In part 2 of this Q&A, Ryan Castle and Justin Ryan address common misconceptions, vulnerability assessment, and steps firms can take to address and mitigate wire fraud risk.
Ryan Castle is the founder of Conduit Security, a cybersecurity firm that helps investment managers stop wire fraud criminals. Prior to founding Conduit Security, Castle was an FBI Special Agent in New York assigned to complex cybercrime investigations and an engineering team lead for Palantir Technologies, working federal law enforcement deployments across the United States.
Justin Ryan is a Relationship Manager at Linedata with 20+ years of in-the-trenches experience in sell-side and buy-side finance. He is passionate about Linedata’s mission of helping clients meet their challenges with innovative and effective technological solutions.
What are some common misconceptions about wire fraud?
Ryan Castle: When it comes to socially engineered wire fraud, the biggest mistake people make is to think of it as an IT or a cybersecurity issue. It actually isn’t. Wire fraud is fundamentally a financial controls issue. You can see this in the way that cyber insurance policies treat wire fraud. Many firms are surprised to learn that wire fraud isn’t covered under their broader cyber policy. But that’s because wire fraud isn’t malware. It’s not a network intrusion. It’s a very narrowly defined social engineering event.
The other big misconception is that financial controls around cash management are sufficient to prevent wire fraud. They rarely are. Such controls are focused on intent and authorization. They’re aimed at preventing things like embezzlement. But wire fraud, remember, is defined as a fraudulent payment that you make with full intent and approval. In a wire fraud incident, you’ve been tricked into paying the wrong account. It’s a real invoice or capital call, the amount is correct, but the payment instructions have been changed without anyone’s knowledge.
I think too many firms have a false sense of security because they’ve got several layers of approval in place. But what’s really important to unpack is what are your people actually approving? Are they verifying intent? Are they approving that the team followed the cash controls policy? Is it auditable? Is it transparent? Can the approver determine exactly what teammates have done to validate this information? Or are they just comparing bank instructions to the invoice and saying, “OK, this matches. There’s no typo and there’s no embezzlement. Go ahead and send it.”
Justin Ryan: I think a lot of firms believe that if they have a good enough cybersecurity program in place, then they’re covered against wire fraud and other threats. A firm might think: “We train our employees at least four times a year. They know not to click this link. They know not to do X, Y, and Z.”
But I think the most important thing is for a firm’s leadership to build a “culture of compliance,” one that comes directly from the C-suite. You have to emphasize to your employees how important compliance is—and truly lean into it from the CEO on down to get everyone to embrace it and really understand the risks.
That way, compliance is no longer treated as a necessary chore. It becomes a way for everyone in the firm to defend against a true threat—such as wire fraud—and to think about that threat and actively try to prevent it from happening.
What factors should buy-side firms consider when assessing their vulnerability to wire fraud?
Ryan Castle: Wire fraud is not primarily an IT issue—but information security is still fundamental. And this concerns not just your own network but also the security of the networks of all the people you’re dealing with. Compromised emails are often the starting point for wire fraud crimes, and many times those emails are outside of your organization. Securing your email and networks is necessary; however, it is not sufficient for preventing wire fraud.
In addition, secure communications are crucial. We emphasize the importance of verification and callback procedures in preventing wire fraud – don’t trust email alone. But with WFH, it’s now expected that people will use personal cell phones for calls instead of office lines. Unfortunately, this is exactly the tactic that bad actors use to convince fund managers to call them instead of the intended recipient, leading to social engineering losses. At the pace of business, ensuring proper verification procedures is a difficult task – which is why wire fraud is a $2.7 billion per year problem.
Justin Ryan: I think a good starting point is for organizations to recognize just how much our guard has dropped with WFH and work-from-anywhere—and what that means for our overall level of risk.
These days, you can’t simply pop over to your colleague’s desk and ask them, “Hey, did you send this? Is this right?” Instead, we all have Teams messaging and tools like that. And we can see when people are in meetings. We can see when they’re presenting. And the temptation is to say, “Well, I’m not going to bother them with this right now.” Or: “I’ll just send a text or an email—I’m not going to follow my normal procedure because this is now a different environment that we’re all working in.”
But of course, all of this brings new risks. And organizations underestimate those risks at their peril.
What can buy-side firms do to address the risk of wire fraud?
Justin Ryan: Education is critical because the threat landscape is changing daily. The old ways of doing things are changing. The ground is moving under our feet. You have to have a good cybersecurity program in place. You need to educate your employees and build a culture of compliance knowledge-sharing.
And I should emphasize that this is not a “set it and forget it” model. It’s quite possible that we’re just entering the J-curve of AI-generated fraud right now. We need to be forward-thinking and agile because tomorrow’s threat will be different from today’s—and the threats will very likely accelerate.
Ryan Castle: Policies and procedures for cash control are usually well-documented and thought out. But when it comes to preventing socially engineered wire fraud, even though the policies are there, there’s a lack of a system with a technical control to hold people accountable. Many other policies and procedures have technical controls in place, but the ones around wire fraud often don’t. And that’s still the missing piece of the puzzle for a lot of firms.
To be clear, policies and education are essential. But every victim I’ve worked with had good policies and well-informed people. Mistakes happen. It’s just like email security. Do we conduct phishing simulations and provide security awareness training? Yes, of course. But we also implement email filtering tools and attachment scanning because no one is perfect.
To prevent wire fraud, firms need a solution that puts guardrails in place to ensure that their policies and procedures are actually being followed. People can’t be expected to be flawless every day, so we need technical controls to support them.
More information
Conduit protects assets from wire fraud through proven processes and a simple software platform that codifies best practices and procedures; ensures transparency, accountability, and repeatability; and leverages smart risk intelligence. Conduit is an independent security firm and has consulted with clients ranging from homeowners to billion-dollar IPOs. Learn more about Conduit Security and its innovative approach to preventing wire fraud.
Linedata’s cybersecurity offering includes Linedata Protect, its Managed Detection, Response and Remediation (MDRR) solution for asset managers, hedge funds, private equity, and other buy-side firms. Other services include security awareness training, vulnerability testing, third-party risk management, and CISO-as-a-Service. Learn more about Linedata’s managed cybersecurity services for investment businesses.