Fraud Prevention Series: Part One - Beware of Email Spoofing and Wire Fraud
What is in your email inbox? As a financial institution, we are vigilant every day in our efforts to protect our clients and our employees from becoming victims of fraud. Dangerous messages from seemingly legitimate companies could be fraudsters' attempts to convince you to reveal personal information or wire money, ultimately leading to financial damage. We want to help inform you about the latest scams and how to safeguard yourself and your business from becoming a victim.
Signs of a Scam:
Scam messages often convey a sense of urgency or request inappropriate confidentiality around actions such as:
- Any update of payment instructions
- Any change of a company profile within an internal system
- Any addition of a new contact representing a company
- Any request for a new payment for a business transaction
- Any request for a sudden change in business practice
Fraudulent email aimed at wire fraud appears to come from senior executives in the company and is primarily targeted at an HR or Finance department. This is also known as spear-phishing. Example: JoeSmith@gmail.com versus the legitimate JoeSmith@acme.com. The display name may look exactly the same until you hover over the sender to see the actual address and its domain name.
Supplier Email Scam
The email address looks legitimate, but the sender's email service has been hacked or the address spoofed, so the message is not actually coming from the supplier. Example: Support@Acmeru.com versus the legitimate Support@Acme.com. Beware of extra characters or misspellings in the address. We are seeing this frequently: the sender's compromised email service is used to send messages from a valid address, drawing on information exchanged in legitimate emails over the course of weeks or months.
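The two sender tricks above (a free webmail address standing in for a corporate one, and a near-miss domain such as Acmeru.com for Acme.com) can be screened mechanically. The following is an added example, not code from the bank or the article; the trusted and webmail domain lists are constructed sample values and would be replaced with the domains your organization has verified by phone.

```python
"""Classify an email sender against partner domains verified out of band."""
from email.utils import parseaddr

# Partner domains the organization has confirmed by phone (constructed sample).
TRUSTED_DOMAINS = {"acme.com"}
# Consumer webmail providers a corporate executive would not send from.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Edit distance at or below which a domain name counts as a near miss.
MAX_TYPO_DISTANCE = 2


def edit_distance(a, b):
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value):
    """Return the domain of the real address in a From header, ignoring the
    display name (the part a reader sees before hovering), or None."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(header_value, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'freemail', 'lookalike', 'unknown' or 'invalid'."""
    domain = sender_domain(header_value)
    if domain is None:
        return "invalid"
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    if domain in FREEMAIL_DOMAINS:
        return "freemail"  # e.g. JoeSmith@gmail.com posing as JoeSmith@acme.com
    name = domain.rsplit(".", 1)[0]
    for t in trusted:
        tname = t.rsplit(".", 1)[0]
        # Same name under another TLD, a typo of the name, or the partner name
        # padded with extra characters (Acmeru.com versus Acme.com).
        if (name == tname or tname in name
                or edit_distance(name, tname) <= MAX_TYPO_DISTANCE):
            return "lookalike"
    return "unknown"
```

Anything other than "trusted" is a prompt to verify by phone using the directory, never by replying to the message.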
Attorney Email Scam
This email can take the form of a business acquisition, major business transaction or other legal request sent from an attorney to a senior executive, asking for complete confidentiality about the action. Example: a seemingly threatening document, such as a subpoena requesting information, that looks legitimate but is designed to extract confidential information.
Non-Financial Data Phishing Scheme
A request for personal information rather than a payment. Scammers collect Social Security numbers, phone numbers and addresses to assemble a fuller profile for future social engineering and other malicious activity.
None of these schemes are new, but bankers are frequently seeing every single one of these attempts being made. We recommend developing a safe culture for your organization with these multilayered protections.
If you receive a suspicious email, be mindful of the following:
- Always verify any new or changed payment instructions by means other than email. We recommend a call.
- Never send account information via email. Not even to the bank.
- Use dual control for all transaction initiation. American National Bank/Western Bank recommends dual authorization for any ACH or wire transfer: one person authorized to initiate and a second person authorized to approve the transaction.
- Know your banker. We may call to verify a person or transaction. We will authenticate the request by asking for personal information you have shared with your banker, which helps them identify you as a customer rather than someone who has obtained information through social engineering or theft. Our standard security procedures identify you through two levels of questions. We recommend eStatements as a way to prevent fraudsters from acquiring a paper statement containing important information.
- Messages from unknown senders should always be scrutinized. Have your IT department tag all external email accordingly – this will help identify spoofed email messages.
- Avoid clicking on links or opening attachments from unknown senders. Pick up the phone and call to verify that the sender sent the email, whether it is an attorney, vendor, supplier, bank, accountant, etc. When possible, ask the vendors to acknowledge the payments in advance and confirm how and when they will deliver the information.
- Always hover your cursor over links in emails, social media or websites before clicking. If the displayed address and the actual destination don't match, the link may be malicious.
- Do not “reply” to suspicious emails. You may inadvertently be communicating with the fraudster instead of the intended party.
Develop Confirmation Procedures
- Pick up the phone and call the sender using the company directory or known vendor information
- Define the approval process for implementing a new account number
- Authenticate the request by asking the individual to provide information that would not appear in email correspondence, or verify it through other means
- When possible, ask your vendors to acknowledge the payments