Announcer:
As a bank that focuses on business, we work with business leaders all day, every day. We have a front row seat to what's working and what has potential. The First Business Bank podcast is dedicated to sharing insights to help you work better, smarter, and faster to achieve your goals. Let's get into the show.
Mark Meloy:
Hello, I'm Mark Meloy, CEO of First Business Bank. I'd like to welcome you to another episode of the First Business Bank podcast. Today's topic is business email compromise. This is an important topic, and one that every business owner and leader needs to be vigilant with. Today I'm joined by three of my colleagues, who will introduce themselves. Theresa, we'll start with you.
Theresa Wiese:
Thank you, Mark. My name is Theresa Wiese, and I'm the Managing Director of Compliance and Risk Management. I've been with First Business Bank for 27 years, a long time. And uh, my team, uh, manages fraud, um, suspicious activity, um, compliance, and then other risks to the company.
Mark Meloy:
Thanks. Dawn.
Dawn Wilcox:
I'm Dawn Wilcox, uh, Director of IT Security and Compliance. Um, I am celebrating my 25th year at the end of this year with First Business Bank. Um, and so my area, we focus exclusively on IT security, um, a plethora of, uh, security issues and then also on the IT compliance side.
Mark Meloy:
Thanks. Kim.
Kim Preston:
Hey, good afternoon. Kim Preston, I am also a long-term, uh, veteran with First Business, 28 years. Um, I am the Milwaukee market Treasury Management leader. Uh, I lead the sales team, uh, for the Milwaukee market region, and so our goal is to work with clients and assist them in utilizing tools that we're gonna talk about today, as far as fraud mitigation, um, how to, uh, limit risks and, and create efficiencies for our clients.
Mark Meloy:
Thanks. So Dawn, I want to start with you.
Dawn Wilcox:
Okay.
Mark Meloy:
What are we talking about when we say this is email compromise?
Dawn Wilcox:
Okay. This is email compromise, um, it uses the all important email system as a medium to commit fraud, just in general terms. Criminals know that we work in our email systems all day long, and therefore, it's easy to get our attention when a new email comes in, especially if it's from your CEO, for example. So, one type of business email compromise is called CEO fraud. This is where the criminal poses as the company's CEO and sends an urgent email to an employee to initiate a funds transfer, for example, albeit the funds transfer goes to an account that is owned by the criminal. The problem comes in when the urgency con- conveyed in the email compels the employee to act quickly on the request, and they ignore company established procedures and protocols designed to prevent such incidents from happening in the first place.
Dawn Wilcox:
So, there's two ways that criminals primarily use to pose as a company CEO. The first way is they use an email address that appears to be from your CEO, however, the email address is slightly amiss in its spelling. So for an example, an email from someone at pizza.com may actually come in with a, with pizza misspelled with an extra Z, for an example. And we all know we're really busy all, all day long. So if you don't look very closely at the address, you may never notice that the difference is in the spelling of that word, and criminals are counting on this happening because we're all such busy people during the day.
Dawn Wilcox:
The second way is where the criminal has duped the CEO into providing their user ID and password. Usually, it's in response to an urgent email that they received from Microsoft that says, "If you don't log in right now, you're going to lose access to your Microsoft account." Well, who wants to lose access to their Microsoft account, right? So, it's a very authentic looking web page that comes in then, and it appears where, um, where the CEO then logs in to protect their access to that account, but unknowingly what they're doing is the criminal has just harvested their credentials, which gives them full access to that account, who now can control all incoming and outgoing emails from that CEO, including manipulating that email conversation between the criminal posing as the CEO and the person who's actually doing that funds transfer for them.
Dawn Wilcox:
Another type of popular, uh, business email compromise is called the bogus invoice scheme. And this is where the criminal pretends to be a supplier or vendor of the company, and they send an invoice with altered payment instructions. Sometimes they may even include a friendly reminder on the invoice that their routing number and account number have recently changed, albeit the account is owned by the criminal. So, similar methods are used to pose as the supplier or vendor as are used in the CEO fraud scenario, such as using a slightly different domain name, an email address, or the supplier/vendor's credentials have already been harvested. So, these are the two most common types of business email compromise that you hear about today.
Mark Meloy:
Thanks, Dawn. Theresa, can you give us some examples of the things that Dawn was talking about?
