Here’s How to Protect Your Office Against Fraud
Phishing and business-email-compromise (BEC) schemes are on the rise, causing losses in the $50,000 to $100,000 range to small businesses across the United States. More than a third of organizations said they received an email from someone pretending to be a senior manager or business partner.
New research from insurer HSB reveals an increase in suspicious emails targeting small businesses across the United States over the past year. According to the study, employees nationwide are falling for phishing schemes asking them to transfer tens of thousands of dollars in company funds into fraudulent accounts.
58% of business executives polled said suspicious emails had increased in the past year. More than a third of the polled organizations received an email from someone pretending to be a senior manager or vendor requesting payments.
In a key finding, almost half of employees receiving fraudulent emails took the bait and responded by transferring company funds, resulting in losses most often in the $50,000 to $100,000 range (37 percent) and rarely less than $10,000 (only 11 percent).
In addition to those direct financial losses, there are losses associated with damage to the company's reputation and diminished customer trust. History has shown that these hidden costs appear later down the line and are often much greater than the initial damage.
The scam is convincing because cyber thieves in many cases gain access to business email accounts and assume the false identities of company managers. With millions of Americans working remotely from home since the outbreak of the coronavirus, business email schemes could become an even bigger threat.
It’s more important than ever to employ good cybersecurity practices and thoroughly vet requests for payments. Fraudsters prey on organizations with a lack of fraud knowledge. Employing multi-factor authentication (MFA) on your email system prevents 99.9% of attacks on it. Also, active participation in the ICS Security Awareness program will help your employees stay up to date on the tactics attackers are using now, and keep your employees prepared to defend your network, system, and bank account.
Additionally, since payments of any kind are received, processed, and sent by your employees, you will want to ensure that there is an authorized and safe workflow to follow before sending money to anyone.
For example, your company policy can be adjusted to note the following:
- Confirm direct deposit information and invoices directly with vendors. Always follow up with the vendor using the known phone number, not a phone number included in the request.
- Any emails requesting the creation, change, or processing of wire payment instructions should be verified by phone. Employees should use a dependable verification channel, such as a telephone number from an employee directory, to validate new wire payment instructions because hacked emails could contain fraudulent contact information.
- Train accounting employees to make sure that the name and information listed on all invoices are exactly accurate. Fraudsters may create a fake organization with a name that is very similar to one of your vendors. In that case, small details can signal that the invoice is fraudulent. Educate those in accounting and other relevant departments on vendor impersonation and other forms of fraud to watch out for.
- Require at least two individuals, ideally in different departments, to sign off on payments to reduce the risk of fraud and collusion. Routinely audit financial records, looking for signs of vendor impersonation and other types of fraud.
Talk to an ICS representative now to secure your email systems with MFA, and to request additional guidance on updating or creating an IT Security policy to properly protect your company.