Waylon Krush, CEO of ZeroTrusted.AI
You get an email that looks like it’s from your realtor, your loan officer, or the dealership. The wiring instructions arrive. The amount is serious. You click, you wire, and ten days later you realize the car, the house, the deal — none of it exists. Welcome to the modern con: equal parts lazy trust and clever impersonation.
I’ve been getting more and more calls lately: “Can you hack this guy back who phoned and emailed to steal my wire?” No. Hacking back isn’t the answer. Report the crime immediately (the FBI’s Internet Crime Complaint Center — IC3 — is where a lot of these
reports go). But more importantly: stop wiring money unless you’ve proven, out-of-band, that the person on the other end is who they say they are.
Here’s what’s really happening — and how to stop it.
How the scam usually works (it’s often not fancy):
· The fraudster spoofs an email or registers a domain one letter off from a real company (tom@abd.com instead of tom@abc.com). If you skim, you miss it.
· Sometimes they’ve already seen (or bought) leaked credentials from a past breach and jumped into an ongoing email thread. Other times, they don’t need your inbox at all—they monitor the seller or institution and intercept financial details elsewhere. Or even just go to your social media and linked-in account to identify where you are in the corporate hierarchy and whether or not you can make or authorize financial decisions.
· They’ll post fake listings for cars, houses, rentals, or commercial property. Photos and descriptions look real because they scraped them from legitimate sites. The VIN numbers and property numbers and details match – but this does not mean they are real listings.
· Wire instructions are changed at the last minute or directed to a slightly different company name/account. If you don’t verify, the money vanishes. If someone tries to change the numbers last minute – stop and call the person you know related to the transaction – even better go meet them physically. Wires of institutions almost never change – unless they are scammers or fraudsters.
Simple, practical steps to protect yourself:
1. Never wire on the basis of email alone. If the wire request came by email, call a verified number (not the one in the email) to confirm. Go to the company’s real website, find their main phone number, and call them. If you have met someone – that is not via WhatsApp or online and have their cell phone number call them directly and ask questions.
2. Verify out-of-band. That means using a communication channel you know is real—call from the number you have on file, visit the office, or use a verified corporate contact you found independently. Do not use the number or address of the wire instructions you just got.
3. Check the email carefully. Look for tiny typos in domain names. If the sender’s domain looks off, do not act on the message.
4. Change bad passwords now. If your password is weak or reused (cat123, summer2020, etc.), change it. Use a unique password for your email and financial accounts—those are keys to everything.
5. Turn on Multi-Factor Authentication (MFA). Wherever available—email, bank, cloud accounts—use MFA. It’s the single best extra layer of protection.
6. Ask for documentation and proof of identity. For large purchases, insist on notarized documents or proof that the seller controls the property (title info, company registration).
7. When in doubt, pause. Delays are annoying, but they beat losing tens of thousands of dollars. Take the extra 30 minutes to verify. If you are management or an executive – create a process and train everyone on how and when financial transactions must be conducted.
8. If you’re a business, lock down internal processes. Require at least two approvals for wire transfers, limit who can request changes to bank instructions, and keep a call-back process to confirm any change.
A quick verification script you can use on a call
“Hi — I received wire instructions from [email address / person]. I’m calling from [your name / company]. For security, I want to confirm the bank account name and last four digits before I send funds. Please confirm by calling me back at [your verified number] or sending this on company letterhead to [your verified email].”
If you’ve been scammed — immediate actions
1. Call your bank right away and request a trace or recall of the wire (time matters).
2. File a complaint with the FBI’s IC3 and with local law enforcement.
3. Keep copies of all emails, texts, and phone records — these are evidence.
4. Alert others in your network or business who might be targeted by the same scam.
Final word: trust, but verify — and then verify again.
With AI, phishing and impersonation will only get more polished. That doesn’t mean you should live in fear; it means you should adopt simple, consistent habits: unique strong passwords, MFA, out-of-band verification for any money movement, and skepticism of last-minute changes.
Wires are fast and final. So is regret. Before you click “send,” pick up the phone, call the verified number, and make one real human check. Your future self will thank you.
Comments