Be Aware: Spear-Phishing on the Rise
Bogus e-mails promising ways to make a quick buck have been around for years (e.g., the Nigerian e-mail scam). But criminals’ tactics are improving. We are seeing a dramatic rise in electronic payment fraud, most notably in the manufacturing sector, but across all industry segments.
See the recent Wall Street Journal article, Hackers Trick Email Systems Into Wiring Them Large Sums. According to the article and the FBI, companies across the globe lost more than $1 billion from October 2013 through June 2015 as a result of such schemes.
A common method hackers are using, called “spear-phishing,” is targeted at individuals and involves a working knowledge of the organization (e.g., CEO’s vacation schedule, a vendor, etc.). This intelligence makes it more effective than traditional “smash and grab” phishing schemes.
An example of a spear-phishing scheme might look something like this:
For this example, let’s say the CEO is Jennifer Johansson from Acme Company. The hacker sends an e‑mail, appearing to be from the CEO, to the controller with a request to send a wire transfer. The message comes from what looks to be a personal e-mail address (jjohansson@gmail.com) or from an address that looks substantially similar to the CEO’s business e-mail address (jjhohansson@acmeccompany.com). In both instances, the e-mail is coming from an actual e‑mail address, just one that does not belong to Jennifer. This message is typically sent while the CEO is traveling for business or on vacation.
The request is followed with specific wire transfer instructions to pay a vendor, who in some cases is a current vendor of the company. To the controller, the e-mail and wire instructions look legit, so the payment is made. It may be several days or weeks until it is discovered that either the vendor didn’t exist or payment was made to an account that was not the vendor’s. When it is discovered, it becomes a very expensive lesson in cybersecurity.
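The two sender addresses in the example above (a free-mail address carrying the CEO’s name, and a lookalike of the company domain) lend themselves to a simple automated check before a wire request ever reaches the controller. The following Python script is an added example, not part of the original article or any Wipfli material. It assumes the company’s real domain is acmecompany.com (the article only shows the lookalike acmeccompany.com) and uses a constructed executive directory; it flags messages whose sender name or mailbox matches a known executive but arrives from a free-mail domain, and domains within a small edit distance of the company’s own.

```python
from email.utils import parseaddr

# Constructed directory of executives likely to be impersonated.
# The legitimate domain acmecompany.com is an assumption; the article only
# shows the lookalike acmeccompany.com and the gmail address.
EXECUTIVES = {"jennifer johansson": "jjohansson@acmecompany.com"}
TRUSTED_DOMAINS = {"acmecompany.com"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(header_from: str) -> tuple:
    """Return (verdict, reason) for the raw value of a From: header."""
    display, addr = parseaddr(header_from)
    local, _, domain = addr.lower().rpartition("@")
    display = display.lower().strip()

    if domain in TRUSTED_DOMAINS:
        return ("ok", "sender is on a trusted company domain")

    # Does the display name or the mailbox name impersonate a known executive?
    # A one-character difference in the mailbox (jjhohansson vs jjohansson) counts.
    impersonated = None
    for name, real_addr in EXECUTIVES.items():
        real_local = real_addr.split("@")[0]
        if display == name or levenshtein(local, real_local) <= 1:
            impersonated = name
            break

    if impersonated and domain in FREEMAIL_DOMAINS:
        return ("suspicious", f"'{impersonated}' writing from free-mail domain {domain}")

    # Lookalike company domain: a few edits away from the real one, but not equal.
    for trusted in TRUSTED_DOMAINS:
        dist = levenshtein(domain, trusted)
        if 0 < dist <= 2:
            return ("suspicious",
                    f"domain {domain} is a lookalike of {trusted} (edit distance {dist})")

    if impersonated:
        return ("review", f"'{impersonated}' writing from unknown external domain {domain}")
    return ("ok", "ordinary external sender")


if __name__ == "__main__":
    # Constructed From: headers mirroring the article's example.
    samples = [
        '"Jennifer Johansson" <jjohansson@gmail.com>',
        "jjhohansson@acmeccompany.com",
        "jjohansson@acmecompany.com",
        '"Bob" <bob@supplier.example>',
    ]
    for s in samples:
        verdict, reason = classify_sender(s)
        print(f"{verdict:10} {s:45} {reason}")
```

A check like this belongs in the mail gateway or a rule that tags the message subject before delivery; it does not replace the out-of-band approval described below, since a genuine vendor or executive address can also be compromised outright.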
So what can you do to avoid this type of attack?
- Train your employees. Conduct formal cybersecurity training for your employees on how to protect themselves and your business. See Stay Safe Online for ideas.
- Don’t broadcast your travel schedule. Executives, and especially CEOs, should not use an automatic “out of office” reply for messages coming from outside the company. Hackers can use a broadcast initial spam e-mail as a reconnaissance tool to find people who are out of the office to target for an attack. Also, travel information should not be shared on social media channels.
- Authenticate payment requests. Set up internal policies and procedures that prohibit making payments without a secondary authentication. The secondary approval should be made through a different communication method than the first. In our example, the controller should have either spoken with the CEO or used a text message to authenticate the request. Because the request was sent via e-mail, an e-mail response to authenticate would not be acceptable.
- Talk to your bank about enhanced security features. Your bank should be able to recommend options to reduce risk. One common method is to set up dual controls (i.e., one person can set up a payment request, but another needs to approve it before it is processed).
All businesses should be on high alert and consider the preventative methods suggested above, especially employee training. This would also be a good time to have a conversation with your business insurance agent about the cybersecurity coverage for first-party and third-party damages.
If you have questions or want more information about cybersecurity, please contact Jeff Olejnik or your Wipfli relationship executive.
Author(s)
Wipfli Editorial Team