You have probably heard about those emails that claim to be from the big boss and often start off with a line similar to this: “I need you to do something for me.” Frequently there is also an implied sense of urgency that makes the average worker bee jump to attention when such an email hits their inbox. Unfortunately, criminals have figured out that impersonating a person in authority at an organization, or even a known vendor to whom you may remit payments, often results in action being taken that benefits the criminal. Let’s look at a few different ways this fraudulent scenario may play out, as well as a few tips on how to protect your organization from falling victim to these crimes.
The Email from the Boss
At a quick glance, an incoming email appears to be from the CEO, Joe Smith. Joe is asking you to send a wire of $25,000 immediately to pay for a shipment that needs to go out today. In the email, Mr. Smith tells you he will be in meetings all day, so you sense the urgency and the importance. Mr. Smith was even kind enough to send you all the wire details, including routing and account information and the beneficiary’s information. Without a second thought, you create the wire and have a coworker approve it in your online banking platform. A few hours later, you see Mr. Smith in the break room and let him know the wire was sent out just as he requested. Your first sign of trouble is the puzzled look on his face. Upon closer review of the email, you see the email came from Jo Smith, but your CEO’s actual email address is Joe Smith.
Vendor Payment Details
EHN Company has been a longtime vendor with your organization, and they send invoices via email, which you process for payment on a daily basis. EHN’s new employee, Ken Jones, introduces himself via email and goes on to explain that he has been tasked with updating EHN’s processes and procedures. Through several emails back and forth, you kindly share how your process works and how well it has been working for the last few years. A few days later, Ken sends an email requesting that EHN’s payment remittance information be updated to a different financial institution—with a new routing number and account number. You thank Ken for helping you keep your information up-to-date, and, when the next invoice from EHN is emailed to you, you process the payment to the updated account. A few days later, EHN sends you another invoice claiming non-payment. You inform them that you submitted the payment to the updated account information provided by Ken Jones. EHN responds that they did not update their remittance account information, and they’ve never heard of Ken Jones.
These are just two examples of how organizations are falling victim to this type of crime, which has been dubbed “Business Email Compromise” or BEC. In both of the previous scenarios, the crime may have been stopped if there were more controls in place.
As you review your internal processes, these are a few questions you may want to ask:
- Who within your organization can request a payment to be sent?
- How are those requests sent?
- What approval process do you have for payment requests?
- What procedures do you have in place to update account information for your vendors?
As technology advances, so do the ways that criminals try to infiltrate our systems and access money that does not belong to them. The use of external confirmation procedures and taking a few minutes to ask yourself, “Does this make sense?” could save you from falling victim to this type of scam.