Best Practices for Information Security Protection
Business Email Compromise Is A Major Threat – The Latest Alerts & Tips
Did you know more than 400 businesses receive fraudulent emails every day? Even if you have controls in place, you could unknowingly be involved in a scheme to divert funds from your account. Your own email account may not be compromised; however, the account of someone you regularly correspond with could be hijacked, and the cyber-criminal may be monitoring that mailbox's traffic. Review our alerts and tips below to protect yourself from becoming the victim of an email scam.
What to Look Out For:
The following requests are among the most common signs of email scams. Fraudsters often cloak them with a false sense of urgency or a need for confidentiality, for example: “The boss has requested that this email not be shared with anyone else.” Other common examples of such requests:
- Requesting a change in your company profile within an internal system
- Seeking to add a new contact representing the company
- Seeking to update payment instructions
- Seeking to request new payment for a business transaction
- Requesting a sudden change in business practice
Top Email Fraud Schemes
Fraudulent message appears to be coming from senior executives within the company.
Supplier Email Scam
The email appears to come from a supplier whose email address is being spoofed. It may even come from the vendor’s real address, but the payment instructions in it have been altered.
Attorney Email Scam
Business acquisition email appears to be sent from an attorney.
Non-Financial Data Phishing Scheme
Instructions to send personal information other than payments.
If you receive a suspicious email, be mindful of the following:
- Messages from unknown senders should always be treated with extra scrutiny.
- The temptation to respond to an unknown sender is not worth it.
- Avoid clicking on links or opening attachments from unknown senders.
- Doing so can hand the fraudster a wealth of additional information about you and your systems.
- Always hover your cursor over links in emails before clicking. If the destination shown does not match the website named in the link text, the email may contain a malicious link.
- Consider adding a mail server appliance or filter that flags email from outside your organization and gives you notice of all external communication.
- Have your IT department tag all external email accordingly. Flagging suspicious email helps identify spoofed messages.
- Do not “reply” to suspicious emails. You may inadvertently be communicating with the fraudster instead of the intended party.
- Always verify any new or changed payment instructions by means other than email.
- The importance of dual or triple verification cannot be overemphasized. Use the phone to call a known person at a known number rather than any contact information suggested in the email.
- For ACH or Wire transfers, American National Bank/Western Bank recommends you have two people (dual control) from your organization involved in every transaction.
- Never send account information via email, not even to the bank.
- Mail it, encrypt it, or call a known and reliable number to speak with a known voice.
- Know your banker. We may call to verify a transaction. Knowing your banker will help in the authorization.
- Become familiar with your banker’s voice and learn something about the person that would be difficult to impersonate.
Validate Using Other Communication Channels:
- Pick up the phone and call the sender using the known company directory or known vendor information.
- Note that in many cases a fraudulent email will supply new contact information; do not rely on it for verification.
Develop Confirmation Procedures For Non-Standard Requests:
- Create confirmation procedures for new or changed payment instructions
- Define the approval process for implementing a new account number
- When possible, ask your vendors to acknowledge the payments