We have seen a large increase lately in fraud attempts to get businesses to send money via wire and ACH, and want to remind you of the controls and diligence you should be using to protect your business from fraud. Often, once a business acts on fraudulent instructions to send money, it is difficult or impossible to get it back, resulting in significant losses to the business. Please read the following carefully and make sure your team is aware of this type of activity, and that you have the proper controls in place to protect your business. Some examples of recent activity include:
Scenario # 1:
The CEO of ACME R US is out of town on a family vacation. The controller receives an email asking if they are available to help with an urgent matter. Of course, the controller responds quickly, asking how they can help. The CEO explains that a vendor of theirs never received payment and is refusing to ship the parts they ordered unless they wire money today (wire instructions attached). “Please send $57,735.32 immediately and provide me confirmation as soon as it is sent so I can inform our vendor,” the CEO emailed. Without question, the controller does exactly what was requested.
The next day, the real CEO calls the office to simply check in. During their conversation, the controller asks if the wire got there in time and if the parts shipped. Perplexed, the CEO asks, “What wire, and to whom?” Shortly after this call, the bank gets a call. The fraudsters simply sent an email from outside the organization to the controller, making it look as if it was an internal email.
Scenario # 2:
The controller of ACME R US received an email from one of their suppliers. The email stated that they are changing banks and to please change their accounts payable information to the new account and routing number of the new bank effective immediately. Seems fairly routine, so the controller made the modification. A month later, ACME R US received a phone call about not paying their last invoice totaling $107,861.35. Through conversation with the supplier, it was discovered that their email account had been compromised and the fraudster was sending fraudulent communications directly from their email account to customers like ACME R US.
What do both of these scenarios have in common? They both were orchestrated via email. Both times, the email communication was all that was necessary to take action. They both indicated a sense of urgency or immediate action required. They both lost thousands of dollars.
Take action and consider implementing these controls:
1. DO NOT automatically trust or act solely on an email communication asking you to make changes to payment instructions from vendors, business partners, or internal management, even if it looks legitimate. To protect your company, procedures should be reviewed to ensure they include a validation step outside of email utilizing already known contact information, such as a verification phone call. For internal management email requests, you may want to require an actual signature as an added security measure. Think about all the things you do simply based on trusting an email. What risk are you taking if the email is not legitimate?
2. Utilize Dual Control options for authorizing ACH and wire payments within online banking, and make sure the staff reviewing those are trained properly to look for potential fraud or unusual activity. Another set of trained eyes can be an effective, if not foolproof, way to safeguard against fraud.
3. Utilize Multi-Factor Authentication. If you access your office remotely or use Office 365, Outlook Web Access, or some other cloud-based email, ensure you utilize multi-factor authentication. If your credentials are compromised, the fraudsters can access your email account from anywhere. They monitor who you speak with and learn how you do business. Then they plan their attack and start communicating as you. They delete every sent and received communication to help hide their tracks. Please use multi-factor authentication whenever possible. It is as easy as receiving a 6-digit temporary access code that you key in every time you log in with your username and password.
4. Train Your Staff about the risks of automatically trusting email as legitimate. Phishing emails can compromise your systems with malware or ransomware. Spear phishing emails hope to get your staff to take action and usually turn into money lost.
5. Contact The Bank Immediately if you believe you are a victim of fraud or have sent funds based on fraudulent instructions. We can best assist you if you call us first. (1-800-453-8700 option 2)
6. Secure Your Environment by ensuring your computer systems and network are routinely patched to help avoid vulnerabilities, and seek outside review or support regularly to make sure your internal controls are up to industry standards to avoid intrusion or takeover attempts.
If you have questions or concerns, please contact us at (1-800-453-8700 option 2).
I hope that you, like me, have fond memories of your grandparents. When invited to grandma’s house for lunch, I could always count on having something on the table she knew I liked. Grandparents are very special and we need to care for them as much as they care for us.
Unfortunately, our grandparents, parents and older adults are the target of many types of scams received over the phone or via email. These scams attempt to deceive with promises of goods, services, or financial benefits, or with the need to send money to pay taxes or fees or to help someone they love. Their stories are contrived for one purpose and one purpose only: to get money. Below is just one example of these schemes.
Scammers place a call to an older person and when they answer, the scammer will say something along the lines of: “Hi Grandma, do you know who this is?” When the unsuspecting grandparent guesses the name of the grandchild the scammer most sounds like, the scammer has established a fake identity without having done a lick of background research.
Once “in,” the fake grandchild will usually ask for money to solve some unexpected financial problem (overdue rent, payment for car repairs, etc.), to be paid via Western Union or MoneyGram, which don’t always require identification to collect. At the same time, the scam artist will beg the grandparent “please don’t tell my parents, they would kill me.”
One of the best ways to protect our loved ones from these types of tactics is to talk with them about it. Building awareness is the first step. If they are willing, another step might be helping them with paying bills and balancing their bank accounts.
If you have been, or know someone who has been, a victim, don’t be afraid to talk about it with someone you trust. You are not alone, and there are people who can help. Doing nothing could only make it worse. Keep handy the phone numbers and resources you can turn to, including the local police, your bank (if money has been taken from your accounts), and Adult Protective Services at 1-855-444-3911. Call anytime day or night to report suspected abuse of vulnerable adults.