Beware of Email Payment Scams
Unfortunately, fraudsters are attempting more payment fraud than ever. It is important that employees be extra vigilant and verify any invoice or email that they receive that request a payment(s) be made – particularly if it:
- Is from a new vendor
- Has updated payment account information (i.e., new routing number and account number)
- Has updated payment instructions (e.g., payment must be made a different way than before)
- Is from an internal, authorized party who indicates that the payment is urgent but that they cannot be reached to confirm the payment
It is recommended that you take the extra time to contact the vendor or person requesting the urgent payment at a contact number that you have on file for them … don’t just rely on the phone number from the email or invoice.
Here are some tips:
Check to see if the payment is consistent with earlier payments – including the timing, frequency, recipient, and country to which prior payments have been sent.
- Be suspicious of requests for secrecy or urgency, and emails that request all correspondence stay within the same email thread, such as only use Reply, not Forward.
- Establish a company domain for company email instead of using open source email services such as Gmail. Businesses using open source email are most targeted.
- Look carefully for small changes in email addresses that mimic legitimate email addresses. For example, .co vs. .com, abc-company.com vs. abc_company.com, or hijkl.com vs. hljkl.com. If you receive an email that looks suspicious, forward it to IT for review.
- Program your email system to add "-e" to the end of all external senders' email addresses, thereby flagging email coming from domains that don't match the company domain. This will make it easier for employees to detect fraudulent emails.
- If you don’t need web access to email, turn webmail off as it provides another attack point for criminals. If you must provide web access to email, limit accessibility by implementing VPN or another security control.
- If the request is from a vendor, check for changes to business practices. Were earlier payments by check and they’re now asking for a wire transfer? Did a current business contact ask to be contacted via their personal email address? Is the location or account to which the payment is to be sent different from earlier payments to that vendor?
- Use an alternative mechanism to verify the identity of the person requesting the funds transfer. If the request is an email, then call and speak to the person using a known phone number to get a verbal confirmation. If the request is via phone call or fax, then use email to confirm using an email address known to be correct. Don’t reply to the email or use the phone number in the email.
- Limit the number of employees who have the authority to submit or approve payments.
- Implement dual approvals for financial transactions. If you do not have written procedures, develop them.
- Use a purchase order model for wire transfers to ensure that all payments have an order reference number that can be verified before approval.
- For employees that frequently travel and are authorized to request funds transfers or payments, develop a special way to confirm requests.
- Spread the word. Coach your employees about this type of fraud and the warning signs. Alert receptionists, admins, and others not to provide executive’s travel schedules over the phone to unknown callers. Be suspicious and diligent and encourage employees to ask questions.
- Be careful what is posted to social media and company websites, especially reporting structure and out of office details. Criminals have been known to launch these attacks when they know the CEO or CFO is traveling and therefore not easily available to confirm the request.
- Slow down. Fraudsters gain an advantage by pressuring employees to take action quickly without confirmation of all the facts. Be suspicious of requests to take action quickly.
- Trust your financial institution. If they question a payment, it’s worth a couple of minutes to cooperate with them to confirm it is legitimate.
Executives need to be tolerant, indeed supportive, of employees double-checking requests.
What to do if you are a victim of an Email Payment Scam:
- Notify your bank. Businesses are encouraged to contact their financial institution to report the attack, ideally within 24-48 hours after which it is very rare that funds can be recovered.
- File an online complaint. Businesses that have been victimized by an email payment scam (regardless of dollar amount), are encouraged to file a report with the Internet Crime Complaint Center (IC3) or contact their local FBI office.
- Contact law enforcement. File a police report with facts surrounding loss. Obtain the police report number, date, time, department, location, officer’s name.
- Use a police report to facilitate insurance report (if applicable)
- Document actions taken. Document what happened and what steps you made to attempt to recover the money. Gather any documentation that is helpful.
- Complete an internal review. Businesses are encouraged to conduct an internal review to determine how the attack occurred and if any changes are needed.