Take Steps to Minimize Your Business’s Risk of Becoming a Cyber Crime Victim
The morning coffee is still brewing when an email appears in the inbox of an accounts payable employee at a local business. The company’s CFO is requesting an immediate wire transfer of $22,000 to a longtime vendor. The tone of the message is clear: This is an important matter that demands decisive action. And the clock is ticking.
What would you do?
Everything about the email seems to be in order. At a glance, the domain name looks legitimate. The content and appearance of the correspondence are convincing, right down to the company’s signature line. With little reason for suspicion, the employee follows through on the directive and initiates the transaction.
A mouse click sends the $22,000 on its way – to an overseas account controlled by cyber criminals.
This method of attack, known as Business Email Compromise (BEC), has the potential to cost a company millions of dollars. Even the most astute employee can fall victim to one of these savvy, authentic-looking schemes. From June 2016 until July 2019, BEC resulted in a total exposed dollar loss of over $26 billion, according to the FBI’s Internet Crime Complaint Center (IC3).
The impact of cyber fraud can extend beyond lost time and revenue, according to Jennifer Bidlingmyer, Senior Vice President, Treasury Management Sales Director at Premier Bank.
“Those who become victims of cybercrime are usually loyal, dedicated employees,” she says. “After a lapse in judgment has been made and the individual and company have been victimized, there’s a great deal of emotional impact that’s involved, and that can totally disrupt the operation of a business.”
Bidlingmyer explains that bank treasury management departments can play a vital role in mitigating the risk of cybercrime, while helping customers take advantage of the convenience of online banking and additional account monitoring services. This is accomplished through monitoring unusual account activity, providing ongoing company-wide education, and performing annual reviews to make sure cybercrime prevention controls are in place.
As cyber villains dedicate themselves to devising new and more sophisticated ways to steal money and sensitive data, Bidlingmyer says it’s imperative for businesses to be equally dedicated to blocking these attempts.
Businesses should take the time to learn about the latest cyber scams and be prepared to act appropriately, Bidlingmyer says. Oftentimes there is a commonsense approach to thwarting an attack. Business Email Compromise is a good example.
To perpetrate this scam, fraudsters research the targeted company online, secure the name and email of an employee authorized to handle large wire transfers, create an email address with a domain name close to the company’s real one, craft a persuasive email, and then rely on a well-meaning employee to bypass authentication protocol.
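The near-match sender domain in that scheme is something a mail filter or review script can check for before a payment request reaches an employee. The following is an added example, not part of the original article: it labels a From header as internal, lookalike or external, and the company domain examplecorp.com, the distance threshold and the sample headers are all assumptions constructed for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Assumption for illustration: the organisation's real sending domain.
COMPANY_DOMAIN = "examplecorp.com"

# Character swaps that read the same at a glance (digit-for-letter, "rn" for "m").
SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
MULTI = (("rn", "m"), ("vv", "w"))

def skeleton(domain):
    """Canonical form in which visually similar spellings collide."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    d = d.translate(SINGLE)
    for seen, meant in MULTI:
        d = d.replace(seen, meant)
    return d

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, company=COMPANY_DOMAIN, max_distance=2):
    """Return 'internal', 'lookalike' or 'external' for a From header value."""
    address = parseaddr(from_header)[1]
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if domain == company or domain.endswith("." + company):
        return "internal"
    if edit_distance(skeleton(domain), skeleton(company)) <= max_distance:
        return "lookalike"  # near miss of our own domain: hold for verification
    return "external"

# Constructed sample headers, not taken from any real message.
SAMPLES = ["Pat Doe <cfo@examplecorp.com>", "Pat Doe <cfo@examp1ecorp.com>",
           "Pat Doe <cfo@exarnplecorp.com>", "billing@vendor-supplies.net"]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):9}  {header}")
```

A threshold of 2 suits a domain of this length; a short company domain needs a threshold of 1 to avoid flagging unrelated senders.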
“Cyber criminals are looking for a breakdown in risk control procedures to get their foot in the door,” Bidlingmyer says. “They know that a person receiving a directive from the CFO is likely to follow suit, or at least ask fewer questions.”
The good news is that there is a practical way to slam the door on this particular scheme, provided that employees are trained on established procedures.
“Whenever there is any kind of email request for a transfer of money, there must be a second form of authentication,” Bidlingmyer explains. “That could simply mean picking up the phone and calling the CFO to verify the email. This policy can entirely eliminate the problem.”
Employees who are authorized to initiate online transactions and fulfill online payments should be subject to oversight and approval by a secondary person, Bidlingmyer says. Having dual controls provides a company with two advantages: protection against internal and external fraud, and the added benefit of catching clerical errors that can be costly.
When banking online, customers benefit from Multi-Factor Authentication systems designed to ensure that only authorized users can access their accounts, Bidlingmyer says. In one common scenario, a customer will log into online banking using her password and then be asked to enter a one-time password that has been sent to her email address or phone.
Bidlingmyer explains that it’s critical for companies to be proactive when it comes to cybercrime. Best practices include installing anti-virus/malware software and keeping it updated; developing a comprehensive cyber security plan; changing employee passwords on a regular basis; reviewing accounts daily for even the smallest discrepancies; and making sure employees follow routine safeguards, such as never clicking on suspicious email attachments and notifying those in charge when they suspect foul play.
By putting controls in place, focusing on employee training, and maintaining a close and communicative relationship with the bank, businesses can confidently enjoy the benefits of online banking, Bidlingmyer says. For businesses considering converting to an online platform, she offers this parting message: Be vigilant about keeping an eye out for fraud, but also understand the good guys still outnumber the bad.
“A high percentage of us are going to do the right thing,” she says. “And most emails that come across are absolutely valid with the best interest of the business in mind. But it’s still important to do whatever is necessary to minimize the risk.”