FBI Alert: How to Protect Your Business Against A Costly New Email Scam

Mark Van Divner, Chief Information Security Officer, First Republic Bank
March 17, 2015

The Federal Bureau of Investigation recently alerted businesses to a growing and costly threat: Fraudsters are “spoofing” or hacking into businesses’ email accounts and sending out emails to other employees and businesses requesting money transfers. Nearly $215 million was stolen from about 1,100 businesses between October 2013 and December 2014 by fraudsters using this scam, according to the FBI.

The emails appear to be from legitimate senders, such as a vendor or a senior manager of that business. The scam targets businesses of all sizes, but especially those with foreign suppliers that regularly pay by wire transfer. Because the emails appear to come from authentic sources, the recipients—often business executives or employees with access to the company’s bank accounts—wire or electronically send money to the fraudsters and do not discover their mistake until it’s too late, sometimes after losing thousands or even millions of dollars.

Given this emerging threat, businesses must stay vigilant and take steps to protect themselves. Here are some ways to prevent an email-based financial scam from affecting your business:

Review your internal controls

Businesses should make sure they have the right internal protocols set up to protect against financial fraud. For example, requiring at least two people to perform every external funds transfer raises the odds that a fraudulent payment request will be spotted and averted before it’s too late.

Verify every request for money by phone

Any time someone sends an unexpected payment request via email—even if it appears to come from a legitimate source, such as a longtime vendor or client or a senior manager of the firm—call that person directly on their known phone number to verify that they did indeed make the request. This new scam shows the dangers of relying too much on email, especially for financial transactions.

Have the right security software

Make sure all computers used for work are equipped with anti-virus, email spam protection and anti-malware software that can flag suspicious emails and block malicious attachments or website links, which will greatly reduce the risk of an employee falling victim to such scams.

Consult your financial institution

Your bank is likely already establishing certain controls based on your company’s transaction history and usage. But it can also help you evaluate your current controls and set up new, stronger ones that further reduce your payment fraud risks. For example, if your business doesn’t regularly make electronic payments of more than, say, $5,000 or $10,000, you might request a per-transaction limit that’s slightly higher than that amount to reduce your risk exposure. A quick call to your financial institution will then likely be needed to make a payment worth more than that preset limit—but such a measure could prevent an employee from unwittingly sending huge sums of money to a fraudster. Your financial institution can also help you establish “multi-factor authentication,” which provides you and your employees with stronger authentication requirements—such as using security tokens, biometrics or mobile device-delivered one-time passcodes—whenever your business initiates a high-risk transaction.
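The three payment controls described above (dual control on every external transfer, a phone call back to the requester on a known number for any unexpected request, and a per-transaction limit above which the bank must be called) can be combined into a single release check. This is an added illustration, not code from the bank or the FBI alert; the limit, the approver count, the field names and the rule that a requester may not approve their own request are assumptions.

```python
from dataclasses import dataclass

# Constructed policy values; a business would set these together with its bank.
PER_TRANSACTION_LIMIT = 10_000.00   # payments above this need a call to the bank
MIN_APPROVERS = 2                    # dual control on every external transfer


@dataclass
class PaymentRequest:
    amount: float
    payee: str
    requested_by: str                    # sender of the e-mail asking for the payment
    approvers: frozenset = frozenset()   # employees who signed off in the payment system
    unexpected: bool = True              # not a scheduled or recurring payment to a known payee
    verified_by_phone: bool = False      # requester reached on a known number, not one taken from the e-mail


def release_problems(req: PaymentRequest) -> list[str]:
    """Return the controls that block release; an empty list means the payment may go out."""
    problems = []
    if len(req.approvers) < MIN_APPROVERS:
        problems.append(f"dual control: {len(req.approvers)} approver(s), need {MIN_APPROVERS}")
    # Assumed refinement of dual control: the person asking for the money cannot be an approver.
    if req.requested_by in req.approvers:
        problems.append("separation of duties: requester cannot approve own request")
    if req.unexpected and not req.verified_by_phone:
        problems.append("out-of-band check: unexpected request not confirmed by phone")
    if req.amount > PER_TRANSACTION_LIMIT:
        problems.append(f"limit: {req.amount:,.2f} exceeds {PER_TRANSACTION_LIMIT:,.2f}; call the bank first")
    return problems


def may_release(req: PaymentRequest) -> bool:
    return not release_problems(req)


if __name__ == "__main__":
    # Constructed scenario: an e-mail that appears to come from the CFO asks for an urgent wire.
    urgent = PaymentRequest(amount=48_000, payee="New Overseas Supplier Ltd",
                            requested_by="cfo", approvers=frozenset({"clerk"}))
    for problem in release_problems(urgent):
        print("BLOCKED:", problem)
```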

As technology takes on a larger role in our lives, it’s more important than ever to make sure your business is protected against cyberfraud. Your bank can assist you in identifying and setting up the right controls, so you can rest a little easier and focus on running your business.

First Republic Bank provides a courtesy Internet Security Health Check to its small business customers. An information security specialist comes to the company to review security-related controls—such as Internet browser settings, operating system updates, wireless security, firewalls, antivirus software and spam filters—to ensure proper configurations for optimal protection against malicious activity. Clients can also receive Trusteer Rapport, a highly regarded software program that protects against financial malware, at no cost. Contact your banker for more information.

All information in this report is from sources deemed to be reliable.