his bank and investment statements to obtain a loan. Those are not covered by the Forgery Endorsement. In this case, the document that was forged gave permission to a third party to initiate a wire.
Case #3
In the most recent third case, the email of the bank’s customer was again compromised and an email supposedly from the owner requested that a new signer be added to their account. A new signature authorization form was emailed to the “Customer” who signed the document allowing a new “fictitious” family member to have access to their accounts. The new family member then requested wires, which the bank provided. Close to $600,000 was wired. However, the bank was able to recover more than $400,000 after the mistake was discovered.
Is the bank covered?
The underlying factor in each of these cases is that the entire loss was performed via email. At no time did the bank pick up the phone and CALL THE CUSTOMER to verify these transactions. And to be clear, the call must be made to the ORIGINAL phone number and CUSTOMER that was provided when the account was established. Unfortunately, the bank was calling the fraudster to verify the transaction.
Customers ask if these losses would be covered by their Cyber Liability Policies. The answer is typically no. Most Cyber Policies issued to banks specifically exclude these losses since they’re supposed to be covered by the Bond.
One more scheme
Lastly, another common scheme is where the customer has his/her email compromised. The fraudsters monitor it and when they see the customer is on vacation, they email their CFO or trusted employee who has wire transfer authorization. The fraudster (using an email close to the customer’s real email) instructs the employee to wire money to a third party. Without calling the boss back, the employee initiates the wire. The bank calls the employee back to verify and the employee affirms it was their wire. When the customer returns from vacation, they realize that the money is gone.
In short, be sure you’re calling your customer. Use phone numbers that were provided when the account was established. If you’re unsure, look the number up and call that number. Don’t allow phone numbers to be changed on the fly. If money is leaving your bank, stop, ask questions and ask them again.
Brien O’Connor has more than 35 years experience in bank insurance. He joined TBA in 1989 to start the Bankers Insurance Agency and has expanded it to other states all while keeping up with the latest insurance technology. Brien speaks often at banks, TBA events and board meetings.