Theresa Wiese:
Sure. So um, un- unfortunately, uh, at First Business Bank, that is one of the biggest, uh, frauds that we're seeing. Um, and we've actually seen, um, uh, a bit of an uptick, uh, in 2020 as it relates to business email compromise. And really I think Dawn, um, explained it very well in that, um, uh, an employee of a company has their email compromised. Um, they may have clicked on a phished site and entered their credentials, and then the fraudster then kind of watches, um, the traffic, um, and if they see bank account numbers or, um, personal information, they'll harvest that.
Theresa Wiese:
Though, um, we've seen a fair number of incidents in which an employee, typically it would be, um, someone in a finance department, an office manager, someone that may be responsible for either approving or generating, um, accounts payable or paying invoices, and um, they will get an email saying, "Hey, we just changed banks, so here's some new payment instructions," and an ACH or a wire will be originated and could be two, three days or two, three weeks, um, be aware that the person that originated the, um, funds doesn't realize that the, uh, funds were actually sent to a criminal. And, uh, what usually happens in those situations is that the, the real vendor, so the vendor that they, um, have engaged and do, normally do work with will say, "Hey, you're past due on your invoice," and then that's when they call First Business Bank. And unfortunately, it's too late, uh, because the funds have been sent electronically, whether it's a wire or an ACH, and we're no longer able to get the funds back for the client.
Mark Meloy:
So, how, how common is this?
Theresa Wiese:
Well, I, um, actually pulled, um, some numbers for, uh, First Business Bank. Um, clients that we've had, we've had, um, last year, we had 27 cases, um, for the thwarted amount. So the amount was $1,400,000 roughly. Um, but that's not the losses. So, the good thing is, is that we have lots of, um, mitigants in place, um, and our clients do as well, to, to mitigate the risks, but the amount, um, that was thwarted was a million four. The actual loss, uh, for our clients was $45,000. So, that's the good news, is that we are able to, um, stop a lot of this from happening. Um, now that was 2019.
Theresa Wiese:
2020, uh, year-to-date, as of, um, November 30th, um, is, uh, is the same number, so 27. Um again, last year's numbers were year, for annual. The potential loss was also a million four, so running really about the same, but the dollar losses were almost $500,000 because there were some very large ones that were authorized, and by the time the clients realized that they had paid the fraudster, we were no longer able to get the funds back.
Kim Preston:
You know, to add something onto what Theresa said, um, you know, as far as the, the email compromise, a lot of times when the email's coming from the CEO or the CFO or whatnot, they don't really question it as much. So that's why a lot of times, they'll react right away, because the mana- you know, the CEO is saying, "Hey, get this wire out immediately," and so, you know, they react because of who's sending it, and, and kind of forget that they're not, you know, going through their normal processes, as far as getting correct controls and, uh, uh, dual controls, um, in place or whatnot, because of who's sending it to them. So, I guess that's one thing, if anything, that really try to emphasize is, you know, does that email that's coming from the president or the CFO, is that kind of the typical format that they would send? You know, how are they signing it? Um, so some of those kind of things to look at.
Kim Preston:
But again, people I think get alarmed when they see, oh, you know, the president's saying I gotta get this out the door now, and so they react.
Theresa Wiese:
Yeah, and that's, that's an important point, Kim. Um, Dawn, Dawn pointed this out as well, that there's always a sense of urgency. Um, and I will say that those large losses that we saw, um, were because, uh, people circumvented their normal procedures and their normal policies, um, because someone of, you know, at executive management asks me this request, or so they thought. So, that's an excellent point, that there's a sense of urgency and there's the circumvention of normal procedures or controls.
Mark Meloy:
Yeah, I think it's important as we, as we have this conversation, we're really talking to the leaders of our clients or prospects, or really any business that they really have the, the tone starts at the top as it, as it pertains to taking care of the company's treasury, so to speak, right? It, that, that need to go, work fast, to be efficient, to please those that are asking cannot ever trump safe and sound practices and staying within that preset policies that our clients, many of which have set.
Mark Meloy:
And time after time, over the years, it's, it's kind of the same thing in, in the sense that people went outside of normal procedures or they worked against sort of their own original intuition. This didn't seem right. It seemed odd, but it was coming from the president. It was coming from this person or that person, and they act, um, in sort of the spirit of, you know, pleasing the boss, so to speak, and not really thinking about the, the extras. And you know, there's, y- you gave some statistics. What's, what's really not in there though, is there's times where it's been thwarted on our end simply out of the fact that it just was, that it was out of the ordinary for us and how we deal with the client, right. And so, maybe nobody thought about it first or thought enough about it first at the client level, but when it got to the bank, it was sort of like, this isn't you guys normally do it. You know, we have other processes in place, and I know two of which we'll get to in a little bit here.
