David Shuster of Managed IT Experts in Dunfermline shares his insights on the latest scam
If you received an email from your colleague or your boss, you probably wouldn’t question whether it is genuine. Why would you, especially if it asks you to take urgent, business-critical action?
That is how the new scam works – by tricking employees into making payments to fraudsters while they believe they are simply following a senior colleague’s instructions.
Police, Financial Fraud Action UK and IT security firms are seeing a worrying rise in money-transfer scams delivered via email from fraudsters claiming to be a company boss. Shockingly, it is not unusual for small businesses to lose up to £100k due to email scams. This risk to business is yet another in a long line of so-called ‘phishing emails’, which attempt to steal identities, hijack computer systems or steal from unsuspecting victims.
How do scammers do it?
Clever digital impersonations of senior staff at companies that have not considered their email security are now commonplace: either business systems get hacked, or criminal gangs research staff email addresses. Online criminals set up what appear to be credible duplicate email accounts for senior finance staff and use ‘urgent instructions’ to transfer money to extract funds from that company’s finance team.
UK crime figures now include online crimes, which this past year totalled 7.6 million cyber security breaches. Organised crime is investing in digitally savvy fraudsters who develop software that manipulates the characteristics of an email so that the phishing email’s sender address looks genuinely like that of a business owner, Finance Director or another person responsible for making bank transfers.
The email will request an instant payment, often outside of normal procedures, and will usually give a critical reason for immediate action, for instance the need to secure a major contract. The received funds are then quickly withdrawn.
Are you protected by your bank?
Cases are being referred to the Financial Ombudsman Service about banks refusing to cover wrongful payments associated with so-called ‘phishing’ expeditions. This means that the costs of digital criminality potentially threaten a business’s longevity.
There are a number of ways to protect yourself from spoof emails, and they need not break the bank. Most measures are common sense and can prevent the crime altogether, or at the very least put off opportunistic criminals looking for the ‘line of least resistance’.
A few ways to protect your business from email scams
Apart from the obvious measures of ensuring firewalls and anti-virus software are up to date, there are some practical procedures any business or organisation can adopt to protect against email scams. Here are a few provided by Financial Fraud Action UK:
Anyone receiving such an email, pushing for a swift response, should double check the unusual payment request immediately. A suspicious recipient should telephone the person who is allegedly making the request to confirm that the instruction is genuine.
Do not use the contact details listed in the suspect email; check your own contact lists instead, as calling a number supplied in the email may put you through to the criminals directly.
Establish a risk management process within your organisation which documents requests and offers counter-checks for authorising all payments. Detail staff procedures for maintaining evidence and reporting fraudsters.
Any request to make a payment outside of your company’s standard procedures should be viewed suspiciously and treated accordingly.
Ensure IT policy includes measures for ensuring email passwords are as strong as possible.
Look into automated solutions that can offer businesses complete peace of mind, without massive financial outlay.
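As an added example (not from the article or from Managed IT Experts), the script below turns the warning signs described above into a small screening check on an incoming message: a display name that matches a senior member of staff but an address that does not, a look-alike domain, a Reply-To pointing somewhere else, and urgent payment language. The company domain, executive list and sample message are all constructed.

```python
# Added example: flags the boss-impersonation pattern the article describes.
# Domains, names and the sample message are constructed, not real data.
from email import message_from_string, policy
from email.utils import parseaddr
import re

COMPANY_DOMAIN = "example-ltd.co.uk"                      # assumed real domain
EXECUTIVES = {"jane doe": "jane.doe@example-ltd.co.uk"}   # constructed directory
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|wire|transfer|payment)\b", re.I)

def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw):
    """Return the reasons this raw RFC 822 message looks like boss impersonation."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    dom, reasons = domain_of(addr), []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:            # name matches, address does not
        reasons.append(f"display name '{name}' but address {addr} is not {known}")
    if dom and dom != COMPANY_DOMAIN and edit_distance(dom, COMPANY_DOMAIN) <= 2:
        reasons.append(f"look-alike domain {dom}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != dom:          # replies diverted elsewhere
        reasons.append(f"Reply-To {reply} differs from sender domain {dom}")
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    hits = sorted({m.lower() for m in URGENCY.findall(text)})
    if len(hits) >= 2:                             # pressure plus a payment request
        reasons.append("urgent payment language: " + ", ".join(hits))
    return reasons

SAMPLE = """From: Jane Doe <jane.doe@example-1td.co.uk>
Reply-To: jane.doe@webmail.example
To: accounts@example-ltd.co.uk
Subject: Urgent transfer needed today
Content-Type: text/plain

Please make the payment immediately to secure the contract.
"""

if __name__ == "__main__":
    for reason in bec_indicators(SAMPLE):
        print("-", reason)
```

Any message that produces one or more reasons is a candidate for the telephone check described above, using a number from your own contact list rather than one in the email.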