Seven ways to avoid being scammed
Spring is a busy time of year for accountants and, apparently, for scammers trying to trick companies out of millions of dollars. We’ve reported before about imposter IRS agents who call individuals and demand debit card payments of allegedly owed taxes to avoid police action, or who try to obtain confidential data such as Social Security numbers for identity fraud. The IRS NEVER initiates requests for payment via the telephone, so these scams are fairly easy to detect.
The latest scam attempt involves official-looking business emails that seem to come from an executive within a company (typically the CEO, CFO or owner) to a subordinate, requesting an immediate wire transfer of a large sum, usually to a foreign vendor or bank, for a confidential transaction. The request may also appear to come from a vendor, asking someone in accounts payable to change the wiring instructions and other contact information. The email is typically brief and specific, and often includes what looks like a forwarded email from another known executive. The fraudsters are very clever and apparently have access to information such as the executive’s travel schedule or specific information about the vendor. The sender’s email may come from a compromised account within the company or from a look-alike domain that has one or two letters changed. For example, “fortune500.com” might be “f0rtune500.com,” with a zero replacing the “o.”
According to FBI statistics from 2015, as much as $750 million was lost in the U.S. between 2014 and 2015 to wire fraud schemes. The U.S. Secret Service suggests the figure could be as high as $1 billion.
Unlike mass-email phishing scams, these targeted emails tend to slip by spam traps. They contain email addresses, names of specific company staff and other information gathered from the company’s own website to make them more convincing. The request appears to come directly from a senior executive, making it difficult for subordinate employees to disregard. The perpetrators have researched the company, its executives and the responsibilities of the staff they contact, so the emails are extremely targeted and, therefore, believable.
We have heard from several clients that have been approached with these scams. Luckily, they detected that something looked fishy and did not comply. In some cases, they called the supposed sending party and confirmed that it was a fraudulent request. However, we know of several other companies in the Atlanta area that have not been so lucky. As the bogus email instructed, funds were wired to the requested bank, where they were quickly moved. Since the banks were located in foreign countries that were not cooperative, the money was lost with no recovery rights against the bank or insurance company. Typically the losses have run over six figures. Many people suspect the funds are being used to fund terrorist activities.
What can businesses do to protect themselves?
- Ensure there are processes in place for wire transfers and other payments that include checks and balances. This could be as simple as checking with the CFO or another designated executive in person to verify that the request is legitimate, or waiting a specific amount of time before any request is processed. Typically, wire transfers should require two approvals.
- In case of vendor changes, pick up the phone and verbally confirm the change. Do not send a reply email since it will never reach the real vendor.
- Ensure that all payments can be tracked to verifiable purchases or orders. (However, we’ve learned that, in some cases, the fraudsters had information about verifiable purchases or orders, and the customer did not realize the payments were not being received until the real vendor contacted them about past due invoices.)
- Ensure that multiple authorizations are required before payments are issued.
- Add multi-factor authentication for communication relating to sensitive issues such as finances. This makes it harder for imposters to pose as company officials.
- Purchase domain names that are variations of your company name. Consider common misspellings of your name, transposed letters, and substituted characters that might be easily overlooked, such as a lower-case “L” (“l”) for an upper-case “i” (“I”) and a “3” for an “E.”
- If you are contacted and suspect a scam attempt, contact the FBI or Secret Service immediately. Also keep your bank informed, when appropriate.
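The look-alike sender domains described above (a zero for the “o,” an “l” for an “I,” a “3” for an “E,” or a transposed letter) can also be screened for mechanically before a payment request reaches accounts payable. The Python below is an added example, not part of the original article; the function names, the two-edit threshold, the extra “1”-for-“l” mapping and the sample addresses are assumptions made for illustration.

```python
# Character swaps named in the article (0/o, l/I, 3/E); 1/l is an added assumption.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "i": "l"})

def skeleton(domain):
    """Lower-case a domain and fold look-alike characters onto one form."""
    return domain.lower().rstrip(".").translate(CONFUSABLES)

def edit_distance(a, b):
    """Count inserts, deletes, substitutions and adjacent transpositions."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two adjacent letters swapped counts as a single edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(address, trusted_domains, max_edits=2):
    """Return (verdict, matched_domain) for one sender address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in trusted_domains:
        return ("trusted", domain)
    for good in trusted_domains:
        if skeleton(domain) == skeleton(good):
            return ("lookalike-substitution", good)
        if edit_distance(domain, good) <= max_edits:
            return ("lookalike-edit", good)
    return ("unrelated", None)

# Constructed sample data: the company and vendor domains you actually deal with.
TRUSTED = ("fortune500.com",)
SAMPLE_SENDERS = (
    "cfo@fortune500.com",          # genuine domain
    "ceo@f0rtune500.com",          # zero in place of "o"
    "payables@fortnue500.com",     # two letters transposed
    "billing@example-vendor.com",  # unrelated domain
)

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(sender, classify_sender(sender, TRUSTED))
```

A “trusted” verdict only means the domain is spelled correctly; it says nothing about a compromised account inside the company, so the phone confirmation and dual-approval steps above still apply.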
For more information on how to protect yourself and your company from scams and fraud, contact the partner or manager at WBL you work with, or Laura Speir, partner in charge of client accounting services (email@example.com), at Williams Benator & Libby, LLP.