A $1 Million Wire Fraud Deception: One Client’s Experience and What to Know

Wire transfers are a common way to send money safely. Unfortunately, as criminals become more sophisticated in their methods, wires are also a common target for scammers. Therefore, it’s essential for companies to stay alert and take preventative steps to outsmart criminals.

A common type of fraud is committed by “impersonators” who steal money through electronic communications like emails. Impersonators replicate legitimate email communications, sometimes taking advantage of the trust in an established business relationship.

Understanding the nuances of business email compromise (BEC) and staying aware can help prevent fraud. One client’s experience illustrates wire fraud’s impact and shares prevention tips. This real-life story examines a sophisticated wire fraud incident targeting a homeowners association, where a routine insurance premium payment became costly. By using an email spoofing technique and taking advantage of the community manager’s absence, fraudsters successfully diverted funds through multiple wire transfers.

Getting Spoofed: A Real-Life Story

One homeowners association regularly paid its $1 million annual insurance premium by check. A representative from the insurance company typically picked up the check in person.

Then, one year, the association’s accounts payable director received a request from what they thought was their colleague, the community association manager, to pay the premium via wire. The two discussed it via email, verified the amount and arranged payment.

Due to the size of the transaction and limitations on wire payment amounts, the payment had to be split into three wire transactions. The first two payments had been verified and sent, and the third was in the works when something shocking happened: The insurance company representative arrived to pick up the check.

The real recipient from the insurance company had never contacted the community management company about a change of process. Only then did the management company realize it had been duped.

How It Happened

The community association management company’s accounts payable department believed it was communicating with another member within their organization — this particular association’s community manager. But it was deceived by a fraudulent email address that differed by a single “s” and a slight misspelling.

Timing was everything: This subtle change went unnoticed because the genuine community manager was out of the office. At the same time, the criminal had presumably gained access to the community manager’s email account. The fraudulent email directed the wire transfers under the false pretense of updating payment information for the community association’s real insurer.

Taking Action

Upon discovering the deception, the community management company picked up the phone to report the fraud to the bank. The relationship officer immediately helped guide their team through the complex process of assessing recovery options and attempting to recoup any losses.

Working with the client, the relationship officer urgently traced the funds, contacted the receiving bank and initiated a freeze. Throughout the investigation, the relationship officer assisted with police reports and FBI involvement.

Wire fraud is like handing over cash to a criminal, which makes it difficult to recover. In this case, less than 20% of the $1 million-plus loss has been successfully recovered to date.

Preventing Wire Fraud

This incident highlights the critical need for internal controls and verification processes. Here are a few practices we recommend implementing within your organization to help prevent this type of wire fraud:

• Slow down and be a detective: Take time to carefully review emails and question everything, especially requested changes to payment terms or methods. Scrutinize names, email addresses, website URLs and phone numbers to verify they match the information on file.  
• Include verbal confirmation in policies and procedures: Require a phone call to confirm requested changes. Call your colleague directly, or if working with a vendor, call the number you have on file  — not the number included in the email, which may connect you to the fraudster.
• Add “External Email” alerts: Organizations can add a bold, unmissable “external email” alert to incoming messages. Email users should not ignore these notifications. In this case, the AP team may have overlooked the warning. When in doubt, call to confirm.  
• Regularly update systems: Consistently refresh security patches and conduct employee fraud prevention training. Regularly review procedures — at least once per year — to confirm employees are aware of all practices.

Connecting With a Trusted Banker

Banking experts who know the community association industry can help you create a fraud prevention plan and navigate the complex recovery process when you need it. Alliance Association Bank works with the rapidly growing community association industry to provide tailored solutions, including fraud prevention.

For additional strategies to mitigate fraud risk, including free virtual training for you and your employees, please reach out to our dedicated banking team.