Cyber-phishing has cost companies hundreds of thousands of dollars-and not just by targeting individuals’ credit cards. Other schemes continue to defraud companies at an alarming rate.
How These Schemes Work
Typically, a CFO or controller receives an email that appears to be from their CEO or an existing vendor. In reality, the email is fake—coming from a fraudster using an email domain or aliased email address made to look like the company’s email domain. For example, bCEO@btcpallp.net is modified to bCEO@btcppalllp.net. During the course of a busy day, receiving and sending up to a hundred emails, the extra “L” in the fake domain email is difficult to spot. If the company does not have the proper controls in place to prevent money from being sent, this could result in a big catch for a phisherman.
In the case of the impostor CEO, the email correspondence directs the CFO or controller to wire money overseas as soon as possible and includes the wiring instructions and associated account information. In the case of the vendor, the email directs the company to update the wiring instructions and to use a new deposit account. Once the funds are transferred, the money is immediately removed from the account by the fraudster and the account is closed. In addition to the financial loss, what causes so much concern with this particular scam is that the perpetrator appears to:
- have identified the individuals responsible for initiating, approving and authorizing wire transfers;
- know the dollar thresholds for authorizing a wire transfer; and
- have accessed email, calendars and voicemail systems.
Here’s the scary new twist: One construction CFO received an email from the CEO that was a fake, requesting a wire transfer. Having the proper procedures in place, the CFO walked down to the CEO’s office to verbally confirm that the request was legitimate. The CEO was in a meeting, so the CFO went back to his office only to find a second fake message indicating the CEO was in a meeting and please go ahead and send funds. The cyber-phisherman had gotten into the company’s internal messaging system and was able to tell when the CEO would be absent from his desk. Fortunately, the CFO and the company had controls that prevented such a transfer without written approval.
Following are a few warning signs to look for.
- The email domain is similar to the actual company domain.
- The email contains a sense of urgency.
- The email may contain improper grammar.
- The request is for first-time vendors or a change of existing vendor account information.
- The request is made to employees who are relatively new to the role or new to the organization.
- The dollar amount requested to be transferred is just below approval authorities.
- The business does not have operations or vendors overseas where the funds are requested to be transferred.
- The email directs the recipient to code the payment to miscellaneous expense or professional services.
A contractor might think its organization would never be lured to fall for such a phishing scam given the warning signs above. But beware, corporations, law firms and agencies, including the FBI, are reporting this same scam from all types of companies and across all industries with a high success rate.
What to Do When Hooked
If the wire transfer has been initiated by an approved company employee, there is not much chance of recovering the funds. The bank is not held liable as long as it follows the proper protocols. Once the fraud is discovered, contact the bank’s fraud department immediately and direct it to stop the payment and freeze the recipient account. Typically, the funds are cleared out within hours of the transfer, so acting fast is imperative.
It’s possible to recover all or a portion of the loss through insurance. Review the firm’s insurance policies and contact the carrier to determine if the appropriate coverages exist. It may be necessary to file a report with federal and local authorities in order to submit a claim.
How to Prevent Getting Caught
Because the funds are so difficult to recover, prevention is the key to not falling victim to this scam.
- Require vendor approvals. Have strong vendor acceptance procedures that include verifying the vendor and any changes to the vendor master file, including wiring instructions. Require validation of new banking information.
- Require payment approvals. Make sure all supporting documentation is in place prior to initiating a wire transfer of funds, including invoices, purchase orders and a substantiation of a valid business purpose. Consider having positive confirmation or second-level approvals for amounts exceeding specified thresholds.
- Frequently train and communicate with accounting and finance staff. Raise awareness of this scam by discussing it with staff and sharing the associated red flags with the accounting department. Train personnel on the controls in place to ensure proper authorization and payment.
- Update IT controls. Be sure firewalls, anti-virus and spam filters are up to date.
Keep in mind that phishermen are out there looking for an unsuspecting catch. Their new lures are so life-like and tempting, but don’t take the bait.
Justin Snell is a director in Bennett Thrasher LLP’s disputes, valuation and forensics practice, and Scott Hazy is a partner in the firm’s financial reporting and assurance department. For more information, visit btcpa.net.