A relatively sophisticated scam called masquerading (also referred to as Business Email Compromise) has emerged and the FBI estimates that losses to businesses as a result of this fraud were more than $1.2 billion worldwide. That number could be much higher since losses often go unreported. Let’s take a closer look at how a masquerade theft is implemented and learn what a small business owner can do to protect the corporate cash.
What is a Masquerade attack?
It’s a type of fraud that involves tricking an internal employee who has access to company funds into ordering a wire transfer from the firm’s bank to a third-party account. More specifically, it’s a payments scheme where a fraudster impersonates a company executive or outside vendor to request a wire transfer through a phone call or email to a company controller who has the authority to wire funds. The email or phone call seems legitimate so the controller will usually follow through with the transfer.
Why are employees fooled by bogus email requests?
Many cyber criminals are professional thieves. They do a little research to find out the name of a high-level executive. Then, they hack the company’s email system and send an authentic-looking, but phony email from the executive. The bogus email address is only slightly different from the CEO or CFO’s real email address. It might have just one character deleted, changed or added so the employee doesn’t notice the fake address.
Scammers may also attempt a similar attack masquerading as a vendor the company already does business with to request a wire transfer.
Prevent Masquerading Fraud
Defense against cybercrime tends to be a low priority for small business owners since they often assume their business would not be on a scammer’s radar. However, according to the Association of Certified Fraud Examiners’ 2014 Report to the Nations on Occupational Fraud and Abuse, small businesses are victimized more than any other business size category. Nearly 29 percent of cases reported came from small businesses.
An email, or even a phone call from someone claiming to be the CEO, should not be enough for a large financial transaction to take place. There should be a process in place to ensure all the details of a transaction are authorized. Here are some measures to implement for added protection:
- Develop an approval process for high-dollar wire transfers and include approval from two or more executives.
- Use multiple means of communication to verify wire transfers are legitimate. If a request comes via email, then confirm it with a phone call and vice versa. Use known phone numbers, not the numbers provided in the e-mail request.
- Require a purchase order number to send money to vendors. This model requires all wire transfers to match a purchase order reference number, which provides another layer of control by requiring verification of a previously approved request.
- Implement intrusion detection for the company email system to flag extensions similar to company e-mail. For example, legitimate e-mail of abc_company.com would flag fraudulent e-mail of abc-company.com.
If You ARE Attacked, Here’s What to Do
The most important thing you can do is act quickly.
- Contact your financial institution as soon as the fraudulent transfer is discovered. The sooner you report loss, the greater the likelihood of having the funds retrieved.
- Contact your local FBI office if the wire transfer is recent. Working with the US Department of Treasury Financial Crimes Enforcement Network, they may be able to provide help freezing the funds.
- File a complaint with the Internet Crime Complaint Center www.ic3.gov, identifying your complaint as “Business Email Compromise.” For a list of the information you should include with the complaint visit this FBI alert.
You can find more information on safe business banking and the contact information for our small business team on our website.
