"Fraudulent Wire Transfers: The Russian Connection"
William G. Compton
In recent months, a number of business entities have reported fraudulent multimillion-dollar wire transfers made from their commercial accounts at various banking institutions. According to law enforcement authorities, these fraudulent transfers were initiated by “criminal gangs” located in Russia and Eastern Europe. Recovery in these cases is problematic.
While all the details are not yet known, a common element in the fraudulent scheme seems to be that the computer systems of the victims were “hacked” by use of a sophisticated scanner which searches for “open ports” in the user’s security screens. The hacker then penetrates the “port,” copies the victim’s security protocol, and sends a wire transfer order to the victim’s bank which appears, by all accounts, to be authentic. When a financial institution receives what appears to be a properly authenticated payment order, the bank almost always executes the order. The recipient of the fraudulent transfer, of course, is an account at a financial institution in a distant state and upon receipt, the funds are immediately forwarded to an account in Russia where they disappear. All of this happens in a matter of minutes. The next day, when the smoke clears, the customer’s account is short several million dollars, the recipient account has a zero balance, and the money trail goes cold at the Russian border.
When the fraudulent transfer is discovered, the customer is at first shocked to find that its bank executed an unauthorized order, and then dismayed when the bank declines to make good on the loss because it was the customer’s security system that was breached. If our experience be any guide, this is the white collar “crime of choice” for the 21st century. Quick, clean, very lucrative and done from thousands of miles away … almost perfect, don’t you think?
Let’s stop for a moment and get our legal bearings: Isn’t a bank supposed to pay only authorized wire transfer orders, and how can an unauthorized transfer order from a hacker be payable under any circumstances? While this analysis is correct as far as it goes, the simple fact is that the “Russian Connection” is unlike most wire frauds where an unfaithful employee “borrows” the company’s security code, wires money to the Caymans, and runs off with a love interest. The “Russian Connection,” by contrast, is one where a complete stranger “hacks” your system, copies your security information and steals your money in a totally impersonal transaction.
The lack of a human touch is part of the problem. The contact between you and your bank for wire transfers is likely to be impersonal (by e-mail or computer), and when a wire transfer is initiated, the bank obviously needs some electronic way of verifying your identity, and that the payment order is authorized. In most cases, the bank will insist that you identify yourself by the use of a security procedure. Under the Uniform Commercial Code (“UCC”), a security procedure is a protocol which you establish with your bank for the purpose of verifying that a wire payment order is authentic. If you and the bank have agreed upon a “commercially reasonable security procedure” and the bank in good faith follows the procedure, the order is treated as though it were authorized even though it is not.
Security procedures can be based on “number codes,” “identifying words,” “encryptions,” and even “telephone calls” to confirm your identity, all very ordinary. Supporting the security procedure concept is the rule that, if you are the victim of fraud and if you can prove that the thief is not and never was an insider, you are not bound by the unauthorized but verified order.
Again, this sounds reasonable. If you can prove that the thief was a stranger to your business, you are not liable. Right? Unfortunately, the resolution is not quite so easy. In the case of the “Russian Connection,” the first question is how, and from what source, did the hacker get access to your security procedure? If a clever thief obtains the security procedure by “hacking” into your system, the bank will argue that the information was obtained from you or a source which you control. This is a very powerful argument, because the information almost certainly did not come from the bank. The thief has, in effect, made himself a “constructive insider” by hacking your system. In this circumstance, the UCC is no help in reversing a Russian Connection order unless you can carry the burden of proving that the hacker did not acquire the information from your system. Litigation is seldom a good choice, but in this case the odds seem particularly daunting.
In general, the UCC tells the bank that it can rely on orders that are transmitted in accordance with your security procedure, and can charge your account even when the order has been sent by a thief. The rules encourage the bank to set up good security procedures and to use them. The upshot of all of this is that most of the theft committed by these new age embezzlers, namely, those who steal by computer (and not by gun), will fall on the person who has the more vulnerable security system. In most cases, that is you, the customer.
The thrust of this analysis is that banks are seldom the victim of a hacker’s intrusion. Banks literally spend hundreds of thousands of dollars on their security systems, and as between you and the bank, it is almost always the case that it was the customer’s system which was hacked, and thus the conclusion that the information used to create the fraudulent payment order was acquired “from the customer” and “not from the bank.” To paraphrase the UCC, the thief (“the hacker”) obtained the information (“your security procedure”) from a source which you control (“your computer”) which was then used to create a fraudulent order (“a wire request that looks authentic”) and the loss (“the stolen money”), regardless of how the information was obtained (“hacking”), falls on you, the account customer.
What is to be done? Obviously, wire transfers will not be abandoned as a business tool. Also, it should be obvious that the bank will almost always have the better security system, and unless you are a major oil company, the bank will not want to negotiate better terms for you in apportioning a loss. We believe the first and best line of defense is a better security procedure to protect not only your wire transfer codes, but your other important electronic data as well. Do not delay. Call your IT people at once and have them upgrade all of your security codes and procedures, with particular emphasis on the security procedures used to authenticate your wire transfer transactions. If you don’t have a good IT person, you may even want to hire an outside consultant. Even if you do have a good IT person, hire an expert to check their work. Will this be expensive? Yes, but remember when you calculate the cost, subtract the expense from, say, $2,000,000 (which was recently stolen). In that light, it is a fairly cheap precaution against wire fraud.
Is any security system perfect? Of course not, but avail yourself of the old adage that a thief will avoid the house with burglar bars and look for an easier target. To continue the analogy, make certain that when the thief’s computer scans your system, all it sees are burglar bars … chances are that the thief will move on to another house … with an open window.





