Business Email Fraud Is On The Rise
JUL 24, 2019
Business email fraud, also known as Business Email Compromise (BEC), is on the rise across the country. One of the best ways to protect your business is to educate yourself and your employees.
Unlike other cyber-attacks, these fraudulent emails don’t contain malware or malicious URLs. Instead, they rely on social engineering.
Who Do They Target?
Business email fraud attacks target people – usually your CFO or people in your human resources, finance, or payroll departments. Using a technique called “spoofing”, the attacks trick your people into thinking they’ve received an email from a boss, coworker, vendor, or partner. The imposter requests wire transfers, tax records, and other sensitive data.
These fraudsters succeed because they create emails that are deceptively similar to legitimate messages. They also ask victims to perform tasks that fall under their normal job duties.
Here are a few scenarios of business email fraud:
Scenario 1: Sudden Change of Payment
John Doe has been working with ABC Construction Company on a home renovation project for several months. The two parties have been emailing back and forth on a regular basis, and legitimate check payments have been made from John to ABC Construction Company.
John receives an email stating ABC Construction Company is no longer able to accept check payments and, instead, requests a wire transfer. John takes the email at face value and requests a large wire be sent to the bank and account listed in the email. Luckily, the name on the account at the receiving bank did not match the name on the wire, so the wire was refused and returned.
Upon investigation, it was found that John Doe’s email had been compromised by a fraudster who had written special rules within the email account to hide and forward emails from ABC Construction Company. On the outside, the email appeared to be legitimate, which is why many fraudsters are successful. Thankfully, in this case, the financial institution raised a red flag and saved John Doe from becoming a victim.
Takeaway: Always question a sudden change of payment instructions, or a change in patterned communication.
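The investigation in Scenario 1 found mailbox rules that hid and forwarded the vendor's emails. As an added example (not part of the original article), the Python script below reviews an exported list of mailbox rules for that pattern; the rule fields, folder names, domains and heuristics are constructed assumptions and do not correspond to a specific mail product's API.

```python
# Constructed sample: mailbox rules exported to plain dictionaries.
# Field names are assumptions for this example, not a real mail API.
SAMPLE_RULES = [
    {"name": "Newsletters", "from_contains": ["news@example.org"],
     "move_to": "Reading", "forward_to": [], "delete": False, "mark_read": False},
    {"name": ".", "from_contains": ["abcconstruction.example"],
     "move_to": "RSS Feeds", "forward_to": ["drop@mailbox.example.net"],
     "delete": False, "mark_read": True},
    {"name": "cleanup", "from_contains": ["abcconstruction.example"],
     "move_to": None, "forward_to": [], "delete": True, "mark_read": False},
]

OWN_DOMAINS = {"johndoe.example"}  # domains the mailbox owner controls (assumed)
# Folders people seldom open (assumed list; adjust to your mail client).
RARELY_READ = {"rss feeds", "junk email", "archive", "deleted items"}


def external(addresses, own_domains=OWN_DOMAINS):
    """Return the addresses whose domain is not one of ours."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() not in own_domains]


def audit_rule(rule):
    """Return a list of reasons this rule deserves a human look."""
    reasons = []
    fwd = external(rule.get("forward_to") or [])
    if fwd:
        reasons.append("forwards to external address: " + ", ".join(fwd))
    hides = bool(rule.get("delete")
                 or (rule.get("move_to") or "").lower() in RARELY_READ)
    if hides and rule.get("from_contains"):
        reasons.append("hides mail from: " + ", ".join(rule["from_contains"]))
    if hides and rule.get("mark_read"):
        reasons.append("marks hidden mail as read")
    if not rule.get("name", "").strip(". "):
        reasons.append("blank or punctuation-only rule name")
    return reasons


def audit_mailbox(rules):
    """Map rule name -> reasons, for rules with at least one finding."""
    return {r["name"]: found for r in rules if (found := audit_rule(r))}


if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES).items():
        print(f"[!] rule {name!r}")
        for reason in reasons:
            print("    -", reason)
```

A flagged rule is a prompt to ask the mailbox owner whether they created it, not proof of compromise.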
Scenario 2: Missing Verification of Employee Payroll Changes
The human resources department at XYZ Shoe Store received a fraudulent email that appeared to come from an employee requesting to change his payroll direct deposit account. The HR department did not confirm the request through other channels (such as a phone call or written documentation) and made the requested change. The employee’s payroll was deposited directly into the fraudster’s account.
Takeaway: Always verify changes to an employee’s payroll by phone call or another method other than email before making any requested changes.
Scenario 3:
An employee in the accounting department at 123 Shipping Co. received a fraudulent email that appeared to come from their office overseas, asking to wire funds to a different financial institution due to a current internal audit. The employee who received the email did not question it or the change in where to wire the funds. The funds were sent as requested.
The employee in the accounting department continued to receive fraudulent emails pushing the urgency to receive the wire, claiming they had not received it yet. They even provided new wiring instructions to send it again to another bank location.
Only after several "urgent" email inquiries did the employee question their validity and make direct contact with the overseas office. At that point, they discovered that the request had not legitimately come from that office. An attempt to recall the wire was made, but funds were never recovered.
As you can see from these examples, the scams are not usually that elaborate, but they are successful. You are in the best position to stop the fraud and save yourself and your business from a loss.
Fraud Prevention Best Practices: