How To Recognize Money Transfer Scams And Avoid Getting Duped

The announcement on Monday about fraud activity affecting the Columbia Savin Hill Civic Association (CSHCA) highlights the importance of recognizing money transfer (or wire transfer) scams. This criminal activity affects businesses of all sizes, and both for-profit and non-profit organizations.

The Federal Bureau of Investigation (FBI) calls these scams “Business E-mail Compromise” (BEC), since the fraudsters often target executives within a company using phishing e-mails designed to trick victims into revealing sensitive bank account and sign-in credentials (e.g., usernames, passwords):

“At its heart, BEC relies on the oldest trick in the con artist’s handbook: deception. But the level of sophistication in this multifaceted global fraud is unprecedented… Carried out by transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers, BEC can take a variety of forms. But in just about every case, the scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners—except the money ends up in accounts controlled by the criminals.”

From January 2015 to February 2017, there was a 1,300 percent increase in financial losses due to these scams, totaling $3 billion. To trick victims, criminals use a variety of online methods including spear-phishing, social engineering, identity theft, e-mail spoofing, and the use of malware. (If these terms are unfamiliar, then you probably don’t know enough to protect yourself.) Malware, or computer viruses, is often embedded in documents attached to e-mail messages, which is another reason not to open e-mail attachments from strangers.

Forbes Magazine reported in April:

“Fraudsters target the CEOs and CFOs at various companies and hack their computers. They collect enough information to learn the types of billing the company pays, who the payees are and the average balances paid. They then spoof a customer or, in other words, take their identity, and bill the company with wire transfer instructions to a scam bank account.”

Some criminals are particularly crafty: they pretend to be a coworker, customer, or vendor and use a slightly altered sender’s e-mail address, hoping the victim won’t notice. This technique is successful more often than you might think. Example: a valid sender’s e-mail address might be johnson@XYZcompany.com, while the scammer uses johnson@XYZcompamy.com. Did you spot the tweak? If not, then you’ve just wired money directly to the criminal’s bank account instead of to a valid customer, client, or vendor. Most e-mail software allows users to view the real sender’s e-mail address and not rely solely upon the displayed e-mail address.
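The check described above can also be automated on incoming mail. The following Python sketch is an added example, not part of the original article: it extracts the real sender address from a From header, flags domains that are a near miss of a trusted domain, and flags a display name that shows a different domain than the real address. The allow-list, function names, and distance threshold are assumptions.

```python
import re
from email.utils import parseaddr

# Assumed allow-list: domains the organization really does business with.
TRUSTED_DOMAINS = {"xyzcompany.com"}

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits from a to b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete a character
                           cur[j - 1] + 1,             # insert a character
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def check_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (real_address, findings) for one From header value.

    findings is empty for a trusted domain and for a domain that is
    not close to any trusted one (unknown senders need other checks).
    """
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    findings = []
    if domain not in trusted:
        near = sorted(t for t in trusted
                      if edit_distance(domain, t) <= max_distance)
        if near:
            findings.append(f"lookalike of {near[0]}")
    # A display name may itself contain an address; compare its domain
    # with the domain the message really came from.
    shown = re.search(r"@([\w.-]+)", display_name)
    if shown and shown.group(1).lower() != domain:
        findings.append("display name shows a different domain")
    return address.lower(), findings

if __name__ == "__main__":
    # Constructed sample headers based on the article's example addresses.
    samples = [
        'Johnson <johnson@XYZcompany.com>',
        '"johnson@XYZcompany.com" <johnson@XYZcompamy.com>',
    ]
    for header in samples:
        print(check_sender(header))
```

A flagged message still calls for the out-of-band verification the FBI recommends; the check only narrows down which requests deserve that extra scrutiny first.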

There are several things people can do to protect themselves and their organization’s money. Learn to recognize money transfer scams and phishing e-mails. These bogus e-mails often contain spelling errors (e.g., in the message body) and/or a request to immediately wire an unusually large amount of money. Most importantly, the FBI recommends:

“The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.”

Since criminals use text messaging, that means don’t rely on text messages alone either.

Wise organizations realize that they have choices about which of the newer digital payment options to adopt, and they evaluate the benefits against the risks and costs. Often, the payment methods which many people dismiss as “old school” can be as secure as (or more secure than) the newer digital payment options.