Beware of wire transfer fraud
Millbury Savings Bank is looking out for your business. That’s why we want to let you know about a fast-growing scam to defraud small businesses. In fact, two of our business customers were targeted in the last two weeks alone, and other area financial institutions are reporting similar attempts.
This kind of wire transfer fraud is committed through a scheme called Business Email Compromise, or BEC. Here’s how it works.
- A scammer “spoofs” or changes the header on an email to disguise its true source, making it look like it’s coming from a business owner or executive.
- The spoofed email is then sent to an employee of the business, and appears as though the business owner/executive is asking the employee to make an urgent wire transfer.
- The employee is tricked into carrying out the fake wire transfer request.
Unfortunately, once money is wired to another account, it’s usually withdrawn quickly and is nearly impossible to recover. Here are some things you can do to help protect your business assets from BEC:
Set up controls within your business to validate any wire requests through multiple communication methods (for example, confirming all emailed wire requests with the requestor by phone via a known, legitimate phone number and not one supplied in the email) to ensure that the requests are authentic. Also consider process controls that require multiple approvals of wires, particularly above a specific dollar amount threshold.
If a request seems unusual or unexpected, encourage employees to ask questions by reaching out directly. Also encourage employees to double-check the email address in the “from” line. Though emails can be spoofed to show an owner’s or executive’s name, the actual sending email address may still be visible. When in doubt, ask. Better safe than sorry!
Strengthen the company’s IT structure to flag or altogether block certain external emails. Make sure all devices and systems are password-protected, and change passwords often. Keep anti-malware and anti-virus software up-to-date to avoid unauthorized access to computer networks, where criminals can get ahold of legitimate emails about billing and invoices that they can use as a model for their scam.
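As an added illustration (not Millbury Savings Bank's own tooling), here is one way an IT administrator could automate the “from” line check and the flagging of external emails described above. The domain, the executive directory, the keyword list and the sample message are all assumptions constructed for this example, and the Reply-To check goes slightly beyond what the text describes.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: replace with your own directory data.
INTERNAL_DOMAIN = "business.example"
EXECUTIVES = {"pat owner": "pat@business.example"}
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice")


def _domain(address):
    return address.rpartition("@")[2].lower()


def bec_flags(raw_message):
    """Return the reasons this message should be verified by phone."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    flags = []

    external = _domain(address) != INTERNAL_DOMAIN
    if external:
        flags.append("external-sender")

    # The name shown is an executive's, but the address is not theirs.
    known = EXECUTIVES.get(" ".join(display.lower().split()))
    if known and address.lower() != known:
        flags.append("display-name-mismatch")

    # Replies would go to a different domain than the visible sender.
    if reply_to and _domain(reply_to) != _domain(address):
        flags.append("reply-to-mismatch")

    subject = msg.get("Subject", "").lower()
    if external and any(word in subject for word in PAYMENT_WORDS):
        flags.append("external-payment-request")
    return flags


# Constructed sample message (not real mail).
SPOOFED = (
    'From: "Pat Owner" <pat.owner@mail.example>\n'
    "To: clerk@business.example\n"
    "Subject: Urgent wire transfer today\n\nPlease send it now.\n"
)

if __name__ == "__main__":
    print(bec_flags(SPOOFED))
```

A message that forges the executive’s exact internal address passes these checks; rejecting those depends on the mail server’s sender authentication (SPF, DKIM and DMARC), which is why the phone call-back remains the deciding control.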
Besides email, this same scheme can also take place by text or social media messaging. Other variations have tricked companies into giving out such sensitive data as employees’ W9 information. The bottom line: Be extra vigilant with any out-of-the-ordinary or unverified requests.
For more information, read the article from PricewaterhouseCoopers about this and similar types of wire fraud.