Q: Where can I report people that are sending my company fake wire transfer scam messages?
One of the fastest-growing Internet banking scams that specifically targets businesses is a very clever form of wire transfer phishing fraud, according to Heartland Financial, the parent company of over 90 community banks.
The typical scenario involves a member of the accounting department getting an e-mail message from what appears to be the CEO, CFO or other high-ranking executive within the company requesting a wire transfer be prepared.
The scammers generally study their victims before the scam so they know the names and e-mail addresses of the people in the company most likely to be involved in accounting processes.
The variations that I’ve seen over the years always spoof the sender’s address, so if the recipient isn’t paying attention, they simply assume it’s a legitimate request.
In some cases, the request will come while the CEO/CFO is out of town to minimize the chances that an offline conversation would expose the scam (credit social media posts for this ability).
Despite clear red flags like strange salutations or improper grammar, enough accounting departments have fallen for this scam to encourage the scammers to increase their efforts.
The popularity of social networks such as LinkedIn and Twitter makes the research portion of the scam much easier and some have speculated that a press release or news story can be the initial attraction to targeting a company.
If someone in your organization falls for these clever social engineering scams, it could be very costly.
“The reality is that when this happens, if it goes more than a business day or two from the time the funds are sent, we never get the money back,” Greg Normington, vice president of treasury management and product manager for Heartland, said.
There are a number of places that you can report the scam messages, but the sheer volume of this type of activity makes it pretty unlikely that much will happen.
My accounting department recently received a scam wire transfer request message that claimed it was from me, so I had them play along so we could get the bank name, account and routing numbers that the scammers were attempting to use.
With this specific information, I contacted the listed bank by phone and emailed the information to their fraud department, but later found out that the best way to report the information is in person at a bank branch — not of your own bank, but of the bank being used by the scammers.
We determined that the account number was valid, but not whether it was setup by the scammers or a legitimate account that the owner didn’t realize had been compromised.
As a preventative measure against this growing scam, it’s highly recommended that all businesses setup dual controls or other extended approval methods as it pertains to wire transfers to minimize the chances of being scammed.
Another thing to consider is moving away from e-mail as an interoffice communication standard as it’s the most common threat vector these days.
Private networking and messaging platforms are plentiful and worth considering for all organizations.