When was the last time you received an email from a friend stuck in a foreign jail or a "business opportunity" to make millions from Nigeria? I doubt you took any of them seriously upon a moments reflection. What about an urgent email from your CEO asking you to wire money to an account? Would you dismiss that as quickly? The latest "masquerading" email fraud does exactly that. It is a growth industry:
From an article in CFO.com:
It’s a twist on a fraud attempt that became common in 2012, in which criminals hacked into companies’ email or financial systems for purposes of altering communications between corporate executives and financial institutions. Now the bad guys have upped the ante by issuing fraudulent communications within companies.
In the scheme, a hacker poses as a senior executive, often the CFO, controller or CEO, and issues a communication directing a lower-level employee to urgently execute a financial transaction, like a confidential business investment or a payment to a vendor. Money is then wired or transmitted through the Automated Clearing House to a bogus account.
The Internet Crime Complaint Center (IC3) has issued a series of increasingly urgent warnings regarding the fraud. Its most recent scam-alert bulletin, issued on June 27, reported a new wrinkle in which a finance executive receives an email via a company business account that’s purportedly from a vendor requesting a wire transfer to a designated bank account. The emails are spoofed by adding, removing or subtly changing characters in the e-mail address that make it difficult to distinguish the perpetrator’s email address from the legitimate address.
“The scheme is usually not detected until the company’s internal fraud detections alert victims to the request or company executives talk to each other to verify the transfer was made,” the IC3 bulletin says. The average loss per victim is $55,000, but in some cases losses have exceeded $800,000, according to IC3.
Moreover, without an internal breach of your computer system, insurance coverage for such a fraud is unlikely. What can you do to prevent this sort of masquerade? From CFO.com:
1. Confirm that the request to initiate the wire is from an authorized source within the company.
2. Double- and triple-check email addresses. A common masquerading trick is to modify an email address slightly so an employee doesn’t notice that the message is from a fraudulent domain. By replacing the “w” in Bank of the West’s name with a double “v,” for example, a masquerader could send emails from Bankofthevvest.com.
3. Establish a multi-person approval process for transactions above a certain dollar threshold.
4. Slow down. Speed is the fraudster’s ally and your enemy. Fraudsters gain an advantage by pressuring employees to take action quickly without confirmation of all the facts. Be on high alert for possible fraud anytime wire-transfer instructions include tight deadlines.
5. Be suspicious of confidentiality. Whenever wire-transfer instructions specify to keep the transaction secret, you should verify the legitimacy of the source of the request. Speak to the executive or manager requesting the transaction by phone or in person. If you still have doubts, speak to another senior executive.
6. Many companies require a valid purchase-order number and approval from a manager and the finance department to spend money. Similarly, your business can require that all wire transfers over a certain dollar threshold be matched to a reference number to ensure they are linked to a previously approved purchase or service.