We have seen a large increase lately in fraud attempts to get businesses to send money via wire and ACH, and want to remind you of the controls and diligence you should be using to protect your business. Once a business acts on fraudulent instructions and sends money, it is often difficult or impossible to get it back, resulting in significant losses. Please read the following carefully, make sure your team is aware of this type of activity, and confirm you have the proper controls in place. Some examples of recent activity include:
Scenario # 1:
The CEO of ACME R US is out of town on a family vacation. The controller receives an email, apparently from the CEO, asking if they are available to help with an urgent matter. Of course the controller responds quickly, asking how they can help. The "CEO" explains that a vendor never received payment and is refusing to ship the parts they ordered unless the company wires money today (wire instructions attached). "Please send $57,735.32 immediately and provide me confirmation as soon as it is sent so I can inform our vendor," the email says. Without question, the controller does exactly what was requested.
The next day, the real CEO calls the office simply to check in. During the conversation, the controller asks whether the wire arrived in time and whether the parts shipped. Perplexed, the CEO asks, "What wire, and to whom?" Shortly after this call, the bank gets a call. The fraudsters had simply sent an email from outside the organization to the controller, made to look as if it was an internal email from the CEO.
Scenario # 2:
The controller of ACME R US received an email from one of their suppliers. The email stated that the supplier was changing banks and asked that the accounts payable record be updated to the account and routing number of the new bank, effective immediately. This seemed fairly routine, so the controller made the change. A month later, ACME R US received a phone call about not paying their last invoice, totaling $107,861.35. Through conversation with the supplier, it was discovered that the supplier's email account had been compromised, and the fraudster had been sending fraudulent instructions directly from that account to customers like ACME R US.
What do these two scenarios have in common? Both were orchestrated via email. In both cases, an email was all that was needed to trigger action. Both conveyed a sense of urgency or a need for immediate action. In both cases the business lost tens of thousands of dollars.
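As an added illustration that is not part of this bulletin, the Python script below runs simple header and wording checks over two constructed messages modelled on the scenarios above. The company domain (acmerus.example), the names, addresses and message text are all made up for the example. The point it shows is why a technical check on the email is not enough on its own: the scenario 1 message is caught because a known internal name arrives from an outside domain, but the scenario 2 message comes from the supplier's real, compromised mailbox and passes every header check. Only the payment-change wording flags it, and that flag should route the request to a phone call using contact details already on file.

```python
"""Header and wording checks for payment-instruction emails.

Added example, not part of the bank's bulletin. The domain, the known
senders and the two sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "acmerus.example"  # assumed company domain (constructed)

# Display name (lower-case) -> the address that person is known to send from.
KNOWN_SENDERS = {
    "jane doe": "jane.doe@acmerus.example",        # CEO, internal (constructed)
    "widget supply ap": "ap@widgetsupply.example",  # supplier AP desk (constructed)
}

# Wording that marks a message as a payment instruction or a pressure tactic.
PAYMENT_PATTERNS = {
    "wire": r"\bwire\b",
    "ach": r"\bach\b",
    "routing number": r"routing number",
    "account number": r"account number",
    "new bank account": r"new (bank )?account",
    "urgency": r"\b(immediately|urgent|today)\b",
}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg: Message) -> str:
    """Collect the text/plain parts of a message as one string."""
    parts = [msg] if not msg.is_multipart() else [
        p for p in msg.walk() if p.get_content_type() == "text/plain"
    ]
    out = []
    for p in parts:
        payload = p.get_payload(decode=True) or b""
        out.append(payload.decode(p.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def check_message(raw: str) -> dict:
    """Return header findings, payment wording hits and a verification flag."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []

    # 1. A known name arriving from an address that person does not use.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' but address {addr} (expected {expected})")

    # 2. Looks internal by name, but the sending domain is external (scenario 1).
    if expected and domain_of(expected) == INTERNAL_DOMAIN and domain_of(addr) != INTERNAL_DOMAIN:
        findings.append(f"internal name sent from external domain {domain_of(addr)}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 4. Payment-instruction or urgency wording. This is the check that still
    #    fires when the headers are genuine (scenario 2, compromised mailbox).
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hits = [label for label, pat in PAYMENT_PATTERNS.items() if re.search(pat, text)]

    return {
        "from": addr,
        "header_findings": findings,
        "payment_terms": hits,
        # Any payment instruction or change is verified by phone, using contact
        # details already on file, regardless of how clean the headers look.
        "verify_out_of_band": bool(hits),
    }


# Constructed sample messages modelled on the two scenarios.
SCENARIO_1 = """From: "Jane Doe" <jane.doe@acmerus-mail.example>
To: controller@acmerus.example
Subject: Urgent - vendor payment
Content-Type: text/plain; charset="utf-8"

Our vendor never received payment and will not ship unless we wire today.
Please send $57,735.32 immediately (wire instructions attached) and confirm.
"""

SCENARIO_2 = """From: "Widget Supply AP" <ap@widgetsupply.example>
To: controller@acmerus.example
Subject: Updated remittance details
Content-Type: text/plain; charset="utf-8"

We are changing banks. Please update our accounts payable record to the
new account number and routing number below effective immediately.
"""

if __name__ == "__main__":
    for label, raw in (("Scenario 1", SCENARIO_1), ("Scenario 2", SCENARIO_2)):
        print(label, check_message(raw))
```

Scenario 1 produces two header findings (known name, wrong address; internal name from an external domain) plus wire and urgency wording. Scenario 2 produces no header findings at all, because the mail really did come from the supplier's account, yet it still lands in the verify-by-phone bucket because it asks for a new account and routing number. That second result is the reason control 1 below insists on a validation step outside of email.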
Take action and consider implementing these controls:
1. DO NOT automatically trust or act solely on an email asking you to change payment instructions, whether it comes from vendors, business partners, or internal management, even if it looks legitimate. Review your procedures to ensure they include a validation step outside of email that uses contact information you already have on file (not a phone number supplied in the email itself), such as a verification phone call. For internal management requests, you may want to require an actual signature as an added security measure. Think about everything you do simply on the strength of an email. What risk are you taking if the email is not legitimate?
2. Utilize Dual Control options for authorizing ACH and wire payments within online banking, and make sure the staff who review those payments are trained to look for potential fraud or unusual activity. A second set of trained eyes is an effective, if not foolproof, safeguard against fraud.
3. Utilize Multi-Factor Authentication. If you access your office remotely, or use Office 365, Outlook Web Access, or other cloud-based email, ensure you use multi-factor authentication. If your credentials are compromised, fraudsters can access your email account from anywhere. They monitor who you correspond with and learn how you do business. Then they plan their attack and start communicating as you, deleting the sent and received messages to hide their tracks. Please use multi-factor authentication whenever possible. It can be as easy as receiving a 6-digit temporary access code that you key in each time you log in with your username and password; where your provider offers it, an authenticator app or hardware security key is a stronger option than a code sent by text message.
4. Train Your Staff about the risks of automatically trusting email as legitimate. Phishing emails can compromise your systems with malware or ransomware. Spear phishing emails target specific staff to get them to take an action, and usually end in money lost.
5. Contact The Bank Immediately if you believe you are a victim of fraud or have sent funds based on fraudulent instructions. We can best assist you if you call us first (1-800-453-8700, option 2). Where recovery is possible at all, it depends on how quickly a recall is requested.
6. Secure Your Environment by ensuring your computer systems and network are routinely patched to close known vulnerabilities, and seek outside review or support regularly to make sure your internal controls are up to industry standards and able to resist intrusion or account takeover attempts.
If you have questions or concerns please contact us at (1-800-453-8700 option 2).