Protecting Your Business:
- Avoid free, web-based email accounts.
- Monitor content on corporate social media accounts, particularly job duties/descriptions, hierarchical information and out-of-office details.
- Raise suspicion about a request for secrecy or pressure to take action quickly.
- Flag any request from vendors, suppliers, or customers involving payments that suddenly changes instructions, such as asking to route email through a personal email address or to send payments to a different bank account.
- Consider additional IT and financial security procedures, including two-step verification.
- Use out-of-band communication to confirm requests.
- Use digital signatures (note that they do not work with web-based email accounts).
- Delete spam
- Forward rather than reply: when responding to a business email, forward it and type or select the correct recipient address instead of using the Reply option.
- Two-factor authentication for corporate email accounts.
- Enact email rules that flag messages from domains (extensions) similar to the company's own email domain.
- Register ALL company domains that are slight variations of your actual company domain.
- Verify changes in vendor payments by adding two-factor authentication, such as a secondary sign-off outside email from specially designated personnel.
- Confirm requests for funds transfers using a method such as a phone call to a phone number in your system, other than email.
- Pay attention to your customers’ routines, including the details and amount of payments.
- Scrutinize all emailed fund transfers.
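The rules above for flagging lookalike sender domains and for treating Reply-To addresses that point to free, web-based email accounts with suspicion can be implemented as a simple inbound-mail check. The following is an added example written for this page, not code from the original source or from any product it describes; the company domain `example-corp.com`, the `HOMOGLYPHS` substitution table, the `FREE_WEBMAIL` set and the sample message headers are all constructed placeholders that a real deployment would replace with its own values.

```python
"""Flag inbound mail whose sender domain looks like the company's domain, or whose
Reply-To diverges from the From address (added example; not from the original page)."""
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumption: stand-in for the real company domain

# Visual substitutions commonly seen in lookalike domains, mapped back to the
# character they imitate so that "rn" compares equal to "m", "0" to "o", etc.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

# Free webmail providers (assumed list) where a Reply-To deserves extra scrutiny.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}


def normalize(domain: str) -> str:
    """Lower-case a domain and collapse homoglyph substitutions."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, company: str = COMPANY_DOMAIN, max_distance: int = 2) -> bool:
    """True if `domain` imitates `company` but is not the company domain or a subdomain of it."""
    d = domain.lower().strip()
    if not d or d == company or d.endswith("." + company):
        return False  # the genuine domain, or a subdomain of it
    nd, nc = normalize(d), normalize(company)
    return nd == nc or levenshtein(nd, nc) <= max_distance


def domain_of(header_value: str) -> str:
    """Extract the domain part of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(headers: dict) -> list:
    """Return a list of human-readable flags for one message's headers."""
    flags = []
    from_dom = domain_of(headers.get("From", ""))
    reply_dom = domain_of(headers.get("Reply-To", ""))
    if is_lookalike(from_dom):
        flags.append(f"lookalike sender domain: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain differs from From: {reply_dom}")
    if reply_dom in FREE_WEBMAIL:
        flags.append(f"Reply-To is a free webmail account: {reply_dom}")
    return flags


# Constructed sample headers: one genuine message, one homoglyph lookalike,
# one genuine From with a webmail Reply-To, and one truncated-TLD lookalike.
SAMPLE_MESSAGES = [
    {"From": "CFO <cfo@example-corp.com>", "Reply-To": "", "Subject": "Q3 numbers"},
    {"From": "CFO <cfo@examp1e-corp.com>", "Reply-To": "", "Subject": "Urgent wire"},
    {"From": "CFO <cfo@example-corp.com>", "Reply-To": "cfo.example@gmail.com", "Subject": "Confidential"},
    {"From": "Vendor <ap@example-corp.co>", "Reply-To": "", "Subject": "New bank details"},
]


def scan(messages: list) -> list:
    """Run check_message over a batch and pair each subject with its flags."""
    return [(m["Subject"], check_message(m)) for m in messages]


if __name__ == "__main__":
    for subject, flags in scan(SAMPLE_MESSAGES):
        print(subject, "->", flags or "no flags")
```

Messages that produce flags are the ones to route to the out-of-band verification step (a call to a number already on file) rather than acting on the email itself; the distance threshold and the homoglyph table are tuning knobs that should be adjusted to the company's own domain to keep false positives manageable.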
What to Do if You Are a Victim:
- Contact your financial institution immediately!
- Contact your local FBI office.
- File a complaint, regardless of monetary loss, at IC3.gov.
Best Practices to Mitigate Payments Fraud:
- Always verify the authenticity of the payment request. Call back the person who is requesting the payment from a known phone number.
- Implement a call-back verification process when setting up payment instructions for a new vendor or making changes to payment instructions for an existing vendor.
- Implement dual control and segregation of duties.
- Education is key! Understanding email scams and educating your employees is critical in protecting your financial assets.
- Test your fraud health.
- Implement a cybersecurity policy and review it often.
- Review your business insurance policy. Does it cover financial losses due to cybersecurity fraud?