What to Do After a Wire Fraud Incident: A Step-by-Step Guide

The FBI’s Internet Crime Complaint Center (IC3) received 77,918 wire fraud incident reports involving business email compromise (BEC) in the past decade.

In business email compromise, cybercriminals target participants in real estate transactions, including investors, buyers, sellers, real estate attorneys, title companies, and agents.

They can also target other organizations that process large transactions, such as business brokers, investment bankers, wealth management firms, etc.

Small businesses are a common target.

From the moment the funds are stolen, you have a maximum of 48 hours to recover them.

Here’s what likely happened to you:

  1. Criminals gain access to accounts (email, CRM, etc.), usually through phishing, social engineering, or compromised credentials.

  2. Criminals sometimes engineer persistent access: backdoors, malware, malicious configurations, etc.

  3. Criminals sometimes monitor the email account, watching for transactions.

  4. During the transaction closing stage, criminals send fraudulent wire transfer instructions. There are multiple scenarios that could play out.

  5. The victim transfers funds to the criminals' account.

  6. Criminals quickly transfer the funds to other accounts and exchange them for other currencies, escaping U.S. jurisdiction.

According to the FBI, banks located in Hong Kong, China, Mexico, and Singapore, as well as cryptocurrency exchanges, are major destinations.

If you've fallen victim to wire fraud, it's crucial to take immediate action to increase the chances of recovering the funds and prepare for potential litigation.

Here’s what you need to do:

1. IMMEDIATELY Contact All Financial Institutions Involved:

If the funds are still in a U.S. bank or U.S. dollar account, the institutions may be able to freeze the funds before the criminals move them.

  • This is TIME-SENSITIVE and URGENT.

  • They may ask for a police report and other verification before taking any action or sharing information, and they may be reluctant to share any information at all.

2. IMMEDIATELY Contact Law Enforcement

Report the incident to the FBI Internet Crime Complaint Center (IC3) and your local law enforcement. Make sure to document your reporting; get a copy of the police report and the FBI IC3 report. Depending on the amount of funds stolen, law enforcement may be able to recover stolen funds.

3. Contact your Cyber Insurance Provider, if you have one.

They will provide a cybersecurity incident response (IR) vendor (like us), legal counsel, and other parties to help with cyber investigation and the remediation steps below.

4. Investigate:

The investigation supports both security remediation and potential litigation. Get professional help.

  • BE CAREFUL NOT TO OVERWRITE OR DELETE EVIDENCE

  • Whose account(s) were compromised? It could be your network, it could be another party’s.

  • What information did they access?

  • How did they contact the victim? Did they use your email? Spoof your email? Call by phone? Text?

  • How did criminals gain unauthorized access?

  • Did they engineer any backdoors or persistent access?

  • Check for malware

  • Check for malicious configurations

  • If financial institutions determine funds were transferred into crypto, we can help with blockchain forensics to determine where the funds went.

5. Contain and Revoke Access.

  • Rotate passwords, credentials, etc.

  • Remove malware.

  • Delete malicious configurations.

  • Remove persistence and backdoor mechanisms.

  • Inform the parties to upcoming transactions of the risk, and potentially change closing dates. If criminals accessed information for multiple transactions, they will likely target those too, through social engineering.

6. Consult Legal Counsel.

This incident may be subject to data privacy laws. You may need to disclose it. Depending on the circumstances, litigation may result.

7. Documentation.

Documentation may be useful for remediation and other purposes:

  • Activity logs on the email system, CRM, computers, etc. These may provide the criminal’s IP addresses, email addresses, and other identifiers.

  • Document malicious configurations.

  • Maintain a detailed record of all correspondence and documentation related to the incident. This includes emails, text messages, and any other communication with the fraudster.

  • Document fraudulent communications.

  • Take screenshots and photographs to capture evidence of fraudulent activity.

  • Consult legal counsel on the proper documentation.
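
One way to pull unfamiliar source addresses out of an exported activity log, as the first item in this step describes. This is an added example, not part of the original guide; the CSV columns, the sample rows and the function name `unfamiliar_sources` are constructed for illustration and do not match any particular product's export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export; column names are assumptions, not a real product's format.
SAMPLE_LOG = """timestamp,user,source_ip,action
2024-03-01T09:02:11,agent@example.com,198.51.100.10,login
2024-03-04T08:57:40,agent@example.com,198.51.100.10,login
2024-03-11T03:14:05,agent@example.com,203.0.113.77,login
2024-03-11T03:16:52,agent@example.com,203.0.113.77,create_forwarding_rule
2024-03-11T09:01:30,agent@example.com,198.51.100.10,login
2024-03-12T02:48:19,agent@example.com,203.0.113.77,read_message
"""

def unfamiliar_sources(log_text, baseline_end):
    """Return {(user, ip): {"first_seen", "last_seen", "actions"}} for every
    source IP a user never used before baseline_end (ISO 8601 string)."""
    cutoff = datetime.fromisoformat(baseline_end)
    known = defaultdict(set)  # user -> IPs seen during the baseline period
    findings = {}
    # Same-format ISO timestamps sort correctly as strings.
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["timestamp"])
    for row in rows:
        when = datetime.fromisoformat(row["timestamp"])
        user, ip = row["user"].lower(), row["source_ip"]
        if when < cutoff:
            known[user].add(ip)  # activity before the incident window is the baseline
            continue
        if ip in known[user]:
            continue  # address the user already used before the incident
        entry = findings.setdefault(
            (user, ip), {"first_seen": when, "last_seen": when, "actions": []})
        entry["last_seen"] = when
        entry["actions"].append(row["action"])
    return findings

if __name__ == "__main__":
    hits = unfamiliar_sources(SAMPLE_LOG, "2024-03-08T00:00:00")
    for (user, ip), f in hits.items():
        print(user, ip, f["first_seen"].isoformat(), f["last_seen"].isoformat(), f["actions"])
```

Run it against a copy of the export, never the original evidence file, and keep the output with the incident record.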

8. Remediation

  • Remediate the security vulnerabilities that led to the incident and document it.

  • Monitor the environment; over half of cybercrime victims are re-targeted in related follow-on attacks.

  • Document the security measures you are taking.

We Are Here to Help.

Cybersecurity Emergency Team

We are your Rapid Response Cybersecurity Incident Response Team

Arizona-Based, Nationwide Reach.