Mark Meloy:
But, um, Dawn, maybe that's a good segue for [inaudible 00:11:28]. What things, um, put companies at risk in this regard?
Dawn Wilcox:
Yeah. So, I, I think that there's three buckets, um, to take away from here, some information. Um, the first one is lack of the employee training that happens, um, potentially. You know, how to spot a spoofed email like the one that appears to be from your CEO. Just being very cognizant and just monitoring your emails and just always looking for the exception or the thing that just doesn't look right, feel right, you know, just doesn't seem right to you. Always question something like that. Um, the other thing is how to spot a phishing email, um, one that appears to come from Microsoft, um, saying, "Hey, you've gotta log in here or you're gonna lose your access to your account." Um, so that's where they're harvesting credentials.
Dawn Wilcox:
Think about the emails that you get from your IT department, your support department, and decide, you know, do we, do they normally send out these emails? Do I normally get these kinds of emails from Microsoft that are asking me to log in? Always question something like that because it's probably, uh, probably something that's trying to be phished on your behalf.
Dawn Wilcox:
And then the other thing is, um, training on the importance of adhering to company policies and procedures that we've already talked about, the ones that have been designed to protect your organization. Um, even if it's an email from a CEO, um, you can't be faulted if you question it l- legitimately if it just didn't feel right, doesn't sound right. You're asking me to bypass policies and procedures. I think there's an appreciation, um, on any level to make sure we're following those procedures because they're meant to protect the company.
Dawn Wilcox:
Um, the next thing is, uh, really important, is lack of using multi-factor authentication. Um, everyone, almost everyone uses Office 365 today, which means you can log into your email account from anywhere within the world, anywhere. And that means anybody can log in, as, as long as they get your password. So it's imperative to implement multi-factor authentication to add that second factor of identification for you, other than just a simple password, because simple passwords, as we know, they can be easily intercepted, they can be guessed, um, they can be gleaned from like your Gmail account if you're using that same account for your network account or your Office 365 account. Um, there's many, many ways of getting hold of passwords, and so passwords are just not enough. Multi-factor authentication is just so critical in this time and age because of these types of risks that happen all the time.
Dawn Wilcox:
Once a criminal has unauthorized access to your email account, as I mentioned, they can go undetected sometimes indefinitely, and then this also allows them to impersonate and direct others through that email communication since it's such, such a widely used medium for business. So, they can basically take over a business, um, just by having access to critical email accounts.
Dawn Wilcox:
And then the last thing that I would want to point out is, um, lack of email filtering technology and endpoint threat detection technology. Those two items, um, what they do is one of them can proactively detect spoofed emails, so if you get an email that looks similar to your CEO's name, these kinds of systems can pick up on those anomalies and raise red flags for you to investigate to, to know that somebody's trying to spoof your CEO, for instance. And the other thing is then, um, endpoint threat detection technology, and that's blocking suspicious activity altogether or mal- or malware that may be present. Um, just being able to pick up on those things is just so critical for any business to have in place.
Mark Meloy:
Good, thanks. So, Kim, I'm gonna go to you now. You're the, you know, front lines, face-to-face with clients and prospects every day, all the time. What, what are the things you're talking about with them on ways to reduce risk?
Kim Preston:
So, it's, uh, to piggyback on what Dawn said earlier too, it's all about education. So, when we're meeting with clients, it's something we talk about regularly, as far as the fraud trends that are out there, um, so that they're sharing that across their teams. Um, and I actually like to sa- share actual stories of fraud occurrences. I mean, obviously not sharing names of clients, but real life occurrences that we've, um, had in the bank itself, as far as clients that have been impacted, because that tends to resonate more with clients when they are, when they see, oh, it, it really does happen. It, because it's not a case of if it happens, it's when it's gonna happen.
Dawn Wilcox:
Exactly.
Kim Preston:
Because it's inevitably, everyone's gonna be impacted at some point. So again, it comes back to the education. You know, does your staff, um, are they educated on the current trends? Um, do they know how to detect, you know, an email scenario? Do they know to question, um, you know, when the CEO, if they do get an email from the CEO requiring an, a wire, which is out of their realm, do they know, hey I should question this? And I, I need to pick up the phone and, and either call, you know, the CFO or call the client or, or whatnot. So again, email is not the answer when you want to verify something. It's physically picking up the phone and talking to an individual.
