Hackflation: a real business threat that is not going away soon
For a business of any size, a single hack could threaten the entire company. Precautionary measures can help protect you from financial calamity.
By Zach Rosenberg and Kent Lang
The headlines about rising costs and interest rates are everywhere. But what about the rising costs of scams?
By now, you have probably heard a story of someone you know falling for an e-mail scheme and sending money overseas. But unlike the schemes of old, people are not falling for the “Nigerian prince” promising riches. Instead they are victims of schemes that look more like identity theft. How do you know that the person reading the e-mails you send is the person you are trying to reach and not someone who guessed their password?
In a 2019 article, we described a common scheme that became a bigger risk during the pandemic. The Business Email Compromise (BEC) or Email Account Compromise (EAC) scam is still in use today. The FBI has warned of these schemes since 2016 and recently reported that Arizona businesses lost over $22 million to these schemes in 2021 alone.
HOW THE SCHEMES WORK
The schemes are getting more sophisticated. Hackers mine company websites, social media posts, and other public records and even use social engineering to create a profile of their victims. They know which employees are responsible for handling money, authorizing payments, etc. Hackers can often surmise when a contractor is going to get paid and convince an unwitting victim to send money to the wrong account. These scammers can also be manipulative, creating a false sense of urgency by suggesting that payments need to be made immediately. Hackers know that when you are rushing, you are more likely to miss the subtle signs of a scam.
These schemers also know that the longer it takes for the victims to discover they have been defrauded, the more likely they are to get away with the money by moving it into cryptocurrency or transferring it to another account. We have seen schemes where the hacker communicated with both the payor and the intended recipient, with the hacker confirming to the payor that the money was received and telling the intended recipient that the money will be sent “next week.”
By the end of “next week,” when the intended recipient starts asking the payor where the money is and the scheme comes unraveled, the hacker and the money are long gone.
There are a number of things you can do to proactively prevent these schemes, and ways to react to them if you are a victim.
First, be proactive:
Follow good cyber hygiene. Don’t open links from unknown senders; don’t open any attachments to any e-mails that look suspicious; and don’t respond to unsolicited e-mails, particularly where the sender is pressing to send or receive money and is on a tight schedule.
Use strong passwords for your e-mail and computer systems. Where possible, use two-factor authentication, which will help prevent a hacker from accessing a computer system even if the password is compromised. Always install the latest security updates and use anti-malware software.
Treat any e-mail you receive with payment instructions like it came from a “Nigerian prince.” Always verify payment instructions by calling someone you know, using a phone number you already have on file or obtain independently of the e-mail (for example, from the company’s official website). Never use a phone number supplied in an e-mail that calls for sending money somewhere; a scammer who wrote the e-mail can just as easily supply a number that rings through to an accomplice.
Do not fall into the “urgency trap.” If something like sending or receiving money is truly time sensitive, pick up the phone or drive over and talk it out in person.
Pay by check. It may be less convenient for you and your business partners, but the hackers will have a harder time (a) getting their hands on the check and (b) cashing it when it is made out to the proper recipient.
Consult an attorney to draft your contracts to set up procedures for verifying payment instructions, payment receipts, and the person responsible if the money is intercepted.
React quickly if you discover you are the victim:
Call the banks immediately and let them know of the fraud. Find out if you can claw back the payments.
Contact the FBI to let them know of the hack. They may be able to find the culprit. Even if they cannot, you never know where the money went. Better to tell the FBI it is missing than to have them ask, maybe years later, why money from your account went to a known criminal organization.
Call your insurance carrier and find out what coverage you may have for these losses.
If the hacker impersonated you or one of your employees, tell everyone you are doing business with and put precautions in place to double- or triple-check payment instructions.
Consult an attorney to assess your liability or help you get paid.
The law is still unsettled as to who is responsible for these hacks. Is the recipient just out of luck? Does the payor have to pay twice? The best plan is to be proactive and avoid these situations.
A Note to Attorneys. This scheme has succeeded across many industries and professions. Attorneys should be aware that it has been used to intercept settlement payments and could be used to intercept or divert payments from a firm's accounts, including the trust account.