Here’s How You Can Avoid the Trap of the Phishing Scheme Looking to Steal Payments
Businesses large and small are familiar with email "spoofing" and "spear phishing" schemes. One click on the wrong link and your firm might compromise its entire computer network and install ransomware or other malware.
One scheme that is victimizing businesses with increasing frequency diverts payments intended for trusted vendors to bank accounts controlled by scammers, who quickly whisk the funds away to locations where discovery is unlikely and recovery next to impossible. Cyber criminals might hack into your firm's system and discover information about your vendors. Or they might hack into a vendor's system and discover information about your firm.
Either way, here’s what happens:
- You receive an email purporting to be from a vendor, aiming to collect confidential information or to change payment instructions. The email may direct the recipient to enter the confidential information at a link the scammers control. In addition to financial information, scammers often seek personal identification information such as Social Security numbers, phone numbers, and addresses.
- Very often, the email says the vendor has changed banks or bank accounts. It is usually sent to executives or to human resources or corporate finance employees whose roles include authorizing or executing accounts payable.
- The email asks your employee to update the payment instructions and, ultimately, to send funds to the new bank account to pay an outstanding invoice. The second the send button is hit, it becomes almost impossible to find out where the money went or how to get it back.
How can businesses protect themselves from these schemes? Above all, be skeptical, be suspicious, and verify, verify, verify. In practical terms, that means:
- If you receive an email containing new or changed payment instructions, double-check by telephoning the person who purportedly sent it, at a number you already have on file, never at a number supplied in the email itself. A reply to the email proves nothing, since the thread may be under the scammer's control. Notably, many insurance policies contain a coverage exclusion that kicks in if the policyholder fails to confirm payment instructions through some means other than a reply email.
- Read email addresses carefully! Spoofed emails frequently use just a tiny variation on the legitimate address they imitate. The trusted address you expect to see is email@example.com. A spoofed email may add, delete, or alter a letter or a bit of punctuation in the user name or the domain name, often by a single character (replacing an "I" or an "l" with a "1", for instance), so that the recipient assumes at first glance that the message comes from a trusted address. With many sans serif fonts, even the sharpest eye cannot detect the substitution of a capital I for a lowercase l.
- Never send account information by email. Not even to the bank.
- Use dual authorization for every ACH or wire transfer: one person authorized to initiate and a second person authorized to approve the transaction. For that matter, minimize wire transfers, period. Unlike ACH or credit card payments, which have dispute and reversal processes, wire payments can almost never be undone. Reversing a wire requires the sending and receiving banks to cooperate, which does you no good when the scammers withdraw the funds as soon as they arrive.
- Carefully scrutinize messages from unknown senders, and don't click on links or open attachments from unknown senders. Again, use the phone to verify.
- Be on the lookout for clues that something is amiss. Many scammers operate from overseas and use English as a second language or with local variations. If a message purports to be from J.P. Morgan Chase or Capital One but contains awkward or incorrect grammar or spelling, be suspicious. Poor-quality graphics are another tip-off. If the PayPal or Netflix logo looks like it was copied multiple times or scanned with a low-resolution scanner, be even more suspicious. The absence of such clues proves nothing, though; polished, error-free messages are common, so still verify.
- Finally, help other honest businesses by sharing information about your enemies.
Forward phishing emails to firstname.lastname@example.org and to email@example.com. The Anti-Phishing Working Group, a coalition of ISPs, financial institutions, security vendors, and law enforcement agencies, uses these reports to combat phishing. And by all means, pay it forward by reporting the phishing attempt to the company, bank, or organization impersonated in the email.
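The look-alike address problem described above is easy to miss by eye but simple to check by machine. The following is an added example, not code from the author or the firm: a small screen that compares the From: header of an incoming message against a list of trusted vendor addresses and flags homoglyph swaps (capital I, digit 1, digit 0, "rn" for "m"), single-character edits such as a dropped hyphen, and display names that show a trusted address while the real sender is elsewhere. The vendor list, the confusable-character map, and the sample headers are all constructed for illustration; a real deployment would feed it each parsed From: header and route every "lookalike" verdict to the phone-verification step.

```python
"""Flag From: addresses that imitate a trusted vendor address.

Added example for this article; not the author's or the firm's code.
Vendor addresses, confusable map and sample headers are constructed.
"""
from email.utils import parseaddr

# Constructed trusted vendor addresses (the ones actually on file).
TRUSTED_VENDORS = {
    "ap@acme-supply.example",
    "billing@northwind.example",
}

# Characters that many sans-serif fonts render almost identically.
# Each is collapsed to one representative before comparison (a "skeleton").
SINGLE_CONFUSABLES = {"1": "l", "I": "l", "|": "l", "0": "o", "5": "s", "3": "e"}
# Two-character sequences that read as a single letter at a glance.
PAIR_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(text: str) -> str:
    """Collapse visually confusable characters so look-alikes compare equal."""
    # Map before lower-casing: a capital I must become l, not i.
    mapped = "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in text).lower()
    for pair, rep in PAIR_CONFUSABLES:
        mapped = mapped.replace(pair, rep)
    return mapped


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one added, dropped or swapped character is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> tuple[str, str]:
    """Return (verdict, trusted address it resembles).

    verdict is 'trusted' (exact match), 'lookalike' (resembles a trusted
    address but is not one) or 'unknown' (no resemblance at all).
    """
    display, raw = parseaddr(from_header)
    raw = raw.strip()          # keep original case for the skeleton check
    addr = raw.lower()
    if "@" not in addr:
        return ("unknown", "")
    if addr in TRUSTED_VENDORS:
        return ("trusted", addr)

    domain = raw.rsplit("@", 1)[1]
    display_l = display.strip().lower()
    for trusted in sorted(TRUSTED_VENDORS):
        t_domain = trusted.rsplit("@", 1)[1]
        # 1. Same skeleton, different text: a homoglyph swap (I/l/1, 0/o, rn/m).
        if skeleton(raw) == skeleton(trusted):
            return ("lookalike", trusted)
        # 2. Domain one edit away: a dropped hyphen, an extra letter, a typo.
        if edit_distance(skeleton(domain), skeleton(t_domain)) <= 1:
            return ("lookalike", trusted)
        # 3. Display name shows the trusted address or domain while the real
        #    address is elsewhere; many mail clients show only the name.
        if trusted in display_l or t_domain in display_l:
            return ("lookalike", trusted)
    return ("unknown", "")


if __name__ == "__main__":
    # Constructed sample From: headers.
    samples = [
        "Acme Supply AP <ap@acme-supply.example>",
        "Acme Supply AP <ap@acme-suppIy.example>",              # capital I for l
        "Acme Supply AP <ap@acme-supp1y.example>",              # digit 1 for l
        "Acme Supply AP <ap@acmesupply.example>",               # hyphen dropped
        '"ap@acme-supply.example" <ap@mail-hosting.example>',  # name-only trick
        "Some Random <news@unrelated.example>",
    ]
    for header in samples:
        verdict, resembles = classify_sender(header)
        print(f"{verdict:9} {header}  {resembles}")
```

A "lookalike" verdict is a prompt to pick up the phone, not proof of fraud; a legitimately renamed vendor domain will trip it too, and that is the point. Conversely, "unknown" only means the address resembles nothing on file, so a genuinely new vendor still gets the same out-of-band verification before any payment instruction is accepted.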
Stuart Berman served for 28 years with the Department of Justice as a line and supervisory Assistant United States Attorney and as a trial attorney with the Antitrust Division. He has assisted many of the firm's business clients with presenting fraud cases to federal and state law enforcement authorities, leading to cases in which defendants received lengthy prison sentences and were ordered to repay victims. He can be reached at 301-657-0729 or firstname.lastname@example.org.