Why you should always double check new bank information
This June we published a new security awareness video to remind employees to always double check account numbers when paying out invoices. We have a good reason to focus on cyber security awareness for finance divisions, as we have heard multiple first-hand accounts of fraudsters sending out bogus invoices. They have also been known to worm their way into correspondence and take over as soon as there is a mention of invoices or payment.
The amounts stolen in this manner can range from a few thousand dollars to hundreds of thousands. Perhaps not surprisingly, there is very little that local authorities can do about it. International law enforcement usually doesn’t investigate these matters unless the amount is considerable. Even then the chances of getting your money back are slim to none.
How it’s done
A finance division employee’s computer or a client’s computer might have been compromised by various means. Most likely it was done by a phishing or spear phishing email containing malicious links or attachments. Through that, the attacker gains access to the employee’s email correspondence and can follow it closely. They can even pick up the individual language and slang of the user. When an invoice is sent out, the attacker intercepts that email and sends out another email with their own account information. If the employee on the other end is not vigilant, the sum will be paid out to the attacker and not the rightful receiver. By the time this is discovered, the attacker has covered their tracks and is gone with the funds. This is why companies need to pay special attention to cyber security awareness training for finance division employees. There is a lot to lose.
Trust no one
It might sound cynical to say this but when it comes to invoices and account numbers, we should trust no one. Not even invoices issued in the name of companies we’ve been dealing with for years. If email accounts have been breached (or even if someone has gone through the company’s trash) it is possible for hackers to send out bogus invoices in the name of trustworthy companies. The only thing they’ve changed is the bank information for payment.
If the account number is the same as usual and has been paid to before without incident, it should be safe to continue with the payment. If a company suddenly changes its account number, or you are making a payment to a new company, the safest protocol to follow is to call that company directly and double check the invoice and the account number.
Find the number to call through the company’s official web page or an official directory. Don’t trust any information provided in an email until it has been verified that the sender is who they say they are.
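The rule in the two paragraphs above can be built into an accounts-payable approval step. The following is an added example, not code from the original post: it compares the account on an incoming invoice against a vendor master of accounts previously paid without incident and, when a callback is required, returns the phone number stored in the vendor master (sourced from the official directory), never anything taken from the invoice. The vendor names, account numbers and phone number are constructed sample data.

```python
from dataclasses import dataclass, field


def normalize_account(acct: str) -> str:
    """Strip spaces and dashes so '12-34 56' and '123456' compare equal."""
    return "".join(ch for ch in acct if ch.isalnum()).upper()


def normalize_name(name: str) -> str:
    """Fold case and whitespace so 'ACME  Supplies' matches 'Acme Supplies'."""
    return " ".join(name.lower().split())


@dataclass
class VendorRecord:
    name: str
    directory_phone: str  # taken from the official web page/directory, not from any invoice
    paid_accounts: set = field(default_factory=set)  # accounts paid to before without incident


def build_vendor_master() -> dict:
    # Constructed sample vendor master; names, accounts and phone are not real.
    rec = VendorRecord("Acme Supplies Ltd", "+1-555-0100",
                       {normalize_account("12-34-56 98765432")})
    return {normalize_name(rec.name): rec}


def assess_invoice(vendor_name: str, account: str, vendor_master: dict) -> dict:
    """Decide whether an invoice may be paid or must first be verified by phone."""
    rec = vendor_master.get(normalize_name(vendor_name))
    acct = normalize_account(account)
    if rec is None:
        # New company: no history, so the number must be found independently.
        return {"action": "callback", "reason": "new vendor",
                "verify_via": "official directory lookup"}
    if acct in rec.paid_accounts:
        return {"action": "pay", "reason": "account previously paid without incident",
                "verify_via": None}
    # Known vendor but the account changed: classic invoice-redirection sign.
    return {"action": "callback", "reason": "account differs from records",
            "verify_via": rec.directory_phone}


def record_verified_account(vendor_name: str, account: str, vendor_master: dict) -> None:
    """After a successful callback, store the account so later invoices are fast-tracked."""
    vendor_master[normalize_name(vendor_name)].paid_accounts.add(normalize_account(account))
```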
Not even your boss
It’s not always invoices in the name of another company that are sent out. Sometimes it’s important emails from a boss or a very high-ranking individual within the company such as the CEO or the CFO. They demand that funds be moved from one account to another ASAP. Such frauds are also known as CEO scams or Whaling.
No matter how urgent they might sound, or how often similar orders might have come in the past, such emails should always be verified with a phone call. A good CEO should encourage such vigilance from his employees. It means that the effort spent on cyber security training for the finance division has paid off. And it could wind up saving the company considerable sums.