A Maine based company recently paid $460,000 to what it thought was a vendor’s account, only to find out that it wasn’t. As a result, the Company lost the whole amount and still had to pay the vendor. How did that happen? The business was victim of a “ghosting” email scam. That’s when a scammer hacks into an email account and takes it over, allowing the perpetrator to pose as the sender and send emails to another party that look convincingly authentic, often even with the original sender’s logo and signature.
In this case, the “ghost” posed as a vendor with whom the business owner was negotiating via email about the amount owed on an invoice. Once the balance to be paid was agreed upon, the scammer sent an email to the accounts payable clerk at the business directing the clerk to change the wiring instructions for the payment to a different bank account. Because the ghosted email looked like it had come from the vendor, the clerk complied — and the business lost nearly a half million dollars.
Beware of “Phishers”
How did the scammer hack into the vendor’s email? Probably through some type of “phishing” activity. Typically, this involves sending an email with a link or attachment to click on for what may seem a legitimate purpose, such as to open a document or learn more about a subject. Once the recipient clicks on the link or document, the hacker can follow every move on the recipient’s computer and take it over when the opportunity is right — as they did in this Company’s case.
Phishing can be difficult to identify. The phishing links or attachments can look totally innocent and legitimate. For example, an email link for a person you know, say John Smith, may actually be the hacker’s spoof of John’s email and the means for getting into your computer. Or the hacker’s URL for a firm you know may have just one character more or less than the authentic URL, and fool you.
Knowledge Is Power
One of the best ways to prevent cyber fraud to make sure that everyone in your company is aware of phishing and other scam techniques. To this end, it helps to conduct regular cybersecurity training programs, so employees become adept at recognizing and preventing scams.
If you don’t already have a cybersecurity program, consider one that’s been developed by experts, such as KnowBe4, Proofpoint, Webroot or any of the others you can find online by searching for “cybersecurity awareness training.” Many of these providers offer free trials, customizable self-study programs, and free security tools, such as phishing simulations to assess employee susceptibility to scams.
Strengthen Wire-Transfer Controls
In addition, make sure you have internal controls in place to prevent wire transfer mistakes. For example:
- Don’t allow wire transfers to pay vendor invoices. You can’t stop payment on a wire — once it’s gone, it’s gone.
- Require any changes in wiring instructions to have supervisor-to-supervisor (typically CFO-to-CFO) verbal confirmation before any money is wired.
- Implement call-back procedures with your bank, so that the bank must call a designated individual (typically the CFO) to review outgoing wires before they are processed.
- Require a list of confirmed wiring instructions from vendors, and specify that no changes are allowed unless they are confirmed verbally supervisor to supervisor.
Check Your Insurance Policy
Fraud is hard to prevent 100% of the time. One critical way to minimize your loss is to have a good, and adequate, insurance coverage. Unfortunately, most business owners don’t pay a lot of attention to the cyber coverage in their insurance policies. We highly recommend sitting with your agent, and even getting in writing, what your policy covers and what it does not. Don’t let this be a surprise if the unthinkable happens!!
Let us know if you have any questions about ways to increase cyber security or strengthen controls in your business. We’d welcome the opportunity to put our knowledge to work for you. Just email me, Bart Haag, or call me at 207-772-1981 and tell me how I might help.
by Barton Haag, CPA