A Wire Fraud Wake Up Call  

Key Points 

  • Many SMBs rely on ad hoc approaches and employee judgment rather than formal processes and training. 
  • SMB executives may underestimate the risk of being targeted by cybercriminals. 
  • Attackers target businesses with weak security, regardless of size, using methods such as BEC. 
  • Social engineering, including phishing, smishing, and deceptive calls, is a notable risk for SMBs with underdeveloped security. 
  • Insufficient role-specific awareness and training raise the likelihood of successful attacks and financial loss. 
  • All staff should verify transfer requests using a pre-defined contact method.

A CEO at a small real estate and insurance company I know fell victim to a wire fraud scam. The executive team assumed that their staff would be able to “just use common sense to detect fraud,” so they did not invest in cybersecurity training or resilient processes for major financial transactions. But sophisticated actors, especially those leveraging modern AI designed to accurately mimic real human interactions, are difficult to spot and, as a result, the company lost $47,000. While this might be negligible to large enterprises, it could represent an entire year’s profit for a small business.

Executives at smaller businesses often believe they are less likely targets for cyberattacks; however, attackers often focus on organizations with weaker security controls. Business Email Compromise (BEC) attacks are more successful when employees lack adequate security awareness or anti-phishing training.  

Larger organizations tend to implement broader cybersecurity programs due to compliance and regulatory requirements. Small and medium-sized businesses (SMBs) face the same challenges and requirements, but with significantly smaller teams that are often unable to implement comprehensive security frameworks or support ongoing efforts.

Social engineering poses a significant risk for SMBs with developing security protocols. Attacks—including phishing emails, smishing texts, and deceptive calls—exploit employees who may inadvertently assist threat actors. The wire fraud case cited above was facilitated by insufficient security awareness training and supporting tools. 

Wire fraud scams are a major risk to every organization. 

  • Overall loss increase: According to FBI data, total reported cybercrime losses increased by 33% from 2023 to 2024. The FTC also reported that consumer fraud losses rose from over $10 billion in 2023 to $12.5 billion in 2024. 
  • Bank transfers as a top loss driver: Bank transfers and payments accounted for $2.09 billion in losses in 2024, surpassing cryptocurrency losses of $1.42 billion. 
  • Business email compromise (BEC): BEC scams remained a leading cause of wire fraud, causing substantial financial losses in 2023 and 2024. 
  • All businesses are targets: Studies show that 90% of U.S. businesses faced cyber fraud and 63% experienced wire transfer fraud attempts. 
  • Targeting of older adults: Reports indicated that Americans aged 60 and older lost $3.4 billion in 2023 through wire transfers, increasing to $4.9 billion in 2024. 
  • Business impacts: Surveys from 2024 found that 90% of U.S. companies encountered cyber fraud attempts, while 63% experienced at least one wire-transfer fraud incident in the previous year. 

Am I a target? 

Every company using wire transfers faces a wire fraud risk. 

Scammers employ tactics like BEC to impersonate executives, vendors, or officials and pressure staff members into initiating wire transfers through urgent requests or manipulation. Phishing and fraudulent websites may be used to access sensitive information or alter transaction details. More complex attacks, including those deploying AI, are difficult for anyone to detect, especially in cases where transfer processes have weak, limited, or no authentication requirements.  

Wire transfers are valued for their speed and finality, features that can be exploited by malicious actors; reversing wire transfers is challenging and sometimes impossible. Even small transfers are a target – businesses have reported individual incident losses ranging from $10,000 to more than $1 million – so this is not just a problem for large corporations with big bank accounts. 

What should I do? 

As my CEO friend learned, the best way to mitigate wire fraud risk is through employee training and authorization procedures for wire transfers. 

  • Employees should be informed of the risks associated with business-critical processes such as wire transfers and proper data handling, which may be targeted in cyberattacks.  
  • Leadership teams have a responsibility to ensure staff receive appropriate loss-prevention training for every key application and business activity.
  • Ensure multiple people are involved in any significant transaction and that they communicate only via pre-defined and authenticated methods such as internal chat or call-back numbers.
  • Ask your financial institution for help – many will allow you to set up extra verification steps or limits for one-time or one-off transfers.
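
One way to encode the controls in the list above as a release gate in a payments workflow. This is an added example, not from the original article; the vendor record, threshold, limit and function names are assumptions, and all sample data is constructed.

```python
from dataclasses import dataclass, field

# Constructed vendor master file: details captured at onboarding, never from a request.
VENDOR_MASTER = {
    "acme-title": {"callback": "+1-555-0100", "account": "021000021/12345678"},
}
DUAL_APPROVAL_THRESHOLD = 5_000  # assumed policy value (USD)
ONE_OFF_LIMIT = 2_500            # assumed cap for payees with no record on file

@dataclass
class WireRequest:
    requester: str
    payee_id: str
    account: str
    amount: int
    approvers: set = field(default_factory=set)
    callback_number_used: str = ""  # number staff actually dialled to confirm

def release_blockers(req: WireRequest) -> list:
    """Return the reasons a wire must be held; an empty list means release."""
    reasons = []
    vendor = VENDOR_MASTER.get(req.payee_id)
    if vendor is None:
        reasons.append("no pre-defined contact on file for payee")
        if req.amount > ONE_OFF_LIMIT:
            reasons.append("amount exceeds one-off transfer limit")
    else:
        # The call-back must go to the number on file, not one supplied in the request.
        if req.callback_number_used != vendor["callback"]:
            reasons.append("call-back not made to number on file")
        # Altered transaction details must never pass on the request's word alone.
        if req.account != vendor["account"]:
            reasons.append("account differs from vendor record")
    # The requester cannot approve their own transfer.
    independent = req.approvers - {req.requester}
    required = 2 if req.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(independent) < required:
        reasons.append(f"needs {required} independent approver(s), has {len(independent)}")
    return reasons

# Constructed request: self-approved, new account number, and confirmed by
# calling the number given in the email rather than the one on file.
spoofed = WireRequest("ap-clerk", "acme-title", "026009593/99887766", 47_000,
                      {"ap-clerk"}, "+1-555-0199")
for reason in release_blockers(spoofed):
    print("HOLD:", reason)
```

The gate deliberately returns every failed control rather than stopping at the first, so the hold notice tells staff exactly which verification step was skipped.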