Lately, the topic that tops the list of incoming phone calls to our Privacy and Data Security practice is a client reporting that either:
- The client paid a bogus invoice to a fraudulent account as a result of a communication from someone who looked just like a trusted payee; OR
- The client’s long-standing, regularly-paying customer has been strangely behind a couple of months on making payments to the client. On follow-up, the client finds out the customer received a change in payment instructions, reportedly from the client via email, and has been sending the client’s payments to another bank account via ACH.
Inevitably, in either case, the payment account is bogus. The recipient failed to check the validity of the email requesting the change in payment practices, such as a new bank account, or possibly moving to ACH or EFT for payments instead of mailing checks. The recipient might have recognized the sender’s name and email address and even observed the expected company branding and logos in the body of the email and signature line. But rather than pause, place a call, or verify the request and the account’s validity, the recipient quickly makes the change and the payment is sent. Frequently, clients aren’t aware of the theft until it’s too late. The consequences are harsh, as getting the money back is not always easy to do, if it is possible at all. While there are sometimes remedies through bank action or even law enforcement, the speed with which such payments are made and the money is withdrawn makes it difficult to make a company whole again.
Why is this happening?
There is no one reason this is happening, but the common themes I am seeing include:
- Stolen or easily guessed email credentials. Hundreds of data breaches and dumps have occurred over the years, exposing our passwords on the dark web. This, combined with the fact that most people use the same password on every account they maintain, makes it easy for bad guys to guess your online credentials, including those for any online email service provider, such as Office 365.
- Social engineering. If your business is successful, you are busy, and chances are your employees believe in providing prompt customer service. Both the eagerness to please and the speed of work make such a mistake easy to make.
- Lack of training. As with any other security risk, a lack of policy, and of training on those policies, is often at the core of any exploit. Companies are not writing policies and procedures or training employees on how to spot such suspicious requests. Or, even more simply, many companies do not limit or restrict the authority to make changes in payments.
What should you be doing?
In addition to the standard practices of using strong, unique passwords and two-factor authentication and implementing written policies and procedures, your company must take steps to harden its financial practices. Anyone within your organization with the power to authorize payments must be trained to:
- Don’t trust, and always verify. Always verify new payment instructions received via email, even from addresses that appear to be internal.
- Pick up the phone! Make it a company policy to always verify changes in payment instructions over the phone or in person.
- “Turn your key.” Require that a second person authorize all payments or changes in payment practice, as a matter of policy. Think of it as the second key required to launch a missile. This is a fitting analogy because once that money is gone, it is most likely not coming back.
- Make your policy known to your payers. Communicate your policy to your paying clients; specifically, notify them of the only ways your company accepts payments and how any change in that payment process will be communicated. This notice could be in the header or footer of your email signature line or on any invoices (e.g. “We will never request payment or make changes in payment instructions via email. Please contact us at 800-555-1234 with any questions on payments to our company.”)
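The two controls above, verification by phone and a second approver, can be enforced rather than merely recommended. The following is an added illustration, not code from the original post: a small Python model of a vendor bank-detail change in which the callback must go to the phone number already on file (never to a number supplied in the email), the vendor must confirm on that call, and a person other than the one who received the email must sign off before the account changes. All names, account identifiers and phone numbers are constructed.

```python
from dataclasses import dataclass
class ChangeRejected(Exception):
    """A payment-instruction change failed one of the required controls."""
@dataclass
class Vendor:
    bank_account: str
    phone_on_file: str  # recorded at onboarding; never updated from an emailed request
@dataclass
class ChangeRequest:
    vendor: Vendor
    new_account: str
    received_by: str        # employee who received the emailed request
    contact_in_email: str   # callback number the email itself offers
    verified_via: str = ""  # number actually called, once verified
    approved_by: str = ""   # second person who signed off

def verify_out_of_band(req, number_called, vendor_confirmed):
    """Control 1: 'pick up the phone', but only the number already on file."""
    if number_called != req.vendor.phone_on_file:
        raise ChangeRejected("call must go to the number on file, not one in the email")
    if not vendor_confirmed:
        raise ChangeRejected("vendor did not confirm the change on the call")
    req.verified_via = number_called

def second_approval(req, approver):
    """Control 2: 'turn your key': someone other than the receiver signs off."""
    if not req.verified_via:
        raise ChangeRejected("no out-of-band verification recorded")
    if approver == req.received_by:
        raise ChangeRejected("second approver must differ from the receiving employee")
    req.approved_by = approver

def apply_change(req):
    """Only a verified, dual-approved request touches the bank account."""
    if not (req.verified_via and req.approved_by):
        raise ChangeRejected("change is not verified and approved")
    req.vendor.bank_account = req.new_account
    return req.vendor.bank_account

def demo():
    """Constructed scenario: the email names a new account and its own callback number."""
    acme = Vendor("ACCT-OLD-001", "+1-555-010-0001")
    req = ChangeRequest(acme, "ACCT-NEW-999", "pat", "+1-555-010-9999")
    try:  # calling the number printed in the email is rejected outright
        verify_out_of_band(req, req.contact_in_email, True)
    except ChangeRejected as e:
        print("rejected:", e)
    verify_out_of_band(req, acme.phone_on_file, True)  # vendor on file confirms
    second_approval(req, "chris")                       # a second person signs off
    return apply_change(req)
```

In a real accounts-payable system the same checks would sit in front of the vendor-master update, with the phone number on file sourced from the onboarding record rather than from any later correspondence.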
Lastly, people love to focus on the technology aspect of this issue, or would like to call it a “cyber” security issue because of the email or spoofing aspect that might be involved. As a result, they may see the solution as expensive or difficult to implement. I disagree. This is all about old-school policies, procedures and training your people to be alert, follow policy and, when they see something, take a pause and make a good decision. Because now the risk can not only cost you data and increase your liability, it can take money right out of your pocket with a single click.