By Bahar Fergeson
Technology continues to change the way consumers interact with their financial institutions and handle their financial needs. It is no longer necessary to set foot in the bank to handle the vast majority of daily banking activities. Not only has this shift caused financial institutions to look at ways to remain engaged and create a positive interaction with their customers, but the increased reliance on, and use of, technology for financial matters has also opened the door to scammers, who take advantage of this increased comfort with financial matters being handled with little or no face-to-face interaction.
While imposter wire transfer emails that appear to come from a coworker, vendor or customer have been around for years, the FBI released an alert in early 2017 addressing the surge in fraudulent wire transfer request scams. According to the FBI, the last seven months of 2016 experienced a sharp increase in this email scam. From October 2013 through December 2016, these scams amounted to $5.4 billion in requested funds.
While awareness and education have increased over time, the 2013-2016 period resulted in over $2 billion of funds collected worldwide through these scams, with over $1.5 billion coming from U.S. victims alone. The result of such transfers can lead to extensive pain, frustration and clean-up.
These scams take a variety of forms. They may be from an actual hacked or compromised account — literally coming from the user’s email box — or they may be from accounts similar enough to not raise a red flag to a rushed employee responding to a seemingly logical request. Sometimes they masquerade as coming from a coworker. Other times they may come through as a vendor or supplier requesting payment for product or services. Additionally, they have been known to come through as a trusted advisor — banking, legal, real estate, etc. — dealing with “time sensitive” situations geared to cause the receiver to act more quickly and overlook more potential red flags than he/she may otherwise notice. As long as thieves are having some financial success, this scam is likely to continue. Therefore, it is important to determine the best ways to minimize the chances of this occurring in your organization, or in those of your customers, by taking steps to educate and proactively minimize the risk of falling victim.
A non-exhaustive list of suggestions is:
1. Educate. When people know this is a problem, they are more likely to be skeptical of any request to wire money than they would have been before becoming informed. It is also important to constantly inform other employees and your IT provider of any suspicious emails or telephone calls you receive. The greater the knowledge, the lower the success of such scams. If you are a victim, report the situation immediately to the financial institution as well as the FBI.
2. Slow down. In accordance with education, when people are asked to process payments, wire money or even open attachments or review documents accessed through provided links, it is incredibly important to determine the authenticity of the request. While the grammar quality of these emails has generally improved significantly, slight variations in the wording or grammatical style of the writer may often serve as a red flag. Additionally, when the thief is using a similar email address, but not a hacked account, slight variations in the address may be the trigger. For example, if the email handle is @abc_corp, a quick look may not recognize that the email is coming from @abc-corp. Slowing down and considering the request allows the employee to determine if there is anything strange about it that they may not notice if they are simply rushing to complete a task. If you have questions, pick up the phone and call the individual or the company making the request to ensure authenticity. Remember, call the number you have for them, not the number provided in the email.
3. Implement a two-step process. This can be fantastic for financial transfers as well as the release of other sensitive information (W-2s, etc.). Whether as simple as picking up the phone or walking down and getting verbal or written approval, or implementing a hold process with the financial institution in cases of wire transfers for secondary approval prior to the sending of funds, a second layer may help reduce the chances of the success of these scams and the subsequent losses to the company. Just remember, replying to that email causes more problems and is NOT an appropriate second step.
4. Switch to a company email. Skip the free web email programs and create your own emails tied to your domain. Additionally, have a password reset process in place requiring the changing of passwords regularly. This will help fight against being hacked and having fraudulent emails come directly out of a legitimate mailbox. Many programs have a harder time replicating an email signature, which can be a great red flag when receiving a scam email. However, this is not the case if they hack into your actual mailbox. So, diligently changing passwords and maintaining a strong password will help minimize the odds of getting hacked that way.
5. Protect information. Be wary of oversharing on public forums, because scammers are creatively building these scams based on job roles or functions, key transactions (e.g., real estate purchases, legal matters), the wording and word choice of individuals, the hierarchy or job roles of specific individuals, and knowledge of events or vacations, all to improve the chances of being deemed authentic. These pieces of information can create emails that are much more difficult to spot as being suspicious, therefore resulting in a greater number of individuals following through with the fraudulent request. It is important to be wary of what information is shared and available to anyone with an Internet connection.
As the scammers and potential thieves continue to become smarter, it is essential we do the same in order to better protect ourselves and our companies.
Bahar Fergeson is president of Wasatch I.T., a Utah provider of outsourced I.T. services for small and medium-sized businesses.