Understanding and preventing cyber fraud
Cyber fraud has become an everyday occurrence in the business world. While the threat is invisible, the outcomes can be extremely damaging. Major cyber-attacks have helped raise awareness about the risks to large companies, but smaller companies are just as, if not more, vulnerable to cyber fraud. Fraudsters know that smaller companies typically have less robust protections in place, making them easy targets to obtain financial information, customer data, and ransoms. In fact, Verizon’s 2021 Data Breach Investigations Report found that businesses with 1,000 or fewer employees were attacked more frequently than large companies.
Just as companies protect themselves against physical theft, it is critical that they also take measures to protect against cyber fraud. Educating employees is a key line of defense. It’s important they are aware of common types of cyber fraud, how attacks are carried out, and what they can do to help prevent incidents.
Corporate account takeover
In a corporate account takeover, fraudsters gain control of the business's bank account and can initiate fraudulent wire and ACH transactions to accounts they also control.
Account access is gained by stealing employee passwords or other valid credentials through phishing attacks or social engineering techniques used to install malware (viruses or other unwanted software) on the victim’s device. Once installed, malware can be used to monitor activity on the device, obtain banking information, and use that information to transfer funds from the victim’s account.
To protect against these types of attacks, do not click links in unfamiliar emails or social posts and never provide online banking credentials or passwords via email.
Business email compromise
This is a sophisticated scam commonly used to target businesses working with foreign suppliers or that regularly perform wire transfer payments. It is also increasingly being used to carry out payroll fraud.
In this method, fraudsters hack or mimic a company email account and submit fake transfer requests to vendors. They may also hack a company executive’s email and send the request from their legitimate email account, often after they’ve monitored the person’s activity and know that the “sender” is in a meeting or unavailable to respond immediately.
These requests may initially appear to be valid, but there are often slight discrepancies that indicate something is not quite right. Red flags to look for include an invoice or company logo that looks slightly different than usual, incorrect spelling or grammar, a slightly different email address, changes to the beneficiary’s bank or name, a change request with no explanation, or a request to transfer funds quickly.
Fraudsters are increasingly sophisticated in their attacks, so individuals responsible for wire transfers must be diligent in carefully reviewing requests and confirming changes before approving transfers. Additional basic prevention steps to take include using a dedicated computer to conduct financial transactions, maintaining a robust cyber security plan, and making sure employees know how and to whom they should report suspicious activity. Cyber security and ransomware insurance policies may provide an additional layer of protection in the event of an incident.
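The red flags listed above (a slightly different sender address, a changed beneficiary account or name, a change with no explanation, pressure to pay quickly) can be turned into an automated first-pass screen for the accounts-payable mailbox, so that a human reviewer sees every flagged request before anything is approved. The following is an added example written for this article; it is not code from the article's author or from any bank. The vendor master record, the two sample messages and the urgency word list are constructed for illustration, and the comparison of the sender's domain against known vendor domains uses a simple similarity ratio rather than a production homoglyph detector.

```python
import difflib
import re

# Constructed vendor master record (hypothetical domain, name and account).
# In practice this comes from the ERP/AP system, never from the email itself.
KNOWN_VENDORS = {
    "acme-supplies.com": {
        "beneficiary_name": "Acme Supplies Ltd",
        "account": "GB00ACME00000001",
    },
}

# Words that signal a request to transfer funds quickly (constructed list).
URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "right away")

# Words that would indicate the sender at least offered a reason for a change.
EXPLANATION_RE = re.compile(r"\b(because|due to|reason)\b", re.IGNORECASE)


def lookalike_domain(sender_domain, known_domains, cutoff=0.8):
    """Return the known vendor domain that sender_domain most resembles
    without being identical to it, or None if nothing is close enough.
    A near miss such as 'acme-supp1ies.com' is the classic BEC pattern."""
    sender_domain = sender_domain.lower()
    if sender_domain in known_domains:
        return None
    matches = difflib.get_close_matches(sender_domain, list(known_domains), n=1, cutoff=cutoff)
    return matches[0] if matches else None


def review_request(msg):
    """Screen one payment or bank-detail-change request against the article's red flags.

    msg is a dict with keys: from, claimed_vendor, beneficiary_name, account, body.
    Returns a list of human-readable flags; an empty list means no red flag was found
    (which is not proof the request is genuine; out-of-band confirmation still applies)."""
    flags = []

    # 1. Slightly different email address: compare the sender's domain to the vendor file.
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain not in KNOWN_VENDORS:
        near = lookalike_domain(sender_domain, KNOWN_VENDORS)
        if near:
            flags.append(f"sender domain {sender_domain} resembles known vendor domain {near}")
        else:
            flags.append(f"sender domain {sender_domain} is not on the vendor file")

    # 2. Changes to the beneficiary's bank or name, checked against the master record.
    vendor = KNOWN_VENDORS.get(msg["claimed_vendor"].lower())
    account_changed = False
    if vendor is not None:
        if msg["account"] != vendor["account"]:
            account_changed = True
            flags.append("beneficiary account differs from the vendor master record")
        if msg["beneficiary_name"].strip().lower() != vendor["beneficiary_name"].lower():
            flags.append("beneficiary name differs from the vendor master record")

    # 3. A change request with no explanation.
    body = msg["body"]
    if account_changed and not EXPLANATION_RE.search(body):
        flags.append("bank details changed with no explanation given")

    # 4. A request to transfer funds quickly.
    lowered = body.lower()
    if any(word in lowered for word in URGENCY_WORDS):
        flags.append("request presses for a quick transfer")

    return flags


# Constructed sample messages: one routine invoice, one impersonation attempt.
SAMPLE_LEGIT = {
    "from": "ap@acme-supplies.com",
    "claimed_vendor": "acme-supplies.com",
    "beneficiary_name": "Acme Supplies Ltd",
    "account": "GB00ACME00000001",
    "body": "Please find attached invoice 1042 for August.",
}

SAMPLE_SUSPECT = {
    "from": "ap@acme-supp1ies.com",          # 'l' replaced with '1'
    "claimed_vendor": "acme-supplies.com",
    "beneficiary_name": "Acme Supplies Ltd",
    "account": "GB00XXXX00000009",            # new account, no reason given
    "body": "Our bank details have changed. Please update and pay today.",
}

if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("suspect", SAMPLE_SUSPECT)):
        result = review_request(sample)
        print(label, "->", result or "no red flags")
```

Anything that returns one or more flags should be routed to the person responsible for wire transfers and confirmed with the vendor by a phone number already on file, never one taken from the suspicious email. The screen is deliberately conservative: it only compares against data the company already holds, so it cannot be tricked by a convincing-looking invoice on its own.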
Banks can provide business accounts with additional protections, such as multi-factor authentication, transaction authentication, and dual control processing to require more than one sign-off for transactions such as payroll payments. Financial institutions also use tools to monitor IP addresses, conduct behavioral analytics, and run intrusion detection software to keep further watch on account activity. It may seem counter-intuitive, but mobile banking can provide even more protective measures, such as sending alerts that require payment confirmation before a transfer request is completed.
If an incident occurs
If you discover you have been the victim of cyber fraud, contact your bank immediately and do not make further payments to the vendor/beneficiary until the issue has been resolved. Retain all records of contact with the fraudster. If the contact was via email, report it to the FBI’s Internet Crime Complaint Center. Finally, contact your insurance provider if you have a cyber security or ransomware policy.