How one simple administrative control could save you thousands from fake email scams
Your finance team is under attack. And if they are not prepared, your business could fall victim to the $12 billion email scam. That’s how much the FBI estimates has been stolen from U.S. companies in the past five years as a result of phishing attacks and business email compromise (BEC).
BEC is a tactic used by cybercriminals to steal the credentials of executives and C-suite personnel within a company. The scammers then use this stolen information to impersonate the executive and trick other people – usually members of your finance team – into handing over banking information or login credentials, or into making wire transfers.
If you think it’s only gullible or naïve people falling for fake emails, think again. A whopping 85% of all organizations have been hit by phishing attacks.
This is a testament to how crafty scam artists have become over the past few years. Today’s cybercriminals are savvy. Misspellings and grammatical errors in bogus emails are things of the past, which makes spotting a phishing attack next to impossible. That is why you must have measures in place to prevent a costly breach.
How It Works
Hackers use social engineering to profile your company. Social engineering exploits human psychology, rather than technical hacking techniques, to gain access to your network. Cybercriminals use public information such as your website and social networks like LinkedIn and Facebook to learn all sorts of things about your organizational chart, including who works in your accounting department. If they gain access to your network, they can also uncover your key vendors and even your workflows. Once they have the lay of the land, they use a spoofed email address, or even a hijacked legitimate mailbox, to send legitimate-looking emails aimed at tricking unsuspecting employees.
An email could appear to come from your CEO, CFO or owner requesting a money transfer to another account. Or it could appear to be from a vendor asking your accounts payable team to update the vendor’s method to receive funds.
If the requests seem reasonable, most people wouldn’t hesitate to comply. AND THAT IS WHEN YOU BECOME A VICTIM OF THE $12 BILLION EMAIL SCAM.
Here’s the kicker – if you or someone within your organization “gives” a criminal money, even willingly, cyber insurance will not cover your loss unless you have specific coverage for phishing or social engineering. That money is gone for good.
What to Do
If your company does not have proper administrative controls or processes in place to validate funding requests, you are setting yourself up for financial loss. Blindly transferring money or changing bank account remittance information is a sure indication of nonexistent administrative controls.
VERIFICATION is the one simple administrative control that companies can use to protect themselves and their bank accounts from email phishing scams. By verification, we specifically mean a phone call – not a text or email – to verify the request’s validity. If a request appears to come from within your organization, a phone call to the person making the request should be required. If the request is from an outside source, such as a vendor, do not reply to the email or call a number listed in the email. Instead, call the number you have on file to check the authenticity of the request.
To further ensure you do not hand money over to bad actors, you should incorporate a two-step process of verification.
Here is a simple checklist to determine if your administrative banking controls will effectively thwart attempts to drain your bank accounts.
- Do you require a two-step VERIFICATION for wire transfers? Does your team systematically require every wire transfer to be verified by a manager and a designated approver?
- Do you require a two-step VERIFICATION of changes to remittance account numbers – beyond the email request itself? For example, do you require that your team calls the vendor at the number on file and also satisfies a second control such as a specific form, process or manager approval?
- Do you require a two-step VERIFICATION of bank transfers? Does your team have a proven process requiring manager verification of every bank transfer?
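As an added illustration that is not part of the article, the verification control described above can be written down as a small approval gate so that nobody has to remember the rules under pressure. The Python below is example code written for this page, not a tool the article recommends; the vendor directory, employee names and phone numbers are constructed samples. A request passes only when a phone callback went to the number already on file (never to a number supplied in the message) and a manager other than the person processing the request approved it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of "contact on file". In practice this comes from the
# vendor master record maintained by your finance team, never from the email
# that is asking for money or for a change of bank details.
VENDOR_PHONE_ON_FILE = {
    "Acme Supplies": "+1-555-0100",
    "Northwind Logistics": "+1-555-0150",
}

ALLOWED_KINDS = ("wire_transfer", "remittance_change")


@dataclass(frozen=True)
class Request:
    request_id: str
    kind: str                                # one of ALLOWED_KINDS
    counterparty: str                        # vendor (or internal requester) name
    amount: float
    number_in_message: Optional[str] = None  # phone number the email itself offered


@dataclass(frozen=True)
class Verification:
    method: str                    # "phone", "email" or "text"
    number_dialed: Optional[str]   # only meaningful for "phone"
    performed_by: str


@dataclass(frozen=True)
class Approval:
    approver: str
    is_manager: bool


def evaluate_request(req: Request, verifications: List[Verification],
                     approvals: List[Approval], processed_by: str) -> Tuple[bool, List[str]]:
    """Return (approved, problems). Empty problems means both steps are satisfied."""
    problems: List[str] = []
    on_file = VENDOR_PHONE_ON_FILE.get(req.counterparty)

    if req.kind not in ALLOWED_KINDS:
        problems.append(f"unsupported request kind {req.kind!r}")
    if on_file is None:
        problems.append(f"no contact on file for {req.counterparty!r}; cannot verify out of band")

    # Step 1: a phone call, placed to the number on file. Email and text
    # replies are ignored here because they can be answered by the attacker.
    phone_ok = False
    for v in verifications:
        if v.method != "phone":
            continue
        if on_file is not None and v.number_dialed == on_file:
            phone_ok = True
        elif req.number_in_message and v.number_dialed == req.number_in_message:
            problems.append("callback went to the number supplied in the request, not the number on file")
        else:
            problems.append(f"callback to {v.number_dialed} does not match the number on file")
    if not phone_ok:
        problems.append("no phone verification against the number on file")

    # Step 2: a manager who did not process the request must approve it.
    if not any(a.is_manager and a.approver != processed_by for a in approvals):
        problems.append("no independent manager approval")

    return (not problems, problems)


# Constructed sample: a vendor "updating" its bank details and helpfully
# offering a new phone number in the same email.
SAMPLE_REQUEST = Request("R-1001", "remittance_change", "Acme Supplies",
                         48200.0, number_in_message="+1-555-0199")

if __name__ == "__main__":
    good = evaluate_request(SAMPLE_REQUEST,
                            [Verification("phone", "+1-555-0100", "alice")],
                            [Approval("bob", True)], processed_by="alice")
    lured = evaluate_request(SAMPLE_REQUEST,
                             [Verification("phone", "+1-555-0199", "alice")],
                             [Approval("bob", True)], processed_by="alice")
    print("called number on file:", good)
    print("called number from email:", lured)
```

The gate reports every failed condition rather than stopping at the first one, so the rejection reason doubles as the training message for the person who processed the request.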
Here are some things you need to do immediately:
- Review your company’s administrative controls
- Train your finance team members on these processes and review them regularly – they need to understand that they are targets for cybercriminals and should question any request to change banking information.
- Offer end-user security-awareness training and simulated phishing tests for all staff members.
- Review your phishing coverages with your insurance provider. If you need a firm that specializes in cyber insurance coverage, we are happy to make a referral for you.