Situation: An employee of a company received an email requesting a wire of $16,400 for professional fees. The request appeared to come from the manager of the company; however, the email was spoofed and the request was fraudulent. The email asked that the funds be wired to an individual to pay an invoice. Believing the request was legitimate, the employee unknowingly communicated with the fraudster in an effort to get approval for it. A review of the details of the email communication showed that it came from an unknown email address. An internet search on the wire beneficiary found at least one criminal record.
Potential loss: The potential loss for this scenario was $16,400, including confidential account information listed on the check. A company should also consider the cost of its time to contact law enforcement, close the compromised account, open a new account, notify existing vendors with automated payments of the new account, and review internal procedures.
Defense: How can companies avoid this threat? Out-of-band authentication includes contacting the manager of the company by phone or in person to verify the legitimacy of the request. Also, contact vendors through a channel other than email, such as calling a known phone number (not one supplied in the fraudulent request).