We have seen a sharp rise in attempted financial fraud against companies, where the criminal impersonates a member of the company, a supplier or even a bank to get money transferred to a bogus account.
These fraudulent attacks are often sophisticated and have been well-researched by the criminals. They are expecting to make a substantial theft from your company – tens of thousands of pounds – and will put a lot of effort into appearing as legitimate as possible. These are not amateurish efforts like the well-known ‘Nigerian Prince’ email scam.
When they occur via email, a typical attack might be:
- an email that appears to come from a supplier asking for a change to contact details
- an email from an internal co-worker asking to update bank details
- an email from an internal director authorising a payment
- an email from a support company saying your DNS domain has been suspended
Internet email was not developed with security in mind. Without enforced verification, it is straightforward to create a ‘spoofed’ email that appears to come from a company but was actually sent by a third party. There are technical ways to reduce the likelihood of this happening, but you must also have business processes in place to protect yourselves against fraud.
As such, you should treat all emails that might have a financial component – or which would allow somebody to request a contact change – as unverified. Best practice would be to check instructions twice. Talk to the apparent sender, using contact details that you have on file. Don’t rely on contacts listed in the message itself. Get in the habit of verifying instructions every time.
See the accompanying articles from FinancialFraudAction and from the Metropolitan Police for more details and resources to make your staff more aware of the problem.
Bridge Partners concentrate on protecting our customers by ensuring that ICT systems are securely configured and monitored, by actively responding to any new security issues, and by carefully verifying any changes to accounts. As FinancialFraudAction recommend: check twice – or pay the price.
If you want to know more, talk to your support team at Bridge Partners.