You have the best employees around. When you’re in a pinch, you can lean on them to assist and get things done.
Someone else is aware of how great your employees are. No, they're not recruiters, they're cyber bandits. By exploiting your employees' conscientious work habits and eagerness to step up, these bandits use trickery and deception to fool them into wiring money — sometimes in amounts that reach six figures — to a sham account, only to take the money and run, never to be heard from again.
And it all starts with an email from the boss that looks convincingly legitimate.
This form of cyber espionage is known as business email compromise (BEC). According to the FBI’s Internet Crime Complaint Center, internet theft caused $2.7 billion in financial losses in 2018. While internet trickery targets both individuals and businesses, the latter sustains the most significant dollar losses.
How business email compromise happens
In a nutshell, this is how cyber bandits manage to pull off these heists.
- First, cyber thieves case the company, getting to know who the executives are, along with back-office staffers with access to the finances.
- Next, they infiltrate the company’s email system, so they can quietly spy on their victims. By studying vendors, purchasing trends, the CEO’s communication style and travel schedules, they’re gathering the information they need to launch their attack.
- Then, they attack. Often, the fraudsters send a spoof email that appears to come from the someone in charge (the CEO or CFO) requesting an immediate wire transfer to a familiar vendor. But instead of going to the vendor’s actual account, it goes into the cyber criminal’s account, a detail that could be easily overlooked. Because it looks like the real thing, and because the request appears to be coming from someone higher up in the company, the employee approves the transfer, and by that time it’s usually too late the damage has been done.
When this occurs, most banks will do everything they can to get the stolen money back, or stop the transfer from happening if possible. However, once the money lands in the account, the fraudsters act quickly to withdraw it or convert it to cryptocurrency — and it’s just gone forever.
Preventing cyber theft in your business
It’s easy to think you’re either too small to be on the radar of cyber thieves, or too smart to fall for their tricks. The truth is, many cyber thieves see smaller businesses as ideal targets because they’re often easier to breach. That and a bit of optimism bias may be at play here as well. Your best line of defense is to fraud-proof your organization. To build your fortress, and safeguard your business, here are some of the things you’ll need to do.
Identify vulnerable targets
Cyber thieves are looking at who’s in charge at the company and who has the authority to access and wire funds. Make a list of the top bosses (including managers and board members), along with back-office employees who have access to money.
Bolster computer security
When it comes to securing the company computers, installing security software, with regular anti-virus and anti-malware scans, and installing updates can do a lot to safeguard your systems. Use email authentication technology that quarantines emails of suspicious origin and attachments for review.
Examine BYOD protections
If you’re like many companies, BYOD (bring your own device) creates a new wrinkle in bolstering cyber security. Sometimes, it’s a matter of convenience — an after-hours email check-in is much more convenient by mobile phone, rather than opening the company-issued laptop. But when these lack security software and firewalls, that leaves your email system more vulnerable to attack. Safeguarding systems while accommodating employee preferences can create a tricky proposition for employers. That’s where solutions like mobile device management technology along with two-factor authentication come into play.
Educate employees on safe data practices
Everyone with an email address is on the front lines against a cyber attack. That’s why it’s crucial to educate and train employees on the dangers of phishing attacks, and how to recognize the surefire signs of suspicious links and email attachments. All it takes is one click, and your email system is invaded without anyone being the wiser! It’s important to reinforce these messages frequently throughout the year so that these practices stay top of mind with employees. Especially employees who may frequently request wire transfers as a part of their routine job duties.
Punch up password practices
Best practices in passwords are critical because cyber thieves are masters at cracking weak codes. Strong passwords requiring 10 characters and at least one symbol, number or capitalization — passwords not used elsewhere — can go a long way in locking out cyber thieves.
Close the gates
Tighten the number of people authorized to transfer and withdraw funds and authorize wire payments. Or, consider a dual approval system — one that requires a second person to review the request before completing the transfer, especially when they exceed a specific threshold.
Adopt a "measure twice, cut once" mindset
Once the money gets sent to fraudsters, it’s impossible to undo the action. By adding steps that verify both the origin and the destination of the money request, you’ll be set up to detect fraud before it’s too late.
- Vendor verification: Pick up the phone and speak with a representative at the vendor, ideally an already established contact.
- Authenticate the request: Before releasing funds, confirm the requester’s identity with a phone call, video conference or even a texted PIN from a designated mobile number. (By the way, never distribute or store PINs anywhere on your computer system.)
- Delay, if necessary: If the request can’t be authenticated, create a policy that empowers the employee to put the request on hold.
No one likes adding procedures to a payment process that’s designed around speed and convenience. But think of it this way: Is the convenience worth risking your working capital and the business itself? Because this form of theft can strike without warning, taking these steps can pay off in the long run. It’s important to protect your business from a potentially significant fraud loss that can be preventable with the right procedures in place.
Minnwest Bank’s cash management services give you the tools you need to streamline your business, but with the security assets to reduce your risk. Learn more by meeting with a commercial banker today.