“As all things technology eventually trickle down to the SMB space, so too have fairly sophisticated, often personalized phishing attacks. The past success of these scams in the Fortune 500 space have arrived in force to the target-rich SMB market.”
– Patrick Torney – eDot
The following article written by: J.P. Morgan
It’s a typical day at the office. An employee receives a friendly reminder email from a vendor they’ve known for years about an invoice coming due. The email is conversational, asks about the employee’s recent vacation, and then reminds the employee that a late payment for the invoice could result in a 20 percent surcharge if not handled immediately.
The employee recognizes their account representative’s name and email address, sees the vendor’s branding in the email and submits the invoice for payment, without giving it another thought. But in their rush to avoid a late fee, they don’t realize the email they just responded to is actually from firstname.lastname@example.org instead of email@example.com—the vendor’s real email account.
In today’s digital age of Facebook and LinkedIn, wire fraud schemes that rely on targeted email phishing have become increasingly common and sophisticated. By finding individuals who haven’t enabled privacy features on their social media accounts and then using that publicly-available data to craft believable, fraudulent emails, criminals trick businesses into quickly sending funds by creating fake, urgent situations. Frequently, victims don’t realize they’ve been duped until they confirm the transfer of funds with a vendor or manager—when the money is already long-gone.
According to the Association for Financial Professionals’ Payments Fraud and Control Survey, the number of businesses reporting wire fraud more than doubled, from 5 to 11 percent in 2013, with wire transfer listed as the preferred method of payment for fraudsters. This is largely due to the quick payment clearing timeline—which is much faster than ACH or check.
As the numbers of victims continue to rise, businesses are fighting back by setting up internal controls and procedures for employees who process payment instructions via email. Ravin Yadav, Vice President for J.P. Morgan Transaction Services and Fraud Expert, says, “Rigorous application of simple procedures such as callbacks and validations go a long way in detecting and preventing a fraud loss.”
To protect your business, ensure all employees handling payments for your business always:
- Validate new payment instructions received via email—even if the email is internal.
- Pick up the phone, whenever possible, and speak directly with the individual requesting a funds transfer.
- Contact the vendor or client directly to confirm any requests for payment method changes, validating the changes are legitimate before processing.
- Carefully review all payments before they are sent and ensure all correspondence is validated and documented in a unified way across your business.
If your business falls victim to phishing or wire transfer fraud, use the event as an opportunity to assess your internal controls. Training your staff on the ways that fraud is evolving is critical. In the fight against fraud, a little knowledge goes a long way.