What You Can Do To Prevent Wire Fraud
Electronic payment attacks are on the rise, and small-to-mid-sized businesses are the target as more and more of them look to ACH and electronic payments as a means of facilitating business with vendors.
While wire transfer fraud schemes have been around as long as electronic payment methods have existed, the pandemic-related shift to remote work led a lot of SMBs to dive into ACH and electronic payments as an alternative to facilitating remote signatures or deposits of physical checks. Losses from business fraud related to email compromise saw a 29% increase in loss-per-victim between 2019 and 2020, and the FBI estimates that only 12-15% of all wire fraud is reported. Add to that the increase in successful phishing and email compromise schemes, and you’ve got yourself a wire fraud epidemic.
Though there have been some gains in the ability to identify and try to reclaim funds, these fraud attacks tend to victimize both payer and payee, as many SMBs don’t have insurance that will cover these fraud attacks, and efforts to work with the FBI to reclaim funds are often futile or can take years.
We’ve seen our share of businesses targeted by these attacks, and they come in all varieties of timing and complexity. In some cases, attackers will sit in a compromised mailbox for months (7 months used to be the average), watch payable history, look for keywords that signify changes in funds, and wait for an opportunity to intercept an invoice and use basic, over-the-counter editing software to change the account information to the bank of their choice. In others, a simple customer list and a generic email address (e.g. “firstname.lastname@example.org”) can be enough to create a mocked-up invoice for goods or services that will be paid without approval.
So how do you prevent wire fraud from affecting your business? Not all solutions are overly technical in nature. In fact, the easiest thing to do is to voice verify a change in payment information with your vendors should one come through. One advantage smaller businesses have is that your billing expert is likely familiar with most of your vendors by name, which allows a change of destination or personnel to be recognized. Regardless, use published contact information from a trusted resource, or your own local address book, to make the verification call; don’t trust the phone number on the mocked-up invoice that the hackers sent. Most are smart enough these days to make that number a direct dial to themselves.
As a vendor yourself, reassure your customers that you will always provide ample notice and secure transmission of any change to payment information, and that you will voice verify that change in information should one occur. We’ve just taken the opportunity to send another reminder to our customers to this effect, so that we can remind everyone to be more careful with their transfers.
Finally, as a technologist, I’d be remiss not to advise taking an opportunity to review your own cybersecurity practices and overall email security. If you aren’t using multi-factor authentication for your email (and internal systems) by now, then you must. Run, don’t walk, to the settings and get them updated. Yes, there may be a cost to upgrade to licenses that allow MFA, but it’s worth it. And it’s basically considered the bare minimum protection if you ever do need to make an insurance claim related to fraud. Simple cybersecurity training for your employees can help your people watch out for bad actors with minimal time or money invested by you.
If you need help with cybersecurity or ensuring that your technology stack isn’t an open invitation to professional cybercriminals, contact us at NetStandard and we’re happy to help take a look.