Here we go again: According to the FBI’s 2024 Internet Crime Report, released on April 23, 2025, cyber-crime losses rocketed to $16.6 billion last year, a 33% increase over 2023. Even more alarming, Business Email Compromise (BEC) drained organizations of $2.9 billion across 21,489 incidents last year. As we press deeper into 2025, let this be a warning if your firm is sending six, seven or eight figure wire transfers. And if you are relying on a 3rd party to verify your firm’s wire instructions for you – you are most likely still at risk of a total loss if your 3rd party vendor is tricked with fraudulent instructions. Check the internet – it has already happened to fund administrators in the asset management industry and the outcome was not good. So, what do you do?
Risk for Asset Managers
Outsourcing treasury operations to third-party vendors can streamline your process—but it can also lead to financial risk. Fraudsters commonly spoof investor emails or actively breach the investors’ e-mail accounts to make fraudulent changes to existing wire instructions for valid wires. I’ve seen it firsthand, and without extensive out-of-band checks—like a verified phone call and a micro transaction —multi-million wires can be irretrievably lost. And the gut punch associated with these fraudulent wires is that your 3rd party vendor may NOT be insured to cover your losses.
Wire-transfer controls every asset manager should enforce:
- Verified Communication: Always view changes to existing wire instructions as a red flag. Confirm changes via a known, pre-existing phone number, not the one in the email or the invoice. And under no circumstances can you trust an inbound phone call – even if you receive a call with what appear to be a valid Caller ID and a recipient’s voice that you recognize (see below).
- Strong Login Protection: Use physical security keys (like USB tokens) or authenticator apps whenever you log into systems that send wires and ensure two-person controls are in place for releasing wires.
- Do Not Trust Caller ID or Voice Recognition on Inbound Calls: Call ID Spoofing and AI voice synthesization are the news way criminals can trick you with a fraudulent confirmation of changes to wire instructions. Relatedly, never trust an inbound call from the bank either. If the bank calls you, get the person’s name and then call the bank back from the number on their webpage.
- Verify your 3rd Party Vendor has Social Engineering Insurance: Your 3rd Party Due Diligence MUST include verification that if the vendor makes a mistake associated with your firm’s wire transfer, and the funds are lost – the vendor’s insurance will cover your loss (make certain that the insurance covers Pooled Assets and not just your firm’s GP funds). As you do your diligence, it is critical to determine the total amount of coverage afforded your firm by the vendor’s insurance. A simple “yes” that vendor has insurance is not enough. You need to also determine the loss limit.
Additional Risks for Private Equity Firms
When private equity firms rush to close a deal, they juggle dozens of invoices and final payment instructions under tight deadlines. Criminals take advantage of this chaos by swapping out wiring details at the last second. This is especially insidious if the Finance Team is relying on the Deal Team to provide the wiring instructions. Since these transactions often exceed $100 million, the loss can be existential to the firm.
Key controls for PE firms include:
- Deal Team Training: If your firm is relying on the Deal Team to provide wiring instructions, the Deal Team must be trained on wire fraud. Additionally, the Finance Team must still follow all of the recommendations provided above.
- Obtain Bank Wiring Instructions at the Beginning of the Diligence Period: Wire Transfer instructions are often obtained toward the end of the diligence process. Get those instructions early to avoid a criminal getting involved and making changes downstream.
- Contact the Receiving Bank Directly Before the Wire Is Sent: If the wire is seven figures or more, it’s critical to have a way to contact the receiving bank to confirm that the account to which you are sending the funds are EXACTLY the same as the account to whom you think you are sending the funds. Often criminals create look-alike accounts that are extremely similar in the naming convention, but not exactly the same.
Ready to Secure Your Transactions?
Wire fraud isn’t waiting for you to catch up—it’s evolving right now. One slip in your process can turn a landmark deal into a headline disaster and erase millions overnight. But it doesn’t have to be that way.
Imagine having a partner who knows exactly where the gaps lie and how to close them before criminals even try to exploit your firm. Schedule a call with me today, and let’s discuss how you can move forward with confidence—knowing every wire transfer is backed by the strongest defenses in the industry.
Michael Brice
President
BW Cyber, LLC
