Cyber Security: How to Counter Fraud in a Digital World

When the controller of a California business received an email from the CEO requesting an immediate wire transfer to a vendor, the transaction seemed routine. Only after the money was sent was it discovered that the vendor was not due such a payment. And worse, the funds had not been received.

An investigation revealed that the sender of the request had been a thief using an email address misleadingly similar to the targeted company’s top executive. The supplied banking credentials were actually those of the crook’s account in China. Acting quickly, the controller called the overseas bank to see if the payment could be canceled. What he heard allowed him to breathe a sigh of relief: Because the funds had arrived on a Chinese bank holiday they had not yet been credited to the thief’s account. The company was able to recover its funds.

Costly Fraud

While our opening story has a happy ending, most businesses targeted by so-called Business Email Compromise (BEC) fraud are not so lucky. In a recent survey from consulting firm AP Now, 11% of respondents reported losing money to such fraud, and of those only 3.2% recovered all the stolen funds. The fraud is increasing rapidly as thieves have learned to cleverly disguise C-level executives’ identities.

“Crooks know it’s very, very easy for people to miss slight changes in email addresses,” said Mary S. Schaeffer, AP Now’s president (ap-now.com).
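As an added illustration that is not from the article or from AP Now, the kind of check a mail gateway or a wary accounts-payable team could run over a From: header to catch the “slight changes” Schaeffer describes: a look-alike domain (swapped letters, digits standing in for letters, a dropped character) or an executive’s name on an outside address. The company domain and executive name are constructed sample values.

```python
from email.utils import parseaddr

# Constructed sample values: the company's real mail domain and an executive name.
TRUSTED_DOMAINS = {"examplepallets.com"}
EXECUTIVES = {"jane doe"}

# Character sequences readers tend to confuse, mapped to what they imitate.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Fold visually confusable characters so 'exarnple' compares equal to 'example'."""
    d = domain.lower().strip()
    for glyph, plain in HOMOGLYPHS:
        d = d.replace(glyph, plain)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 means a near-miss spelling of the real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str) -> list[str]:
    """Return reasons a From: header looks like executive impersonation (empty list = clean)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags: list[str] = []
    if domain in TRUSTED_DOMAINS:
        return flags  # genuinely internal; nothing to report
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted):
            flags.append(f"homoglyph domain {domain!r} mimics {trusted!r}")
        elif edit_distance(domain, trusted) <= 2:
            flags.append(f"near-miss domain {domain!r} vs {trusted!r}")
        elif trusted.split(".")[0] in domain:
            flags.append(f"domain {domain!r} embeds the company name")
    # A known executive's name on any external address is the classic BEC pattern.
    if name.lower() in EXECUTIVES:
        flags.append(f"display name {name!r} matches an executive but address is external")
    return flags
```

Any non-empty result is a reason to fall back to the out-of-band verification the article recommends, not a verdict on its own.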

Reports from the FBI, the IRS and other agencies show that cyber fraud poses a growing threat to businesses. While many thieves want money, others want data such as company marketing plans or customer information for identity theft. Losing control of the latter can be especially costly.

“The extent of liability for customer data loss depends on the severity of the incident,” commented Diane D. Reynolds, partner at New York-based McElroy Deutsch (mdmc-law.com). “Not only may a breach require notification under state and possibly federal regulations but there are also costs involved with the ongoing need to monitor the results of the breach, cleanup the system, and deal with negative public relations.”

It isn’t just the large companies that are at risk. “Criminals often target smaller businesses because their protections are typically not as strong,” explained Schaeffer. “They are likely to have older, unsafe technology and lack the security personnel to keep software updated.”

Fueling the rise in cyber fraud is the growing digitalization of business transactions, a long-term trend given further impetus by a greater reliance on electronic communications during the Covid-19 pandemic. “Flaws in firewalls and Virtual Private Networks (VPNs), as well as in videoconferencing systems have exposed more businesses to incursions,” stated Robert M. Travisano, an attorney in the litigation practice of Epstein Becker Green (ebglaw.com). The rapid expansion of devices on the typical employer’s computer network has given cyber actors still more opportunities.

The pandemic has increased risk in another way: “More people are working at home, sharing business computers with family members,” said Eric Jackson, Consultant in the Cybersecurity team at Withum (withum.com). “This has created some serious security breaches.” Not only do users log onto malware-infested sites they would not access at work, but family members may accidentally open email attachments that install damaging programs.


Electronic Payments

Wire transfers and ACH (Automated Clearing House) transactions are juicy targets for cyber thieves as the business world moves away from paper checks. “The right procedures can help spot electronic payment fraud before the money goes out the door,” added Schaeffer. “That’s much better than trying to recover what’s been lost.”

The key to protecting your digital transactions is effective “procedures.” Security experts say most business fraud stems from social engineering—a thief’s skillful engagement with a company employee. “Social engineering is responsible for 70% to 90% of all successful digital breaches,” said Roger Grimes, a consultant at security firm Knowbe4 (knowbe4.com). “Yet the average company spends less than 5% of its cybersecurity budget to fight it.”

Training the staff in preventive procedures can nip such fraud in the bud. To prevent BEC fraud like the one in our opening story, for example, businesses can require that wire transfers be validated by a means other than email. “Validation should be done by either picking up the phone and calling the executive using a known number, or if feasible by walking over to that individual’s office,” recommended Schaeffer.

The pandemic has made this kind of verification more difficult. “Calling and verifying sounds easy in the abstract, but it can be exponentially more difficult when people work from home,” explained Schaeffer. “Sometimes the right person is not readily available because of their schedule.”

Adding to the risk is the fact that home workers often have less than ideal technology. “Accounts payable people have become accustomed to using two screens,” said Schaeffer. “When they get sent home, they may only have a laptop with a single small screen.” The result of this technology mismatch can be costly errors. “Just trying to enter data by going back and forth between applications takes longer and can create confusion.”

The above conditions can lead to security breaches when targeted employees are pressured into quick action. “Thieves will often request transactions when they know people are more likely to be overworked or harried,” suggested Schaeffer. “Employees need to be warned to be alert for such requests that come in late on a Friday afternoon, at the end of the month, or anytime when thieves think they can trick somebody into failing to properly verify a transaction.”


Protect Accounts

Good procedures can also guard against a variation of social engineering in which a caller, pretending to be a customer, requests bank routing numbers to pay an invoice. “People are often only too happy to give out such information because they want to receive money,” observed. “However, rather than using the provided information to wire funds into the account the thief wires funds out.”

Businesses can prevent such wire fraud by requiring that account information be communicated only by designated individuals who directly dial the paying company using known telephone numbers. “Another solution is to establish one bank account dedicated to wire transfers, and use it only for inbound transactions,” advised Schaeffer. “At the end of the day, money from that account can be swept into the business’s regular account which the bank has flagged to reject any wire transfers.”

In a reversal of the above fraud, a thief pretending to be a vendor will send an email providing routing numbers for a new bank account where all future payments are to be made. The account, of course, belongs to the thief. “This type of fraud is exploding and I cannot caution you enough to be careful,” warned Schaeffer. “You need to get to the right person to verify that the request is legitimate.” Again, verification should be done over a voice line using a known telephone number.

Schaeffer cautions that calling to verify changes in bank accounts or email addresses will only work if a company’s records are accurate. “It’s more important than ever to enter valid contact information in the master vendor file when it’s first set up, and then update it regularly.”

Wire transfers are not the only electronic payment method at risk. Thieves can also use stolen ACH account numbers to steal company funds. Banks offer a number of services to stem losses. An ACH block prohibits all ACH transactions on a specified account. An ACH debit block prohibits only transactions initiated by payees. An ACH filter allows ACH debits only from those on a designated list of names. An ACH alert triggers a notification when an ACH debit arrives, enabling a staff member to accept or reject it.

“I suggest putting ACH debit blocks on all accounts where debit activity is not needed,” said Schaeffer. “Limit ACH debit activity to one or two accounts and check those accounts each day. Businesses have 48 hours’ time to notify the bank of any unauthorized transaction.” (Consumers enjoy a 60-day notification window).


Damaging Malware

This article has discussed some of the fastest-growing security breaches stemming from social engineering. Experts also suggest businesses take the following measures. These actions can help reduce the chances of being hit with ransomware, a form of malware that forces targeted businesses to make costly payouts either to regain access to encrypted data or to prevent the release of business information to competitors:

1. Beware malware-ridden emails

Phishing emails trick recipients into clicking a link to a toxic website or opening a compromised attachment. The result is the installation of keylogger software that collects keystrokes for critical bank account information.

Solution: Train employees to handle all emails with suspicion.

2. Update hardware

Old computers and routers offer access points for hackers. “Anything older than say 15 years was designed without security in mind,” suggested Jackson.

Solution: Replace old equipment with new models.

3. Patch software

Outdated versions of operating systems or office programs are riddled with security bugs. “Unpatched software is involved in 20% to 40% of all digital breaches,” stated Grimes.

Solution: Update operating systems and programs to the latest versions.


Insurance Policies

No business can eliminate the risk of cyber fraud. The right insurance, though, can lessen the blow when a breach occurs. “Insurance can protect businesses from so-called ‘first party risk’ of their own losses,” said Reynolds. “Policies can also protect against losses to third parties such as customers and vendors, obviating lawsuits against the insured company.”

Even the best insurance policy is no substitute for operating procedures that help stop cyber theft in its tracks. Employees from the CEO on down need to be trained on the most effective responses to thieves who are skilled at social engineering.

“The one piece of advice I have is to be suspicious,” recommended Schaeffer. “Make sure everyone knows that if something looks a little odd, or if someone asks for something out of the ordinary, speak up. It’s better to go overboard on security than to go the other way.”


Cyber Defense Quiz

How solid is your cyber security program? Find out by taking this quiz.

Score 10 points for each “yes.” Then total your score and check your rating at the bottom of the chart.

____ 1. Have all personnel been trained on security protocols, including correct handling of suspicious emails?

____ 2. Do changes in a vendor’s or customer’s bank account information for e-payments require verification by voice telephone call to a known number?

____ 3. Do you require non-email validation of wire transfer or ACH requests?

____ 4. Have you established one bank account dedicated to wire transfers and blocked such transfers on all other accounts?

____ 5. Have you limited ACH debit activity to one designated account?

____ 6. Have you established ACH filters, blocks and alerts where appropriate?

____ 7. Do you regularly update vendor master files?

____ 8. Have you replaced hardware older than 15 years?

____ 9. Do you regularly patch software programs?

____ 10. Have you taken out a comprehensive cyber insurance policy?

What’s your score?

80 or more: Congratulations. You have gone a long way toward securing your company funds and data.

Between 60 and 80: It’s time to fine-tune your security procedures.

Below 60: Your business is at risk. Take action on the suggestions in the accompanying story.


Phillip M. Perry

Pallet Enterprise November 2024