Kim Preston:
Um, we had a case, you know, with a, a client uh, a whi- a while back, a wire fraud, um, when they were dealing with a client overseas, and because of time zone change and, and whatnot. Um, and again, the, the president is actually the one who initiated the wire, um, received a request, uh, with different bank instructions. Didn't question it, uh, because it was a, an invoice he knew was due, um, and, and whatnot, but initiated the payment. And his reasoning for not picking up the phone was the time zone change, uh, because it was in, he was, it was, uh, calling China. So, picking up the phone is probably the best, uh, rule of thumb, as far as physically talking to someone to verify something before you're letting the dollars go out the door.
Kim Preston:
Um, no, the out-of-band, uh, au- authentication is super important, another thing that Dawn talked about, um, because it's just that extra layer of security before, you know, the funds are going out the door. Tho- everyone in the company should be under, understand what the policies are, as far as payment. Not just the people that are dealing with it, but um, that everyone's aware of what, what's going on from a policy standpoint when there is a fraud incident, what to do, who to contact, who to get involved. Um, so that's what, I guess, the biggest thing is we try to educate. When we're meeting with clients, we're continually telling them what's going, what's new in the world as far as fraud, what's the recent, um, experiences we've had with other clients. Um, because real life, again, like I said, real life examples is, is very telling.
Theresa Wiese:
Yeah. And I, I would add two very, very simple things to, to what Kim has said as far as education goes, and one is, um, so picking up your, the phone, but calling a phone number that you have, uh, that a client has on their own system, not using a phone number that maybe is in a spoofed website, and not using a phone number that's in the-
Kim Preston:
Good point.
Theresa Wiese:
... communication, whether it was email or otherwise. So, use a phone number that, that you've got on your system. And, and then the, just the other thing too, um, as I pointed out earlier, you know, some, sometimes the bank can recover funds, but you have to be really fast. So, um, checking your account, clients checking their accounts every day and just, you know, questioning things that may not look right, like wait, why did we send, you know, that $10,000 wire out when that was not something that we expected to do? So, um, so it's really, it's about being, uh, proactive at calling and it's about looking at your account, looking at the activity as quickly as you can and calling us if you think that there's a problem, calling the bank, because we have been successful, um, at getting funds back, but the more time that goes by, the less likely we'll be able to recover anything.
Mark Meloy:
Yeah. We talk, uh, I, I used the word vigilance at the beginning, and that's really true. A- some of it is just kind of old fashioned, the way you used to do business. You've got to keep doing business that way, even in this world of, you know, more technology and speed of service and speed of delivery, but it still is pay attention to your accounts, you know, what's going in, what's going out. Separation of duties and responsibilities within your company, as well. All these different things where, and you, you know, an appropriate backup when people are off, sick, on vacation and what have you. They're really, kind of really simple things too that matter.
Mark Meloy:
So, if I can ask, uh, you know, one more question here, uh, and Theresa I'll start with you on this, is, you know, what should a company do when they, when they realize they are a victim? You, you guys touched on it a little bit.
Theresa Wiese:
Well, yeah, yeah. No, great, great question. Thank you for asking. Um, it's really call the bank, um, ASAP. Don't email. Call. Um, also, there, you know, um, it, it's gonna depend a little bit of on who the victim is, but um, the FBI, um, gathers all of the information, um, on a website called IC3.gov. And um, and their, they have been successful as well at recovering funds. Um, so, um, reporting an incident on IC3.gov. Um, and then, you know, um, contacting local law enforcement. You know, unfortunately, that, I mean that's an important thing to do. Unfortunately, law enforcement isn't always able to do that, but I would say the IC3.gov, um, can be very effective.
Mark Meloy:
Well, Dawn, Kim, and Theresa, thank you for taking the time to share your thoughts and experiences with our audience today. And to you, our audience, thanks for listening on our conversation, and we hope you found this topic helpful and applicable to your company. Let us know if there are other topics or information you'd like to learn more about, and join us next time on the First Business Bank podcast.
Announcer:
If you want more content like what you just heard delivered straight to your inbox, go to FirstBusinessBankPodcast.com. And if you haven't already, make sure to subscribe to the First Business Bank podcast wherever you listen to podcasts. If you're listening on Apple Podcasts, please leave a quick rating of the show. Thanks so much for listening. First Business Bank, member FDIC.