Business email fraud is on the rise
Business email fraud, also known as Business Email Compromise (BEC), is on the rise across the country. One of the best ways to protect your business is to educate yourself and your employees.
Unlike many other cyber-attacks, these fraudulent emails typically contain no malware or malicious URLs. Instead, they rely on social engineering.
Who Do They Target?
Business email fraud attacks target people – usually your CFO or people in your human resources, finance, or payroll departments. Using a technique called “spoofing”, the attacks trick your people into thinking they’ve received an email from a boss, coworker, vendor, or partner. The impostor requests wire transfers, tax records, and other sensitive data.
These fraudsters succeed because they create emails that are deceptively similar to legitimate messages. They also ask victims to perform tasks that fall under their normal job duties.
Here are a few scenarios of business email fraud:
Scenario 1: Sudden Change of Payment
John Doe has been working with ABC Construction Company on a home renovation project for several months. The two parties have been emailing back and forth on a regular basis, and legitimate check payments have been made from John to ABC Construction Company.
John receives an email stating ABC Construction Company is no longer able to accept check payments and, instead, requests a wire transfer. John takes the email at face value and requests a large wire be sent to the bank and account listed in the email. Luckily, the name on the account at the receiving bank did not match the name on the wire, so the wire was refused and returned.
Upon investigation, it was found that John Doe’s email account had been compromised by a fraudster, who had created mailbox rules to hide and forward emails from ABC Construction Company. On the outside, the email appeared legitimate, which is why many fraudsters are successful. Thankfully, in this case, the financial institution raised a red flag and saved John Doe from becoming a victim.
Takeaway: Always question a sudden change of payment instructions, or a change in patterned communication.
Scenario 2: Missing Verification of Employee Payroll Changes
The human resources department at XYZ Shoe Store received a fraudulent email from an employee requesting to change his payroll direct deposit account. The HR department did not confirm the request through other channels (i.e. a phone call or written documentation) and made the requested change. The employee’s payroll was deposited directly into the fraudster’s account.
Takeaway: Always verify changes to an employee’s payroll via phone call, or through another method other than email, before making any requested changes.
Scenario 3: Overseas Wire Funds
An employee in the accounting department at 123 Shipping Co. received a fraudulent email from their office overseas asking to wire funds to a different financial institution due to a current internal audit. The employee that received the email did not question the email, nor the change in location to wire the funds. The funds were sent as requested.
The employee in the accounting department continued to receive fraudulent emails pressing for the wire with increasing urgency, claiming it had not yet been received. The emails even provided new wiring instructions to send the funds again to another bank.
It was after several “urgent” email inquiries that the employee questioned the validity and made direct contact with their overseas office. At this time, they uncovered the fact that it was not a legitimate request out of that office. An attempt to recall the wire was made, but funds were never recovered.
As you can see from these examples, the scams are usually not elaborate, but they are successful. You are in the best position to stop the fraud and save yourself and your business from a loss.
Fraud Prevention Best Practices:
- Implement strong internal controls focusing on both international and domestic wire and ACH transactions.
- All email requests to transfer funds via wire or ACH should be verified through a secondary email, phone, or text before approving and scheduling with your financial institution.
- Raise suspicions about odd email requests for secrecy or pressure to take action quickly.
- Train your employees to carefully examine the sender addresses and URLs in received emails, paying close attention to addresses that closely resemble a legitimate address but differ slightly, as well as outright spoofed addresses.
- Forward vs reply: Avoid using the “reply” option to respond to business emails. Forward instead, typing in the email address or selecting it from the email.
- Flag requests from vendors, payroll processors, suppliers, and customers involving payments with a sudden change of instructions. Always verify any changes via phone or outside of email to make sure you are still communicating with your legitimate business partner.
- Take action immediately: If you think you’ve become a victim of business email fraud, contact your financial institution immediately.
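The lookalike-address check in the list above can be automated. The following is an added example, not part of the original article or any Alerus system: it compares a sender's domain against a constructed list of trusted partner domains and flags near-matches (character substitutions, dropped letters, or a partner's name embedded in an unrelated domain) for manual verification.

```python
"""Flag sender domains that merely resemble a trusted business partner's domain."""
import re

# Constructed list of domains the business legitimately deals with (assumption).
TRUSTED_DOMAINS = {"abcconstruction.com", "xyzshoestore.com", "123shipping.com"}

# Character substitutions commonly used in lookalike domains (constructed list).
_HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case a domain and fold common lookalike characters to their plain form."""
    d = domain.lower().strip()
    for glyph, plain in _HOMOGLYPHS.items():
        d = d.replace(glyph, plain)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for an email address."""
    m = re.search(r"@([A-Za-z0-9.-]+)$", address.strip())
    if not m:
        return "invalid"
    domain = m.group(1).lower()
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        # Near-identical after folding homoglyphs, or within a few edits of a partner.
        if edit_distance(norm, normalize(t)) <= max_distance:
            return "lookalike"
        # Partner's name reused inside a different domain (e.g. "<partner>-payments.net").
        if t.split(".")[0] in domain:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders; only the first is genuinely from a partner.
    for sender in ["billing@abcconstruction.com", "billing@abcc0nstruction.com",
                   "ap@abcconstruction-payments.net", "someone@example.org"]:
        print(f"{sender:40} -> {classify_sender(sender)}")
```

A "lookalike" result is a prompt to verify by phone, not proof of fraud; a "trusted" result still says nothing about whether the trusted account itself has been compromised, as in Scenario 1.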
In the event that Alerus’ Fraud Monitoring systems flag a transaction as potentially suspicious, clients may receive a call to discuss the transaction further before it is released.