5 MIN READ · Feb 19, 2026

A financial firm wiring hundreds of millions a year had no MFA — what we found, what we deployed

It was the most gaping security gap we'd ever walked into. A financial services firm moving hundreds of millions of dollars in wire transfers every year had no MFA on the systems controlling those wires. No email security. No SOC. No EDR. Nothing had happened yet, and that was the only thing protecting them. Here's what we found, what we deployed, and what it means for any business moving real money on legacy controls.

The 60-second version

  • Client: A financial services firm (anonymized) running hundreds of millions of dollars a year in wire transfers.
  • What we found: Zero MFA on the wire-initiation systems. No email security. No SOC. No EDR. The credentials that authorized those wires were one phishing email away from being someone else's.
  • The risk: Wires are irreversible. Once one goes, there is no chargeback, no clawback, no civil recovery that gets the money back. Velocity made it worse: the firm was sending wires daily, so the blast radius scaled with the volume.
  • What we deployed: MFA across the wire stack (Microsoft Authenticator and Duo by Cisco), behavioral email security (Avanan, a Check Point tool), SentinelOne EDR with 24/7 SOC monitoring on top.
  • The outcome: No incident has occurred since the rollout. The gap is closed.

The gap

We've got a financial company that we work with, and they send a ton of wires, 'cause it's a financial firm. They do hundreds of millions of dollars in transactions a year. For us, it was unbelievable that they were doing a lot of these transactions and they didn't have any type of multifactor in place.

— Farzad Vahid, CEO, Fornida

The way it worked: someone on the team logged into the financial portal, typed in credentials, and started sending wires. Volume was high enough that anything slowing the workflow would slow the business. So nothing slowed the workflow, including the second factor.

If the credentials were ever given away, if somebody got 'em on a phishing email and got those credentials, there is no other backup. They didn't have that in place at all.

— Farzad Vahid

A phishing email. A captured credential. A wire request from a session that looked, to the bank, exactly like every other wire request the firm had sent that week. That was the path.

Why irreversibility changes the math

Wires are final. There's no fraud-protection backstop the way there is on a credit card. Once the receiving bank releases the funds, the money is gone, usually into an account the threat actor has already drained.

If you're gonna send a wire, there is no recourse once the wire has been sent.

— Farzad Vahid

That asymmetry makes wire-controlling systems different from every other login in the business. A breached email account is bad. A breached wire-initiation account is catastrophic, immediately, with no recovery path. The control that protects it has to be priced against the worst case, not the average case. At this firm, individual transactions ran into the millions on a daily basis.

What "nothing had happened yet" was actually doing

There's a particular false sense of security that builds up at firms like this. The team had been operating this way for years. Nothing had gone wrong. The absence of an incident was being read, implicitly, as a signal the controls were adequate.

That's not how risk works.

And to us, it was fascinating that nothing had ever happened. It was a matter of time.

— Farzad Vahid

The longer the streak runs without an incident, the harder it gets to authorize the budget for the controls that would prevent one. By the time someone funds the project, it's usually because something has already happened.

What we deployed

MFA first, because it's the cheapest single control that closes the largest single gap. Then the rest of the stack, layer by layer.

  • MFA across the wire-initiation systems and the broader Microsoft 365 environment. Microsoft Authenticator where the user already had a managed device; Duo by Cisco where additional flexibility was needed.
  • Avanan (a Check Point tool) for behavioral email security. Microsoft 365's built-in spam filter catches a layer of phishing. Avanan catches a different layer: the targeted, lookalike, social-engineered emails that match the shape of legitimate correspondence.
  • SentinelOne EDR on every endpoint. If a credential does get away, the endpoint layer watches for the keylogger, the lateral movement, the off-hours data access.
  • 24/7 SOC monitoring layered on top of the EDR signals, so alerts that matter get human eyes inside minutes, not the next business morning.

Each layer answers a different question. No single tool stops everything; that's why the layers exist. Since the rollout, no incident.

What this means for any business like this one

Three takeaways that generalize beyond financial services:

  1. Price the control against the worst case, not the average case. If the worst plausible incident at your business is a six- or seven-figure event, the security stack that prevents it has to be authorized at a number that reflects that, not a number scaled to the average week.
  2. MFA is the cheapest, fastest single control you can put in place. If you're running any system that authorizes money movement, vendor changes, or admin access, and it's protected by a username and password alone, that's the first call to make this week.
  3. "Nothing has happened yet" is a luck balance, not a security posture. The longer the streak, the larger the eventual loss tends to be.
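
One way to check for the condition in takeaway 2, as an added example that is not code from Fornida or the client: the script replays a constructed audit log and reports every wire, vendor bank change or admin grant performed from a session with no recorded second factor. The log schema, factor labels and action names are assumptions made for this illustration.

```python
import json
from collections import defaultdict

# Actions the article treats as high-risk: money movement, vendor changes, admin access.
SENSITIVE = {"wire_initiate", "vendor_bank_change", "admin_role_grant"}
# Factor names that count as something beyond a password (assumed labels).
SECOND_FACTORS = {"authenticator_app", "duo_push", "hardware_key"}

# Constructed audit log, one JSON object per line, time-ordered. The schema is an assumption.
SAMPLE_LOG = """\
{"ts":"2026-01-12T09:02:11Z","event":"signin","user":"a.ops","session":"s1","factors":["password","authenticator_app"]}
{"ts":"2026-01-12T09:05:40Z","event":"action","session":"s1","action":"wire_initiate","amount":1250000}
{"ts":"2026-01-12T09:14:03Z","event":"signin","user":"b.treasury","session":"s2","factors":["password"]}
{"ts":"2026-01-12T09:15:27Z","event":"action","session":"s2","action":"view_statement"}
{"ts":"2026-01-12T09:16:02Z","event":"action","session":"s2","action":"wire_initiate","amount":3400000}
{"ts":"2026-01-12T09:20:45Z","event":"action","session":"s2","action":"vendor_bank_change"}
{"ts":"2026-01-12T23:41:09Z","event":"action","session":"s9","action":"wire_initiate","amount":980000}
"""

def audit(log_text):
    """Return (findings, exposure): sensitive actions lacking a proven second
    factor, and the wire total per user initiated that way."""
    sessions = {}                      # session id -> (user, factors)
    findings, exposure = [], defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["event"] == "signin":
            sessions[ev["session"]] = (ev["user"], set(ev["factors"]))
            continue
        if ev.get("action") not in SENSITIVE:
            continue
        user, factors = sessions.get(ev["session"], (None, set()))
        if user is None:
            reason = "no_signin_record"    # cannot prove any factor: fail closed
        elif factors & SECOND_FACTORS:
            continue                       # second factor present, nothing to flag
        else:
            reason = "password_only"
        findings.append((ev["ts"], user, ev["action"], reason))
        if ev["action"] == "wire_initiate":
            exposure[user or "unknown"] += ev.get("amount", 0)
    return findings, dict(exposure)

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG)[0]:
        print(*row)
```

The per-user exposure total is the figure to bring to a budget conversation: it is the wire value that a single captured password would have been enough to send.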

See what a threat actor would find inside your network

We run a free vulnerability scan that surfaces gaps like the one above: missing MFA, exposed admin paths, behavioral anomalies the existing tools aren't catching. We've already uncovered hundreds of critical issues for other clients with this scan, most of them at companies that believed they were already protected.

If you handle wires, payroll, vendor payments, or any irreversible money movement, book the free scan. It takes about 30 minutes. We'll show you what's exposed before someone else does.