Email fraud doesn’t always look like fraud. More often than not, it can look like a legitimate request from a partner, someone inside your business or organization or even your boss. These scammers have done their homework, and can fool even the savviest business owners and employees. If you wire money or send ACH transactions, you should always be on guard.
What Does Email Fraud Look Like?
Email fraud attempts are very common and have evolved in the past few years. They can look obvious – almost everyone’s spam or junk email folder is full of emails from a Nigerian prince or a friend suddenly in need of cash – but more often than not, they look like real requests for funds, maybe even like they are from a vendor, partner, or colleague whom you’ve paid electronically before.
Email spear phishing starts with research and targets a company’s executive and finance staff. They send an urgent email to the finance person telling them to send an ACH or wire transfer. The email looks like it’s from the executive, but it’s not, and was actually sent from a similar or spoofed domain.
In the past couple of years, several examples of successful fraud have done just that. In 2015, Scoular Co, an Omaha-based grain trading firm, was swindled out of more than $17 million through an international email scheme. The company sent a total of $17.2 million through three wire transfers to a bank in China, acting on emails sent to an accounting executive, which appeared to be from Scoular’s Chief Executive Officer and the company’s auditing firm. They appeared legitimate, and he was fooled.
But, these types of attacks are not just on large corporations. They can target small businesses, churches, and nonprofits, too. Often contacting bookkeepers and executives, and using similar domains. They do their homework and appear legitimate.
What Can You Do To Protect Your Company?
Preventing email fraud is as simple as a phone call. If you receive an email request for a wire transfer, online payment, or ACH payment from someone, even if they are within your company or one of your clients, always confirm by phone or in person and never by email. Especially if the request is urgent.
People making legitimate requests, especially urgent ones, will pick up the phone and if you can’t confirm, don’t send money. It’s that simple. Losses from ACH and wire fraud are typically not recoverable and costs can be significant. Don’t fall prey to these attacks.