Fraud Prevention - Beware of Email Spoofing and Wire Fraud
As your financial partner, we are vigilant in our efforts to protect you from becoming a victim of fraud. Email spoofing is the creation of an email message using a forged sender address. These are often sophisticated, authentic-looking messages that are very good at tricking the receiver into taking action that releases confidential financial information. Knowing what to look for can help safeguard your business from losses due to forged emails attempting to initiate fraudulent wire or payment requests.
Signs of a Scam:
Scam messages often convey a sense of urgency or ask for inappropriate confidentiality around requests such as:
- Any update of payment instructions
- Any change of a company profile within an internal system
- Any addition of a new contact representing a company
- Any request for a new payment for a business transaction
- Any request for a sudden change in business practice
CEO email or Spear-phishing
Fraudulent emails that appear to come from senior executives, aimed at wire fraud and primarily targeted at an HR or Finance department, prompt victims to reveal confidential information or make wire transfers via email instruction. This is also known as Spear-phishing.
Message from a Vendor
The email address appears to be from a trusted vendor aiming to collect confidential information or change payment instructions.
What to look for:
- A slight variation in an extension or a misspelling from the typical email address. For example, the trusted address you expect to see is email@example.com. A spoofed email may come across like one of these: firstname.lastname@example.org, jon.doe@trusted partner.com or email@example.com
- To collect confidential information, a spoofed email may direct the receiver to provide the information through a link that the scammer controls.
- The email tells you the company has changed banks and you are asked to update payment instructions. Cyber criminals closely watch email activity and can see details about invoices, amounts, dates and other information. Once funds are sent, recovering them is almost impossible.
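The address checks described above can be partly automated for mail that claims to come from a known vendor. The following is an added example, not code from the bank or any product it uses; the trusted domain list, the function names and the sample addresses are assumptions constructed for illustration.

```python
# Added example: flag sender addresses that are near-misses of known vendor domains.
# TRUSTED_DOMAINS is a constructed placeholder; fill it from your own vendor records.

TRUSTED_DOMAINS = {"trustedpartner.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'suspicious: <reason>' or 'unknown' for a From address."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain:
        return "suspicious: malformed address"
    if domain in trusted:
        return "trusted"
    # A space inside the domain is never valid, e.g. "trusted partner.com".
    if any(ch.isspace() for ch in domain):
        return "suspicious: whitespace in domain"
    name, _, ext = domain.rpartition(".")
    for good in trusted:
        good_name, _, good_ext = good.rpartition(".")
        # Same name, different extension (.org instead of .com).
        if name == good_name and ext != good_ext:
            return f"suspicious: extension differs from {good}"
        # One or two characters off the trusted domain: likely misspelling.
        if edit_distance(domain, good) <= 2:
            return f"suspicious: misspelling of {good}"
    return "unknown"
```

A result of "trusted" or "unknown" only describes the address text; a forged sender address can still match exactly, so new or changed payment instructions are still verified by phone.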
Attorney email Scam
This email can be in the form of a business acquisition, major business transaction or other legal request sent from an attorney to a senior executive asking for complete confidentiality for a time-sensitive matter. Example: a message that may seem threatening, such as a subpoena requesting information, that looks legitimate but is designed to get you to provide confidential information.
Non-Financial Data Phishing Scheme
A request for personal information such as social security numbers, phone numbers, and addresses to complete a bigger picture of social engineering information for future malicious activity.
Who is Targeted?
Cybercriminals target employees with specific job functions who have roles in authorizing or executing accounts payable operations, such as corporate executives, human resources, or corporate finance employees.
None of these precautions are new, but bankers are frequently seeing every single one of these attempts being made. We recommend developing a safe culture for your organization with these multilayered protections.
If you receive a suspicious email, be mindful of the following:
- Always verify any new or changed payment instructions by means other than email. We recommend a call.
- Never send account information via email. Not even to the bank.
- Use dual control for all transaction initiation. For ACH or Wire transfers, American National Bank/Western Bank recommends dual authorization for any ACH or Wire transfer initiated with one person authorized to initiate and a second person authorized to approve the transaction.
- Know your banker. We may call to verify a person or transaction. We will authenticate the request by asking for personal information which you have shared with your banker that would help them identify you as a customer and not someone who has obtained information through social engineering or stolen information. Our standard security procedures will identify you through two levels of questions. We recommend eStatements as a way to prevent fraudsters from acquiring a paper statement with important information.
- Messages from unknown senders should always be scrutinized. Have your IT department tag all external email accordingly – this will help identify spoofed email messages.
- Avoid clicking on links or opening attachments from unknown senders. Pick up the phone and call to verify that the sender sent the email, whether it is an attorney, vendor, supplier, bank, accountant, etc. When possible, ask the vendors to acknowledge the payments in advance and confirm how and when they will deliver the information.
- Always hover your cursor over links in emails, social media or online websites before clicking. If the website addresses don’t match, the link may be malicious.
- Do not “reply” to suspicious emails. You may inadvertently be communicating with the fraudster instead of the intended party.
Develop Confirmation Procedures
- Pick up the phone and call the sender using the company directory or known vendor information
- Define the approval process for implementing a new account number
- Authenticate the request by asking the individual to provide information that would not be contained in email correspondence or through other means
- When possible, ask your vendors to acknowledge the payments