This article was originally published in The Bottom Line, 2019 edition, a CPD publication by the Wisconsin Institute of CPAs
Online fraud schemes have come a long way since the days of Nigerian royalty offering mass sums of money for assistance with facilitating an online transfer. The schemes are now more sophisticated, but the intent is the same — to take your money. There are hundreds of scams going on at any given time. Here are six of the most common today:
1. Vendor payment change request
The accounts payable department receives an email or letter from a vendor providing new ACH payment instructions. Your company doesn’t find out it has been duped until your vendor starts making collection calls, and they inform you that they were not the one that sent the payment change request.
2. Wire transfer request
The CEO is out of town. The CFO receives an email that appears to be from the CEO requesting they send a wire transfer to a new vendor. The message provides the payment instructions and emphasizes that the payment must be made immediately. Because the CEO is out of town, they cannot take a call. The payment is made, and the fraud isn’t discovered until the CEO reviews the banking statement and asks about the large transfer.
3. W-2 scam
The payroll department receives an email from an executive asking for the W-2 report for all employees. The report goes out to the fraudster impersonating the executive. The scam isn’t discovered until employees find out that fraudulent tax returns have been filed on their behalf, weeks or months later.
HR receives an email from a job seeker responding to a position posted online. The email has an attachment. Once the attachment is opened, a message is displayed that all of the files on the computer have been encrypted and to receive the decryption key, the company must pay thousands of dollars in cryptocurrency.
5. Gift card scam
The administrative assistant receives an email from their boss requesting that they buy iTunes gift cards for top customers. The assistant is asked to buy several cards at retail stores, scratch off the card codes and email them to their boss. The fraud isn’t discovered until the assistant submits an expense report.
6. “I know what you have been doing online”
You receive an email claiming that your login credentials have been compromised and that the fraudster has evidence of your questionable online behavior. To add legitimacy, the fraudster provides a recognized password that you use and requests an extortion payment for keeping silent.
How to avoid or limit the damage
As you can see, the most common fraud techniques are varied, but there are steps you can take to limit the damage done by scams or avoid them altogether. These are my top seven tips:
- Verify any request for payment or sensitive information using an “out-of-band” method. Don’t respond to the email. Call, text or walk down the hall to verify the request.
- Provide security training to all employees. Educate them on cybersecurity risks, ways to protect themselves and the company’s data (including how to spot fake emails) and what to do when they believe an error may have been made. Speed of response is critical to limiting the damage. Employees should be encouraged to alert the incident response team as soon as possible, rather than trying to mask or avoid disclosing a mistake.
- Test data back-up and recovery. The average ransomware extortion is nearly $13,000 and results in 7.3 days of downtime, costing another $64,000 on average. Make sure your backup and recovery procedures work so that ransomware doesn’t bring your company to its knees.
- Check to see if your authentication credentials were part of a data breach. Harvested login and password information from data breaches are commonly posted on the dark web. Using the same login and password for accessing the company network as you did with a company that experienced a data breach (e.g., Yahoo or LinkedIn) makes you an easy target for hackers. You can check to see if you have an account that has been compromised in a disclosed data breach at https://haveibeenpwned.com/.
- Use multi-factor authentication and/or unique, complex passwords. Multi-factor authentication (MFA) is a combination of two of the following factors: 1) something that you know (e.g., password or PIN), 2) something you have (e.g., mobile device or security token) and 3) something that you are (e.g., biometric verification). Requiring multiple credentials significantly raises the bar and makes it difficult for hackers to log in to your accounts or networks. If MFA is not available, use long, strong and unique passwords for various sites. Using a reputable password manager can make this an easier task.
- Develop and test an incident response plan. If you fail to prepare, you plan to fail. The actions a company takes within the initial hours of a cyber incident will either decrease or compound the impact. Your plan should include some resources that you don’t deal with daily, namely legal counsel, digital forensics, insurance and public relations. Develop these relationships in advance, document and exercise response procedures to improve resilience.
- Review your insurance. The consequences associated with a data breach, fraudulent online transfer or ransomware could be devastating to most companies. Have a conversation with your insurance agent to understand your current coverage and potential gaps.
The weakest link in internet fraud schemes
Today’s criminals don’t need sophisticated technology to steal your data. Instead, they gain access via the weakest link in your security chain: your too-trusting employees. It only takes one employee, one misstep or one incident to launch a full-blown cybersecurity emergency for your organization. The key idea to keep in mind when it comes to cybersecurity is “trust but verify.” You may think your network is secure, but how do you know for sure unless you test your security measures and arm your employees with the knowledge they need to help protect your organization?
Online fraud schemes continue to evolve. Stay vigilant by monitoring threat intelligence and by continuing to evolve your company’s resilience and ability to prevent, detect and respond to cybersecurity incidents. When it comes to your security, there’s no stone you should leave unturned because when it comes down to it, your company’s reputation, wallet and relationships are at stake.
Wipfli can help you protect your organization and respond to threats. Click here to learn about our cybersecurity services. Or continue reading on:
Five easy (and free or low-cost) ways to increase cybersecurity
Worried about cyber threats? Here are 3 ways MDR can help prevent data breaches
Containing and recovering from cyberattacks: How MDR can prevent you from becoming tonight’s top story