CyberMax Protects

Company Funds Transfer Verification and Fraud Prevention Policy: how to verify payment requests and prevent wire fraud.

Purpose

This policy is designed to protect our company, our clients, and our employees from fraudulent funds transfer requests, also known as Business Email Compromise (BEC) or Social Engineering Fraud. By following these guidelines, you help safeguard client assets and reduce the risk of financial loss.

Scope

This policy applies to all employees who handle client communications, wire transfers, ACH payments, or changes to vendor and client banking details.

How Multi-Factor Verification Prevents Funds Transfer Fraud

Wire transfer fraud and business email compromise (BEC) continue to be top causes of financial loss for businesses of all sizes. Criminals frequently impersonate executives, vendors, or customers to trick employees into sending funds or changing payment information. One convincing email can result in irreversible financial damage.

Why Verification is Critical

Cybercriminals often compromise legitimate email accounts or register domains that look nearly identical to your own. These emails may contain real signatures, prior email threads, and even accurate invoice details. Every payment or banking change request must be verified through a separate, trusted communication channel. Never reply directly to the same email or use the contact details it contains for verification.

1. Verification of Funds Transfer Requests

Never rely on email alone to authorize or process funds transfers. All funds transfer instructions from clients, vendors, or new contacts must be verified by a direct call using a pre-verified phone number on file. Employees may not use the phone number listed in the request email for verification. If the client/vendor cannot be reached for confirmation, the transfer must not be processed.

2. Verification of Account Information Changes

Any request to change a client or vendor’s bank account number, contact information, or mailing address must be confirmed by a new direct call to the verified phone number on file before any changes are made. Written/email confirmation alone is not sufficient.

3. Authorization & Approval

Dual authorization is required for all outgoing wire transfers or ACH payments. No single employee may approve and execute a transfer without independent review.

If verification cannot be completed through a trusted contact method, the transfer must not be processed under any circumstances.

4. Red Flags to Watch For

Employees should immediately escalate any suspicious activity to management.

Red flags include:

  • Urgent or confidential requests for money transfers
  • Requests received by text message
  • Requests to click links from a payroll provider or financial institution
  • Requests to bypass normal approval processes
  • Changes to banking or account information communicated only by email
  • Unfamiliar tone, language, or formatting in messages from known contacts
  • Slightly altered email addresses or new contact details that differ from verified records

5. Incident Reporting

If you receive a suspicious request, do not process it. Report the incident immediately to your supervisor and the Compliance/Security team. Document the request and how it was identified as suspicious.

Employee Responsibilities

Always follow call-back verification protocols. Never process a transfer or update without confirmed verbal authorization. Stay alert during email communications. Fraudulent requests often appear legitimate and may include accurate details.

Enforcement

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment. Strict adherence is critical to protecting our company and our clients.

Reminder

Protecting client and company funds is everyone’s responsibility. If in doubt: Stop, verify, and escalate.

Disclaimer

The materials above are provided for informational purposes only. They do not constitute legal, financial, or security advice. We make no guarantees regarding the prevention of fraud or unauthorized transactions and assume no liability for losses resulting from reliance on this information.