It’s 2019, and I am still seeing the same catastrophes befall businesses in Albuquerque and New Mexico this year that I saw last year, and the year before that. So let me reiterate the nature of these scams, why they are effective, and what you can do to protect yourself.
Scam number one: The wire transfer.
This type of attack almost always originates with what is known as a Phishing attack on your email. It works like this: Someone in the organization receives an email with a link that asks them to sign into their email. The user clicks the link and signs in. Boom, the hackers now have your email address and password.
Next, they wait. Their job now is to observe the user’s position in the company, their access to financial decision makers, their access to vendors or payroll. The goal is to find someone who can wire them money. Remember they are in the user’s email and the hackers employ all kinds of tricks to stay in the shadows, so the mailbox owner never sees the illegitimate communications. One slip up by a vendor or a controller, and money could be wired to a third party across the world, never to be recovered.
What can you do about it? The best thing to do is to prevent the hackers from gaining access in the first place. There is a simple and (so far) effective way to prevent illicit email access called “Multi-Factor Authentication.” You may be familiar with this from your banking website when they send you a code via text message before you can access your bank account.
I can’t emphasize enough how many breaches this one technology can prevent. It’s built into Google Apps and Office 365, so there are few excuses at this point not to turn it on. If you learn nothing else today, learn about Multi-Factor Authentication.
The other recourse is a company policy. Make sure you and all your vendors require phone communication with a known individual before any wire transfers or ACH changes can be implemented. A simple phone call can save thousands of dollars when responding to an email request.