Here’s a new nightmare for the small business owner: You come back from lunch and afternoon meetings to find thousands of dollars missing from your company accounts. The head of your A/P department reminds you of the email you sent instructing her to send a wire transfer. Your head starts spinning. What email? What transfer? Absolutely none of this sounds familiar! And suddenly, you realize you’ve been had.
The Scam
This cyberscam, known as Business Email Compromise (BEC) or CEO fraud, is playing out in offices across the country. It goes like this: Scammers pose as the head of a company using a realistic-looking email address (more on this below). The email requests employee information or a wire transfer of funds to a seemingly familiar account, except the account details are slightly off, so the funds or information go to an account the scammers control. All the while, the employee thinks they are doing the right thing by quickly fulfilling the boss’ request. The “perfect crime” is carried out in minutes.
Here’s an example of a bogus email sent to a company called Centrify (image courtesy of CNBC.com*).
Notice the “From” email address? The I and F in Centrify have been switched. That’s an easy miss for someone focused on the text of the email and not the details of the domain name.
According to the FBI, incidents of this kind of email fraud are increasing. Since January 2015, there has been a 1300% increase in identified exposed losses (attempted and actual), totaling over $3 billion. Victims include social media giant Snapchat and storage device manufacturer Seagate Technology. In these cases, scammers obtained sensitive employee information and cost the companies millions. If it can happen to the “big guys”, it can happen to you, the small business owner.
Protecting Yourself
Business Email Compromise may sound like a simple crime, but it’s actually quite sophisticated. Scammers have not only registered a fraudulent domain that mirrors the intended victim company’s, but they’ve done their research into who’s inside the accounting department, who can initiate a wire transfer, and how much money is realistic to request. In other words, they are deep into your company by the time you realize they’re there. Making matters worse, if the fraud is not discovered in time, the money is nearly impossible to recover, thanks to the scammers’ use of laundering techniques and associates around the world who drain the funds almost immediately after they are deposited. It’s a complex network that is nearly impossible to trace. You need to be on your toes.
Here’s what we recommend.
- Warn your employees about scams and train them to identify and report potential frauds.
- Work with your IT team to configure your email filtering to flag incoming messages from domains that are similar to your company’s, but just slightly off. For us, @trustbgw.com, we’d want to flag @trustbwg.com, @trastbgw.com, and so on.
- Also work with your IT team to flag emails in which the “Reply-To” address is different from the “From” address; that is how a scammer steers the reply to an account they control even when the “From” line looks right.
- Require dual approval (a two-person sign-off) on outgoing wire transfers. This will increase the odds that someone in your office gets a hunch that something is off.
- Require that your employees confirm email requests for transfers of funds or sensitive information with you personally, face-to-face or by phone, using a phone number they already have on file rather than one supplied in the email.
- Consider revising (and communicating) company policy to explicitly prohibit the request of funds or personal information via email. That way, if a fraudulent email does arrive, your employees will know right away to trash it.
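The two flagging rules above (lookalike sender domain, and Reply-To not matching From) can be checked mechanically on each incoming message. The script below is an added example written for this post, not the bank’s or any vendor’s filtering code; it assumes trustbgw.com as the company domain and uses a small set of constructed sample messages. It uses the optimal string alignment distance, which counts a swap of two adjacent letters (the Centrify-style “fi”/“if” switch) as a single edit, so transpositions and one-letter substitutions are both caught while unrelated domains are not.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: the company's own domain, taken from the post above.
COMPANY_DOMAIN = "trustbgw.com"


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance between two strings.
    Edits counted: insert, delete, substitute, or swap two adjacent characters,
    so 'trustbwg.com' vs 'trustbgw.com' is 1 edit, not 2."""
    a, b = a.lower(), b.lower()
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[la][lb]


def domain_of(header_value) -> str:
    """Extract the lower-cased domain from a From/Reply-To header value."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def flag_message(raw: bytes, company_domain: str = COMPANY_DOMAIN,
                 max_distance: int = 2) -> list:
    """Return a list of flags for one raw RFC 5322 message.

    ("lookalike", domain, distance)          -- From or Reply-To domain is within
                                                max_distance edits of ours but not ours
    ("reply-to-mismatch", from_dom, reply_dom) -- Reply-To points somewhere other than From
    An exact match on our own domain is NOT flagged: a compromised internal
    mailbox needs other controls (dual approval, phone verification)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    flags = []
    for dom in {from_domain, reply_domain} - {""}:
        dist = osa_distance(dom, company_domain)
        if dom != company_domain and dist <= max_distance:
            flags.append(("lookalike", dom, dist))
    if reply_domain and reply_domain != from_domain:
        flags.append(("reply-to-mismatch", from_domain, reply_domain))
    return flags


# Constructed sample messages for demonstration (not real traffic).
SAMPLES = {
    "transposed": (b"From: CEO <ceo@trustbwg.com>\r\nTo: ap@trustbgw.com\r\n"
                   b"Subject: Urgent wire\r\n\r\nPlease wire $48,000 today.\r\n"),
    "substituted": (b"From: ceo@trastbgw.com\r\nTo: ap@trustbgw.com\r\n"
                    b"Subject: W-2 request\r\n\r\nSend me all employee W-2s.\r\n"),
    "legit": (b"From: ceo@trustbgw.com\r\nTo: ap@trustbgw.com\r\n"
              b"Subject: Lunch\r\n\r\nSee you at noon.\r\n"),
    "replyto": (b"From: CEO <ceo@trustbgw.com>\r\nReply-To: ceo@trustbgw-mail.com\r\n"
                b"To: ap@trustbgw.com\r\nSubject: Quick favor\r\n\r\nReply ASAP.\r\n"),
}


def scan_samples() -> dict:
    """Run flag_message over every constructed sample; returns {name: flags}."""
    return {name: flag_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in scan_samples().items():
        print(f"{name:12s} -> {flags or 'ok'}")
```

Two caveats a practitioner should keep in mind when deploying a rule like this: the From header itself can be forged outright, so a check on the visible domain should sit alongside SPF/DKIM/DMARC enforcement rather than replace it, and legitimate newsletters and ticketing systems often set a different Reply-To, so the mismatch rule is a signal to quarantine or label, not grounds to block on its own.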
Cleaning up the mess
If you do fall victim to Business Email Compromise, take the following steps QUICKLY:
- Call your bank immediately upon discovering the transfer of funds. Report the fraudulent transfer, and request that they contact the bank where the money was sent.
- Notify your local police department and your local FBI office. Together with the U.S. Treasury Financial Crimes Enforcement Network, they may be able to freeze the funds.
- File a complaint with the FBI’s Internet Crime Complaint Center at www.IC3.gov, regardless of the dollar amount sent.
- Begin taking steps immediately to prevent another attack, including checking the email accounts involved for unauthorized access before trusting them again.
Cyberthreats take on many forms these days. Do not let one email set your company back. Educate yourself, and take every precaution necessary to avoid a financial and logistical disaster.