The Financial Fraud Kill Chain: Combatting Fraudulent Money Transfers
By: Lewis Brisbois' Data Privacy & Cybersecurity Team
Businesses are constantly targeted by criminals attempting to gain access to information that will allow them to fraudulently divert wire transfers. This often occurs after the criminal has conducted sufficient reconnaissance to determine who likely has an occupational role to approve or initiate wire transfers. The employee will then be targeted – often a financial executive like a Chief Financial Officer – and their email account will be compromised. Once inside the email account, the criminal will change “rules” so that incoming messages with terms like “wire,” “transfer,” “bank,” “account,” etc. are immediately routed to a fraudulent email account, and deleted from the legitimate email account.
The criminal will then take over communications with customers or vendors who are in the process of initiating wire transfers to the business. The imposter will pose as the legitimate account holder, and issue new wire transfer instructions – often blaming the change on previous fraud on the account. The customer or vender then abides by the new wire transfer instructions, and initiates a wire transfer that is transmitted to the fraudulent account. This exploit has become a multi-billion dollar criminal business model.
What you can do to protect yourself
Although billions of dollars have been lost to criminals in the past few years through fraudulent money transfers, that trend does not have to continue. If businesses are able to detect a fraudulent money transfer within 72 hours of the initial transmission, the Financial Fraud Kill Chain (FFKC) can be initiated in an attempt to stop the transfer. Although the funds are not always recoverable, even if the kill chain is initiated within the 72 hour window, it is far more likely to occur than if an attempt is made outside that window.
The FFKC utilizes a relationship between the FBI, the Financial Crimes Enforcement Network (FinCEN), and the Egmont Group, to help stop the fraudulent international transfer of funds by criminals. The FFKC is intended to be utilized as a means for U.S. financial institutions to obtain the return of victim funds. The FFKC can be used if the fraudulent wire transfer meets all of the following:
- The wire transfer is $50,000 or more;
- The wire transfer is international;
- A SWIFT recall notice has been initiated; and
- The wire transfer occurred within the last 72 hours.
If the wire transfer does not meet the above criteria, it should still be reported to the FBI as soon as it is detected. The FBI may be able to aggregate details of the matter with other investigations to recover the funds and/or hold malicious actors accountable.
How to get the FFKC process started
To initiate the FFKC process, upon detection of a fraudulent money transfer, a complaint with the Internet Crime Complaint Center (IC3) should be filed immediately, which can be done online here: https://complaint.ic3.gov/default.aspx.
If possible, the following information should be provided in the complaint:
- Victim business name and address;
- Transaction type (i.e. wire transfer), amount and date;
- Victim bank (i.e. originating bank) name and address;
- Victim bank account and routing number;
- Recipient bank (i.e. beneficiary bank) name and address;
- Recipient bank name and address;
- Recipient bank account and routing number;
- Recipient bank SWIFT number; and
- Summary of the incident.
The more information that is provided about the incident, the more effectively the FBI can respond. As soon as the report is filed with IC3, an FBI agent in the geographic jurisdiction of the victim bank should be contacted and provided with the IC3 report and any other relevant details. You can find a map of FBI field offices here: https://www.fbi.gov/contact-us/field-offices.
The FBI can then interact with the victim bank to ensure everything is done to recover the funds. The Lewis Brisbois Rapid Response Team can help to facilitate this response.
Click the ‘Subscribe for More Updates’ button at the top-right of this page to receive alerts when new Digital Insights posts go up.