Many small and medium sized businesses are experiencing an increase in "phishing" emails that request a wire transfer or ACH payment. Criminals are emailing seemingly legitimate requests that appear to be from senior executives in the business. They often request things such as:
- Routing and Account Information needed for an ACH payment
- Immediate wire transfer of funds from your company’s account
- Payment of a fraudulent invoice
These email scams are sophisticated and increasingly complex. The criminal hackers use the executive’s actual email address in the "From:" area of the email. In many cases, invoices appear to be from actual vendors of the company. These attempts at social engineering often have well written instructions, a false reason for urgency, and will appeal to an employee's desire to be helpful to his or her boss.
TIPS TO AVOID BEING SCAMMED:
1. Use Multi-Factor Authentication
Many major banking institutions implement multi-factor authentication today. You may be familiar with this if your bank has been showing you a picture next to your username that other servers wouldn't know to present to you, or if you have tried to login to your account from a new computer or mobile device and been asked to type in a security code from a text message. The first factor is that you must know the correct username and password, the next is that you must come from an approved web browser that has been used before, and if not, the text is the additional factor to make sure the access is being granted by you and only you. Even if your systems don't allow for the technical version of multi-factor authentication, your team can create your own version of multi-factor authentication by always texting a confirmation of the details of a wire transfer to the executive that authorizes those transfers.
For Example: Betty receives an email request for ACH transfer that looks like it came right from her boss, Bob. Before Betty jumps through the process of authorizing the ACH transfer, she should text Bob something to the effect of "Hey Bob, I received your request for wire transfer of $2,500 to ABC Company. Just confirming that you are ok with me executing this transfer today. Let me know." If Bob isn't the real sender, you can bet he will tell Betty to pump the breaks on that wire transfer!
2. Detect Social Engineering Tricks
Criminals most often try to trick unsuspecting victims by appealing to their desire to be helpful. In addition to that, hackers may create a false sense of urgency to get you to act fast without having time to confirm the details of their story with your colleagues.
For example: Betty receives an email at 4:45 PM and in the second line it states, "I'm really sorry this is so last minute, but I need this wire transfer to be done by End of Day. This is very important!" Be suspicious of anyone on the phone or any email that is trying to get you to hurry or take short cuts on your normal process, they may have alternative motives.
3. Set a Policy to Talk to an Executive For Requests Over a Certain $ AmountThis one is simple. Remind all employees regularly that any payment over a pre-determined amount requires a Purchase Order or Authorization by an Officer of the Company. Put this in your employee handbooks, and repeat it at company wide meetings or in company wide emails.
4. Remember Your Colleagues Unique Email Signature and Grammatical TendenciesWhile many of the email scams look just like the real sender, they don't always pick up on your colleagues special way of signing off their emails, or grammatical tendencies you know your work mate to possess. For example: If Bob always signs his emails "-BTB" and this email comes in as "Sincerely, Bob Brown," then Betty has good reason to be suspicious or ignore that email.
With the sophistication of cyber security attacks increasing, its getting more difficult to detect scams with basic information technology security tools. The best defense for cyber security attacks is a well educated and always alert staff that talks often about security awareness.