If you’ve ever received a puzzling email from senior management asking you to transfer funds from the company account to an unknown account, you may want to check with them in person. Chances are that’s not actually them on the other end of the email.
Fraud investigators in the UK have uncovered a new and alarming way that online scam artists are swindling funds from business employees. Because the visible sender address of an email is ordinary text in the message header that the sending system can set to anything, fraudsters can make a message appear to come from any address they like; nothing in the basic email protocol checks it. Only sender-authentication checks such as SPF, DKIM and DMARC applied by the receiving mail gateway, or a separate verification with the supposed sender, expose the forgery.
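The following is an added example, not code from the original article, showing what a header check of that kind looks like in practice. It parses a constructed message whose visible From line impersonates a finance director while the envelope sender, the Reply-To address and the gateway's SPF/DMARC verdicts all point elsewhere, and returns the list of mismatches. The domains, names and amounts are placeholders; the check assumes the Authentication-Results header was stamped by your own trusted mail gateway.

```python
"""Flag an email whose visible From line does not match the path it took.

Added example; not part of the original article. The two raw messages below are
constructed for illustration, and every domain and name in them is a placeholder.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: display name and From address impersonate the CFO, but the
# gateway recorded SPF and DMARC failures and replies are redirected elsewhere.
SPOOFED_MESSAGE = b"""\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.invalid; dkim=none; dmarc=fail header.from=example.com
Return-Path: <bounce@attacker.invalid>
From: "Jane Doe, CFO" <jane.doe@example.com>
Reply-To: <jane.doe.cfo@mail-example.invalid>
To: accounts@example.com
Subject: Urgent wire transfer - confidential deal

Please transfer 48,500 GBP to the account below today. Do not discuss with anyone.
"""

# Constructed sample of a genuine internal message for comparison.
LEGITIMATE_MESSAGE = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Return-Path: <jane.doe@example.com>
From: "Jane Doe, CFO" <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 supplier payment run

Please process the attached payment run as per the usual schedule.
"""


def domain_of(address: str) -> str:
    """Return the lower-cased domain of an RFC 5322 address, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def header_mismatches(raw: bytes) -> list[str]:
    """Return the reasons a message looks spoofed; an empty list means no finding."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of(msg.get("From", ""))
    findings = []

    # 1. Envelope sender (Return-Path) comes from a different domain than the
    #    visible From header: the message was injected from outside.
    rp_domain = domain_of(msg.get("Return-Path", ""))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} != From domain {from_domain}")

    # 2. Reply-To points somewhere else, so a reply goes to the fraudster,
    #    not to the executive shown in the From line.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} != From domain {from_domain}")

    # 3. SPF/DMARC verdicts. Assumed to be written by a trusted gateway; a
    #    forged Authentication-Results header is itself a sign of trouble.
    auth = msg.get("Authentication-Results", "").lower()
    for mechanism in ("spf", "dmarc"):
        if f"{mechanism}=fail" in auth:
            findings.append(f"{mechanism} failed per Authentication-Results")

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, header_mismatches(raw) or "no header findings")
```

A message that passes every check here is not necessarily safe: if the executive's real account has been compromised, the headers are genuine and only an out-of-band confirmation catches the fraud, which is why the verification steps below still apply.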
Employees in the finance departments of several businesses reported receiving emails that appear to come from senior staff such as finance directors or CFOs, asking them to transfer company money from the standard account to a secondary account. The email usually claims the funds are needed quickly to close a deal or contract, which is used to justify breaking standard procedure.
In some cases the email accounts of senior staff are compromised beforehand so that the email is as real and legitimate as possible. When that happens the message is sent from the genuine account, so the address, wording and email signature all check out and only an out-of-band confirmation will reveal that the person on the other end is a fraudster.
These criminals use publicly disclosed information on “About Us” and corporate web pages to collect names, email addresses, phone numbers, job titles and other details that help them craft the perfect email to the unsuspecting employee. They also gather information by compromising web-based services frequented by senior employees.
The deviousness of this scam lies in its finesse. The email has been painstakingly and meticulously written to sound as real and as urgent as possible, to elicit an immediate response. But there are ways to avoid this particular pitfall. By implementing a quick safety check, employees can, to a high degree of certainty, be sure that the source of the email is a legitimate one.
1. Implement a company-wide robust password policy
This one is simple. Don’t make it easy on the attackers. The longer and more complex the password, the harder it is to crack, and a password that is not reused on other services cannot be recovered from someone else’s breach. Where the email service offers multi-factor authentication, enable it, since a stolen password alone is then not enough to read or send mail. Also make sure that employees don’t give away the keys to the castle by keeping their passwords on those oh-so-secure post-it notes stuck to monitors, laptops and devices.
2. Personally or verbally confirm all irregular or unusual payment and transfer requests. Use established and verified contact information. Do not rely on contact information provided in the email.
When moving money around it is never a bad thing to double check. Indeed, managers and executives are usually thankful that you are so concerned with the well-being of the company. Do not use phone numbers or email addresses given in the email itself, since they may be fake or lead straight back to the fraudster; use the number already in the company directory. Always cover your bases and require more than one person to authorise a transfer, especially for large sums.
3. Establish standard protocols and procedures for the transfer of funds. Be very cautious of any request that falls outside of these procedures.
Set the rules and follow them ruthlessly. Doing so ensures that not only do you have a clear process for doing things, but it also highlights any request that doesn’t follow the rules, allowing you to quickly identify suspicious or irregular activity.
4. Be wary of any and all requests for immediate bank transfers, even if it looks like it originated from within your own organisation.
The quick movement of funds is not unheard of in corporate environments, but do your due diligence. Check, double check and then do it again. This is company money we’re talking about: it is what keeps the lights on and pays the employees. Protect it at all costs.
5. Be mindful of the tone, language, structure and writing style of the email.
The devil is in the details when it comes to this type of fraud. If possible, review previous genuine requests of the same kind from the same person. Do they look the same? Do they sound the same? Does something feel off? If you raise an eyebrow for even a moment at the legitimacy of the email, call in help or, better yet, verify directly with the person it was supposedly sent by, using contact details you already hold rather than any given in the message.