In my role at First Business Bank, I work with businesses and organizations to optimize and protect their operating cash flow using specialized banking solutions. That includes daily discussions about fraud prevention — tackling it from all angles, including recommending best practices internally and proposing specific fraud-prevention banking solutions.
One of the top frauds perpetrated against businesses is business email compromise (BEC). Coupled with wire transfer fraud, BEC has cost businesses more than $3.7 billion since the FBI’s Internet Crime Complaint Center (IC3) was established in 2000. In fact, the FBI reported that losses from BEC skyrocketed more than 2,000 percent since 2015.
Relying on the age-old art of deception, criminals compromise business email accounts through a variety of methods, from phishing emails and social engineering to email spoofing and malware. The BEC threat spans all industries, organization sizes, and geographic locations. As you can imagine, prioritizing ongoing employee education about BEC and other fraud types helps organizations recognize it and halt it before losing money or improperly disclosing employee or customer personal information. That’s why it’s important to emphasize best practices and implement ongoing training.
Protecting your business is a moving target – as new fraud schemes arise, you will need to adjust and add to your protections. Currently, experts recommend:
1. Avoid free, web-based email. Buy a company domain for company email accounts.
2. Monitor corporate social media content, particularly job duties/descriptions, hierarchical information, and out-of-office details.
3. Be suspicious of odd email requests for secrecy or pressure to act quickly.
4. Flag requests from vendors, payroll processors, suppliers, and customers involving payments that suddenly change instructions. Always verify changes via phone or outside of email to make sure you are still communicating with your legitimate business partner.
5. Consider additional IT and financial security procedures, such as two-step verification and the following:
- Out-of-band communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this authentication early outside of email to avoid interception by a hacker.
- Encryption: Entities on both sides of a transaction should utilize encryption to provide a layer of validation and security to messages sent through otherwise non-secure channels, such as email systems.
- Delete spam: Immediately delete unsolicited email. Do not open it, click on it, click on links, or open attachments. These often contain malware that can harm your computer system or steal information.
- Forward vs. reply: Avoid using the “Reply” option to respond to business emails. Forward instead, typing in the email address or selecting it from the email address book to remove the risk of replying to a look-alike email address.
- Consider two-factor authentication for corporate email accounts, which requires two pieces of information to log in, such as a password and a dynamic PIN or code.
- Enact rules that flag emails from domains that closely resemble the company’s own domain. For example, if the legitimate domain is xyz_company.com, such a rule would flag mail from the fraudulent look-alike xyz-company.com.
- Register all company domains that closely resemble your actual company domain so criminals can’t purchase them to commit fraud.
- Verify changes in vendor payment details by adding a second factor, such as a secondary sign-off outside email from specially designated personnel.
- Confirm requests for fund transfers. When using phone verification as part of the two-factor authentication, use previously known numbers, not numbers written in a potentially fraudulent email.
- Pay attention to your customers’ routines, including the details and amount of payments.
- Scrutinize all emailed fund transfers to determine if they’re at all out of the ordinary.
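As an added example (not code from this article or the bank), the look-alike domain rule from the list above can be expressed in a few lines of Python: sender domains are normalized (case, separators, common digit-for-letter swaps) and compared with the company’s domain, and anything that matches, contains, or closely resembles it is flagged. The company domain, the similarity threshold and the sample addresses are assumed values constructed for the demonstration.

```python
"""Flag sender addresses whose domain resembles the company's own domain."""
import re
from difflib import SequenceMatcher

# Assumed company domain, taken from the article's illustrative example.
COMPANY_DOMAIN = "xyz_company.com"

# Digits that criminals commonly substitute for similar-looking letters
# (constructed subset; extend as needed).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def normalize(domain: str) -> str:
    """Collapse case, separators and homoglyphs so that xyz_company.com,
    xyz-company.com and xyzc0mpany.com all reduce to the same string."""
    d = domain.lower().strip().translate(HOMOGLYPHS)
    return re.sub(r"[-_.]", "", d)


def classify(address: str, company_domain: str = COMPANY_DOMAIN,
             threshold: float = 0.85) -> str:
    """Return 'internal', 'lookalike' or 'external' for one sender address.

    'lookalike' covers exact matches after normalization, domains that embed
    the company domain (e.g. xyz_company.com.evil-login.net), and domains
    whose normalized form is at least `threshold` similar (assumed cutoff).
    """
    domain = sender_domain(address)
    if domain == company_domain.lower():
        return "internal"
    nd, nc = normalize(domain), normalize(company_domain)
    if nc in nd or SequenceMatcher(None, nd, nc).ratio() >= threshold:
        return "lookalike"
    return "external"


def flag_lookalikes(addresses: list[str]) -> list[str]:
    """Return only the addresses a mail rule should hold for review."""
    return [a for a in addresses if classify(a) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample senders, not real addresses.
    samples = ["cfo@xyz_company.com", "cfo@xyz-company.com",
               "ap@xyzc0mpany.com", "news@example.com"]
    for addr in samples:
        print(f"{addr:35} {classify(addr)}")
```

The score-based check is deliberately strict (0.85 on a short string), so unrelated domains such as xyz.com stay unflagged while single-character tricks are caught.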
It is unfortunate that fraud is such a common occurrence. It is no longer a matter of if it will happen to you, but a matter of when it will happen. Review your fraud health to determine where you have gaps and what you can do to improve your controls.
Fraud doesn’t need to happen to your company. You must be proactive about cybersecurity and talk to your trusted treasury management professional about taking steps to protect your company.
Member FDIC