Business email compromise scams are still a costly force to be reckoned with. And your Finance team can’t afford to let its guard down.
For example, First Citizens Community Bank, which has locations in Delaware, New York and Pennsylvania, recently issued a press release warning its business customers about a new, rising wave of email payment scams.
Cybercrooks have been hijacking email accounts and posing as vendors, customers and sometimes even employees. The emails claim that the sender has changed banks and ask that all payments be sent to the new bank from now on.
“If the request is fraudulent, a person may mistakenly end up sending payments via ACH or wire transfer to a fraudster. When this happens, the funds are lost, and the victim will still be responsible for the money owed,” the release stated.
First Citizens urged businesses to “stop, call and verify” all such requests that are made by email. It’s important to use the phone number you have on file for the sender.
The bank’s information security officer, Wendy Southard, told the Reading Eagle newspaper: “Whenever you receive a suspicious email, pick up the phone and call your vendor or your bank. A quick phone call can save you thousands.”
If you suspect that you’ve been a victim of payment fraud, you need to notify your bank and file a report with the FBI’s Internet Crime Complaint Center at ic3.gov.
Meanwhile, scams can even show up in text messages on your smartphone.
“Smishing” – a combination of social engineering and phishing – is when a criminal poses as a supervisor or senior leader and attempts to persuade an employee with a “do it right now, or else” text to provide them with goods or sensitive information to commit fraud (including gaining entry to a company’s network).
Because employees are hesitant to say no to their boss, they get talked into doing things they normally wouldn’t do – making a wire transfer or providing anything from gift cards to cryptocurrency to a company/personal credit card or Social Security number.
Just like with the email scam, let your people know that if this ever happens, they should avoid tapping any links in the message and directly contact the person by another means of communication – such as a phone call – to confirm their identity.
If applicable, it’s also smart for employees to check the number the text is coming from against any existing entries for their boss in their contacts. It also might not be a bad idea to encourage employees to check with a co-worker for their opinion on whether the request seems legit.