October is Cybersecurity Awareness Month, which is a great time to remind employees of the importance of staying alert to prevent business email compromise.
Email fraud isn't new, but cyberthieves are still effective at tricking employees into unknowingly assisting with the crime, such as wiring money to a bogus account. In fact, email scams remain the leading cause of payments fraud for businesses, affecting 71% of organizations in 2022.[1] The consequences are expensive. Once the fraudster has the money, it's not always possible to claw it back: 44% of businesses recovered none of the funds lost to payment fraud, and another 27% recouped no more than 75% of them.
Getting the message across can be tricky. The advice "don't fall for scammers" sounds like common sense. Email fraudsters are the wolf in grandma's clothing, and no one wants to believe they could be deceived. That's human nature.
Fraudsters are good at exploiting another side of human nature: the desire to be good at your job. Manipulating people this way is called social engineering.
How business email compromise works
- A cybercriminal uses email to impersonate a boss, a colleague, a vendor — someone the employee has worked with.
- The email carries a bogus request: a wire transfer, new login credentials, or a change to the account that ACH payments are sent to.
- Because the employee wants to help, particularly when the request appears to come from a boss, there's a built-in pressure to respond or take action quickly.
The methods fraudsters use to infiltrate inboxes can vary.
- 73% of businesses say they received messages from spoofed email accounts. The message may display a trusted person's name so that, at first glance, it appears to come from them, even though the underlying address is not theirs.
- 54% received fraudulent messages from a compromised email account, which lets the cyberthief send bogus requests for account changes or wire transfers from a genuine address that the recipient already trusts.
Stepping up your defenses against bogus requests for funds and access to your business email takes a three-pronged approach: education, procedures and security. Here are some tips and best practices from the experts at Minnwest Bank.
1. Train your staff
Make sure employees are well-versed in the different forms of email fraud and the best practices that thwart them. Provide training that helps employees recognize the signs and treat any emailed request involving system access or payment with caution.
- Be on guard with urgent-sounding requests: fraudsters create a sense of urgency to trick employees into reacting before they have a chance to question the request.
- Don’t click on suspicious links or attachments.
- Look at the sender's details: email fraud often comes from an unknown address, or from an address remarkably similar to one you know (one letter swapped, or a different domain ending).
- Trust your gut: in hindsight, nearly every email scam had something that should have set off a gut reaction that something wasn't quite right, such as a sender using an unusually polite tone or deviating from their routine.
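As an added illustration of the "look at the sender's details" advice, the script below is example code written for this page (not a Minnwest tool or anything from the AFP report). It checks a message's From: and Reply-To: headers against a constructed directory of known contacts and flags the two spoofing patterns described above: a familiar display name sitting on an address that is not that contact's, and a lookalike domain one character off a vendor's real one. It also flags a Reply-To: that diverts replies elsewhere, a common pattern in these scams. The contact names, addresses, sample headers and the similarity threshold are all assumptions made up for the example.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample directory (assumption): the people and vendors an employee
# legitimately exchanges payment or account emails with. A real deployment would
# draw this from the accounts-payable vendor master or the company address book.
KNOWN_CONTACTS = {
    "Dana Reyes": "dana.reyes@example-corp.com",   # "the boss"
    "Acme Supplies AP": "ap@acmesupplies.com",     # a vendor's AP mailbox
}

LOOKALIKE_THRESHOLD = 0.85  # assumption: tune this against your own domain list


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like(a, b):
    """True when two domains are nearly, but not exactly, the same."""
    return a != b and SequenceMatcher(None, a, b).ratio() >= LOOKALIKE_THRESHOLD


def check_sender(from_header, reply_to_header=None):
    """Return a list of warnings for a message's From: (and optional Reply-To:).

    An empty list means none of the spoofing patterns were seen. It does NOT
    mean the mail is genuine: a compromised real account passes every check
    here, which is why out-of-band verification is still required.
    """
    warnings = []
    name, addr = parseaddr(from_header)
    name, addr = name.strip(), addr.lower()
    domain = domain_of(addr)
    known_domains = {domain_of(a) for a in KNOWN_CONTACTS.values()}

    # 1. Display-name spoofing: a familiar name shown on an address that is not theirs.
    for known_name, known_addr in KNOWN_CONTACTS.items():
        if name.lower() == known_name.lower() and addr != known_addr.lower():
            warnings.append(f"display name '{name}' but address is {addr}, not {known_addr}")

    # 2. Lookalike domain: almost, but not exactly, a domain the business deals with.
    for kd in known_domains:
        if looks_like(domain, kd):
            warnings.append(f"sender domain '{domain}' resembles known domain '{kd}'")

    # 3. Reply-To pointing away from the apparent sender, so the employee's reply
    #    (and any follow-up questions) go to the fraudster instead.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        reply_addr = reply_addr.lower()
        if reply_addr and domain_of(reply_addr) != domain:
            warnings.append(f"replies go to {reply_addr}, not the From: domain '{domain}'")

    return warnings


if __name__ == "__main__":
    # Constructed sample headers, one per pattern.
    samples = [
        ("Dana Reyes <dana.reyes@example-corp.com>", None),                         # genuine
        ("Dana Reyes <dana.reyes.ceo@gmail.com>", None),                            # display-name spoof
        ("Acme Supplies AP <ap@acmesuppiies.com>", None),                           # lookalike domain
        ("Dana Reyes <dana.reyes@example-corp.com>", "dana.reyes@mail-relay.net"),  # diverted replies
    ]
    for frm, rt in samples:
        print(frm, "->", check_sender(frm, rt) or "no spoofing indicators")
```

The important limitation is the one in the docstring: the 54% of fraud that arrives from a compromised account (a real address, real display name, no lookalike) produces no warning at all, so a check like this supplements the phone-call verification described under procedures below rather than replacing it.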
2. Put procedures in place
While training employees to be aware of email fraud is essential, it's equally important to have protocols that take the guesswork out of putting that awareness into practice.
- Verification: verify every emailed request for an account change, wire transfer or other sensitive action before acting on it. Look up the contact's phone number from a source other than the email (a vendor record on file, a company directory), never from the email's signature, and call to confirm the request. Some businesses add pre-arranged code words or personal identification numbers spoken over the phone as a further layer of authentication.
- Reporting: emphasize the importance of reporting suspicious emails or transactions immediately.
- Response: make an easy-to-follow checklist for supervisors and other authorized employees to follow when a breach happens.
- Support: Attitude is everything. Waiting for verification is inconvenient, but it’s worth it. Don’t push employees to make exceptions or override procedures. Instead, commend them for being attentive and proactive.
3. Secure your email system
From the information technology side of the house, deploy these best practices to enhance the security of your email system:
- Require strong passwords
- Encrypt company email containing sensitive information
- Implement multi-factor authentication (MFA)
- Keep anti-virus and malware protection up to date
Minnwest cash management tools
Minnwest Bank’s cash management tools can help you manage your money safely and efficiently. Positive Pay establishes a verification system for ACH and check payments, giving you another line of defense against forgeries. Talk to a cash management specialist to learn how our tools can help you block unauthorized transactions.
[1] Association for Financial Professionals, 2023 AFP Payments Fraud and Control Survey Report