With many employees working remotely and heightened uncertainty due to the COVID-19 pandemic, cybercriminals are increasing their attacks on businesses, nonprofits, and municipalities. It’s important to know what to look out for and how you can improve your defensive tactics and protect your business’ funds.
One way cybercriminals try to get your funds is through Business Email Compromise (BEC). This is a type of scam targeting companies that send wire transfers, checks, and automated clearing house (ACH) transfers.
A BEC fraudster researches your company online, and then impersonates a vendor (or another company you do business with) to try to trick your employees into changing the vendor’s payment information so your payments go into fraudulent accounts. The fraudster may even pose as an employee, requesting changes to that employee’s direct deposit payment information so the employee’s salary goes into a fraudulent account.
Watch out for these BEC red flags
- Urgent requests with last-minute changes to the wiring instructions or account information
- New vendor contacts and/or new and different email addresses
- Refusal to communicate via telephone
- Unexpected advance payment requests (often supposedly due to the impact of COVID-19)
With the recent increase in remote work, it’s important to be diligent and verify all requests to change payment destinations, regardless of the source. If you’re suspicious, call a trusted contact at that vendor or the employee directly, using the contact information on file. Do not use the contact information provided in the potentially fraudulent email.
If your business becomes a victim of BEC fraud, contact your financial institution right away to request a recall of funds. As soon as possible, you should also file a complaint with the FBI’s Internet Crime Complaint Center at www.ic3.gov or BEC.IC3.gov.
Cybercriminals may also try to get your funds by tricking employees into providing the information necessary to access your account. Most banks will not ask your employees for complete personal or account-identifying information, so your employees should be suspicious of any request like that. For example, Camden National Bank never contacts its customers to request their account number, secure access code, username or password. We also don’t ask for personal information, like full Social Security numbers. Plus, any text alerts that we send come from a special 5- or 6-digit short code, and not a regular phone number. If you are our customer and ever have any doubts about an information request, call us at 866-265-9195 to verify.
5 strategies for safeguarding your business’ funds
- Staff education is a very effective defense. While it is common for treasury staff to discover payments fraud, the entire company has a role to play in prevention and detection. Trainings and resources to teach best practices are essential. Some companies even send out simulated BEC scams or information requests in order to test their employees and keep cybersecurity top of mind. Remember, anyone with an email address may be subject to payment scams.
- Review your financial security procedures. Take the time to review your dual controls, add verbal verification, confirm who in your company is authorized to make certain transactions, and be sure to check your transaction activity and credit reports on a regular basis for unauthorized activity.
- Take advantage of services that protect your accounts. Many banks have a positive pay system to help detect any unusual check fraud, whether there’s a mismatch in the payment amount or a payee’s name. Other services such as Automated Clearing House (ACH) Filter and Block Services can also help you block any unapproved transactions or unauthorized companies on your account.
- Use secure online wire transfers. Make sure you have dual controls from different computers, plus a token device or app for multi-factor authentication.
- Set up account alerts. Most financial institutions offer account alerts within online or mobile banking so that you can be the first to know of any important account activities, such as withdrawals, transactions and more.
With all the changes that have occurred due to the COVID-19 pandemic, increased cybersecurity attacks pose more of a threat than ever. But if you know what to look for, make effective use of available services, maintain solid security procedures, and have good staff education, you can fend off those attacks.