8 Ways Fraud Email Can Compromise Your Back Office
It's easy to fall for one of these fraud email schemes.
![Hackers target](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt3d3ca598ed4c44f3/6524575edc359f654e9e78b1/hackers-target.jpg?width=700&auto=webp&quality=80&disable=upscale)
Getty Images
Take a good look at the email addresses of incoming requests. There are many ways to spoof an email address, and you may find minuscule changes compared to the email you already have on record.
“For example, the email might vary by a single character,” Anastasakis said. “It might be the same address, but end in something other than .com. Slow down and look carefully, and you’ll eradicate a good portion of potentially fraudulent requests.”
Fraudsters will sometimes cobble together a convincing email string by cc’ing other parties — a fake approver, manager, etc. — using real names they’ve gathered, along with spoofed email addresses. They may even mention that they’ve copied someone to try to demonstrate authenticity.
“Inspect email addresses of cc’d parties just as carefully as the sender’s email,” Anastasakis said.
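As an added illustration (not code from the article or from Nvoicepay), the following Python check applies the two tells above to the sender and to every cc'd party: each address is compared against a constructed vendor record, and the check flags a single-character change in the domain, a different top-level domain, an unfamiliar mailbox on a known domain, or a known contact's display name paired with an address that is not on file. The supplier, names and addresses are made up for the example.

```python
import re

# Constructed vendor master record (hypothetical supplier, made-up names and addresses):
# the contacts and e-mail addresses we already have on file for this supplier.
VENDOR_ON_RECORD = {
    "Dana Lee": "dana.lee@acme-supplies.com",
    "Pat Ortiz": "pat.ortiz@acme-supplies.com",
}

# Accepts 'Name <user@host>', '"Name" <user@host>' or a bare 'user@host'.
ADDR_RE = re.compile(r'^\s*(?:"?([^"<]*?)"?\s*)?<?([^<>\s]+@[^<>\s]+)>?\s*$')

def parse_header(value):
    """Return (display_name, lowercased address) from one From/Cc header value."""
    m = ADDR_RE.match(value)
    if not m:
        raise ValueError(f"unparseable address: {value!r}")
    return (m.group(1) or "").strip(), m.group(2).lower()

def edit_distance(a, b):
    """Levenshtein distance; a single-character domain change scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def vet_address(value, on_record=VENDOR_ON_RECORD):
    """Red flags for one address; an empty list means it matches the record exactly."""
    name, addr = parse_header(value)
    if addr in on_record.values():
        return []
    flags = []
    domain = addr.split("@", 1)[1]
    for known in {a.split("@", 1)[1] for a in on_record.values()}:
        if domain == known:
            flags.append(f"unknown mailbox on known domain {known}")
        elif domain.rsplit(".", 1)[0] == known.rsplit(".", 1)[0]:
            flags.append(f"top-level domain differs from {known}")
        elif edit_distance(domain, known) <= 2:
            flags.append(f"lookalike of {known}")
    if name.casefold() in {n.casefold() for n in on_record}:
        flags.append(f"display name {name!r} is on record but this address is not")
    return flags or [f"address {addr} not on record"]

def vet_message(from_header, cc_headers):
    """Check the sender and every cc'd party alike; returns only the headers with flags."""
    findings = {h: vet_address(h) for h in [from_header, *cc_headers]}
    return {h: f for h, f in findings.items() if f}
```

A non-empty result is a reason to pause and verify by phone, not proof of fraud: a supplier may legitimately add a new mailbox on its own domain.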
Many BEC attacks originate offshore and are written by people who are not native English speakers. If you’re dealing with a U.S. supplier, even slight errors in vocabulary, spelling, grammar or sentence construction may be red flags.
“That’s not to say every legitimate person you interact with will have immaculate grammar, so pay attention to tone as well,” Anastasakis said. “If it’s a supplier you work with frequently, check for subtle changes from your normal communication with the supplier. If something feels off, pick up the phone and call the number on their website before communicating further by email.”
Vernacular is often very localized and is another good way to spot a potential issue. For example, in the United States, “check” is spelled just so. If a U.S. supplier uses the British English “cheque,” it’s worth looking closer at the request before moving forward.
These requests will tell you they need to have their bank account information changed immediately. There are all kinds of rationales, such as bank accounts closing or overdue payments. And they typically put a lot of pressure on you to help them out by getting it done right away.
“It’s another way fraudsters play into our desires to help one another,” Anastasakis said. “Take a moment to slow down. If you truly believe the business is in dire straits, call them to discuss further.”
Since all payments are associated with an invoice number, fraudsters often include numbers in their emails to make the request look more legitimate. The numbers may be from older payments, guessed from past invoice patterns, or even made up.
“You should always make sure the invoice numbers match other payment information,” Anastasakis said. “If the number is outdated, not mapping to the right customer, or otherwise incorrect, it’s best to look into the matter before providing further information to the email sender.”
A real supplier is going to know the invoice number and the exact amount of payment. A counterfeit supplier may be guessing numbers from payment patterns they’ve identified or misidentified.
When suppliers provide a voided check with their update request, scrutinize it, Anastasakis said. Some may be more obviously doctored, but others are quite convincing. Take a good, hard look at the magnetic ink character recognition (MICR) line, supplier logo, address, and even the bank, to identify discrepancies.
Cybercriminals are increasingly using fraud email or business email compromise (BEC) attacks to gain access to companies’ systems.
If they’re successful, they gather information on the company and its suppliers, including payment cycles. They masquerade as legitimate businesses to change contact and banking information, ultimately rerouting funds to their own accounts.
According to Abnormal Security, during the third quarter, attackers continued to focus primarily on BEC campaigns with the goal of invoice and payment fraud. These attacks increased 155% from Q2 to Q3.
Angela Anastasakis is Nvoicepay’s senior vice president of operations and customer success. Nvoicepay is a payment automation provider.
“[BEC is] a subtle process that preys on a person’s willingness to give others the benefit of the doubt,” she said. “With businesses simultaneously facing other, more direct attacks, BECs can be difficult to detect and nearly impossible to reverse.”
Convincing Emails
Fraudsters specialize in writing convincing emails, Anastasakis said. Accounts payable moves fast and tries to maintain good supplier relationships; therefore, it’s easy to fall for one of these fraud email schemes.
“But by slowing down and scrutinizing these requests, there are often tells that can alert you to the sender’s legitimacy,” she said.
A single instance of business email fraud has the potential to cause financial losses in the millions, Anastasakis said. That’s what happened with Toyota and Caterpillar.
“While it’s possible to reverse some payments made to fraudulent accounts, this is not always true — particularly when it comes to automated clearing house (ACH) or wire payments,” she said. “If the bad actors close the account the funds are deposited to, there’s virtually nothing to track, and businesses become responsible for absorbing the damage done.”
You can throw as many security programs as you want at the problem, but it only takes a single well-crafted email or phone call to a well-meaning employee to undermine everything, Anastasakis said.
“The No. 1 thing businesses can do to protect themselves is to offer frequent training to their employees in identifying potential phishing instances,” she said. “Invest in a security protocol for your employees to follow when they encounter any correspondence related to updating payment information, and you will potentially save millions in losses.”
Click through the slideshow above for eight of the most common BEC techniques that fraudsters use.