Fraudulent Emails: What You Need to Know

Many people have heard of phishing emails—a scam designed to trick recipients into clicking links or opening attachments in fraudulent emails that appear to be from trusted individuals or companies. Criminals are now taking this approach a step further, with potentially severe financial consequences for businesses.

Have you ever received payment instructions from a boss or vendor in an email? You could be at risk for the latest fraud scheme, the Business Email Compromise. Fraudsters have been very successful in impersonating superiors, peers and vendors to get businesses to send them wire and ACH transfers. According to the FBI, 14,000 US businesses have lost in excess of $961 million due to this scam. Since January 2015, the number of scam attempts has increased by 1,300%.

Email compromise, or masquerade fraud, usually involves the impersonation or takeover of a legitimate email address. Fraudsters either compromise known parties' email accounts or create similar-looking addresses (e.g., vs. Very sophisticated criminals will target an executive's email to take over.

Fraudsters will request payments or give new account numbers for future payments. The email requests may look like regular correspondence between you and another party or even be inserted into an on-going conversation. The email requests will often have a sense of urgency, playing on your desire to help your boss or long-time trading partner.

Watch for Fraudulent Emails

Informing your employees about the latest phishing scams can help protect your company from fraud.

  • Fraudulent emails can appear to come from a legitimate source, such as a well-known company, bank, manager, executive, online payment service or government organization. Be wary of what you read—messages can be very convincing. Scammers register domain names similar to real sites and also copy logos, content and supporting links from real sites. The "From" address can be masked, making emails appear to originate from a company.
  • Be suspicious of any message threatening dire consequences, promising a reward or asking you to provide personal or company information. Ask yourself, "Do you know the sender? Are you expecting a message from this company? Did you initiate action that would result in a response from the organization?" If you don't know the sender or were not expecting a message, it could be phishing.
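
As an added example (not part of the original page or any bank's tooling), the Python below shows how a mail filter could flag the header signs described in the list above: a sender domain that closely resembles a known one, a Reply-To that diverts answers elsewhere, and a display name that masks the real sender. The names KNOWN_DOMAINS and review_email, the two-character distance threshold and the sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains your company really trades with (constructed placeholders).
KNOWN_DOMAINS = {"example-vendor.com", "example-corp.com"}

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def review_email(raw, known=KNOWN_DOMAINS):
    """Return reasons to hold a message for call-back verification."""
    msg = message_from_string(raw)
    findings = []
    display, _ = parseaddr(msg["From"] or "")
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    if from_dom not in known:
        # An unknown domain within two edits of a known one is a lookalike.
        near = sorted(k for k in known if edit_distance(from_dom, k) <= 2)
        if near:
            findings.append(f"lookalike-domain:{from_dom}~{near[0]}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{reply_dom}")
    if "@" in display and domain_of(display) != from_dom:
        findings.append(f"display-name-masks-sender:{display}")
    return findings

# Constructed sample messages (not real mail).
SAMPLE_SUSPECT = """\
From: "pat.lee@example-vendor.com" <pat.lee@examp1e-vendor.com>
Reply-To: accounts@mail.example.net
Subject: Urgent: new account number for today's wire

Please send today's payment to the updated account.
"""
SAMPLE_NORMAL = """\
From: Pat Lee <pat.lee@example-vendor.com>
Subject: Invoice 1042
"""
```

A message with no findings is not proven genuine, because a compromised legitimate mailbox passes every header check; the call-back verification described under the tips below still applies.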

Tips to Protect Your Company

  • Always verify requests for wire or ACH transfers received by email. Call the vendor requesting the payment, using known numbers, to validate all requests received by email.
  • Match up requests with known invoices.
  • Use dual approval for payments.
  • Create policies and procedures for ACH and wire transactions for your company.
  • Don't be afraid to question. A one-minute phone call is all it takes to protect your company.
  • Share this information with anyone in your organization with access to make wire or ACH transfers. Ask your employees to be aware of fraudulent emails.

Fraudsters rely on social engineering, preying on an employee's expected behavior: opening an email, clicking a link or opening an attachment because the email comes from an executive or senior manager.

They also target employees in an attempt to gain information directly from the messages—sensitive or confidential business information could be a treasure trove for criminals. Criminals can determine with whom your company does business, then exploit employees by sending them emails that appear to come from their trading partners.

Overall, criminals have found it easier to profit from trusted relationships than to try to hack into a company. By pretending to be somebody you trust, whether a senior manager, executive or trusted trading partner, they exploit that relationship with less effort.

