Insights
Keeping Thieves Away: Best Practices for Protecting Your Business from Fraud
How to safeguard your business from potential financial losses and business disruption due to fraud during the COVID-19 pandemic.
With hacking attempts becoming more frequent and global cybercrime already on the rise, the coronavirus pandemic is offering a new set of opportunities for hackers to exploit people’s fears and system vulnerabilities for their financial gain. Recent research revealed that 22 percent of Americans have already been the target of digital fraud related to COVID-19, and Google has already seen a 350 percent surge in phishing websites since the start of the pandemic.
On the business side, as the outbreak continues and more employees start working remotely, experts predict that businesses will see an increase in cyber-attacks and breaches, stemming from work-from-home scenarios. In fact, the FBI is already seeing a spike in fraud schemes related to the coronavirus pandemic, and the U.S. Department of Homeland Security is warning businesses about potential cyber security threats, advising individuals and businesses alike to be on the lookout for fraudsters.
To help safeguard and strengthen your business against financial fraud, it’s important to know what methods scammers use to elicit financial information, and the best practices and tools you can use to protect yourself and your business.
Business email compromise
Business email compromise happens when fraudsters gain unauthorized access to a company’s email account(s). They obtain information and track activity to impersonate employees, vendors, customers, and business partners to request payment or obtain account information. They make payment requests that look authentic, but the instructions in the email route the funds to an account owned by fraudsters.
“Business email compromise is the number one reason businesses are experiencing fraud, and it’s happening to businesses of all sizes,” says Nadilee Russell, director of Global Transaction Services (GTS) at East West Bank. “Because the fraudsters usually impersonate someone who you trust and request payment, the only way to identify the authenticity of the payment request is to call that person back, using the phone number you have on file for them and not the one that’s stated in the email.”
Fraudsters carefully research and monitor their potential target victims’ emails to identify anything that is a request for payment, and heavily rely on social engineering tactics to trick unsuspecting employees and executives. “Once they get ahold of your emails, they would monitor them, trying to identify any patterns and useful information,” says Russell.
A pattern could be the date when invoices come in. In that case, the fraudsters would try to send an email with the request for payment that looks like it would come from a regular vendor or a supplier right before that date and may actually get their payment.
“Business email compromise is the number one reason businesses are experiencing fraud, and it’s happening to businesses of all sizes.”
Even the most seasoned businesspeople fall for this type of fraud, as did Barbara Corcoran, the real estate guru and co-star of “Shark Tank.” Corcoran lost $400,000 to an email phishing scam, when her bookkeeper supposedly got an invoice from her assistant approving the payment for a real estate renovation. Because the fraudsters used an email address very similar to Corcoran’s assistant’s email address (it was misspelled by one letter), the bookkeeper didn’t think anything of it, and, upon communicating with the fake email address, wired the money to the scammers.
According to the FBI’s 2019 Internet Crime Report, business email compromise has been a major concern for years, costing businesses millions of dollars. In 2019 alone, the agency recorded 23,775 complaints related to business email compromise, which resulted in more than $1.7 billion in losses. And 2020 will most likely see a steep increase in these numbers and this type of fraud.
Ways to protect yourself from business email compromise
To strengthen your defenses against fraud, here are some best practices:
- Verify payment request by calling the sender, using the phone number previously kept on file, not the phone number provided in the email
Validate all payment requests and confirm routing changes/instructions.
“Make sure you have updated contact information by actually reaching out to the customer by phone. Using email as the means of communication may not be going far enough in validating that you're talking to the right person,” says Russell. “Don't trust every email you get. Validate. If you do experience fraud, timing is of the essence. Contact your bank immediately.”
- Implement dual control
Implement dual control security settings on online banking, and initiate and approve electronic payments on separate computers. Having a minimum of two people involved in a transaction ensures accuracy and adds a layer of protection, which makes it harder for fraudsters and internal employees to compromise your accounts.
- Install IBM Security Trusteer Rapport
Trusteer Rapport is an online banking fraud protection software that works alongside your current security software. Once installed, it protects the customer’s device against financial malware and phishing attacks, verifies that you’re connected to your bank’s actual website and creates a secure line of communication.
- Reconcile account activities daily and regularly review user access
“One of the best tools for identifying fraud is looking at your banking account activity and transactions every day to ensure that they are valid,” says Russell.
With the ease of online banking platforms, you can easily review account activity, manage incoming and outgoing payments, customize alerts, review reports, create and manage payments and much more.
Additionally, to manage risk, you can allocate limits and permissions to your employees on an “as needed” basis and promptly deactivate employee’s access when it’s no longer needed.
- Establish transaction dollar limits and set email alerts
Setting dollar limits on transactions will help limit exposure, in case of an unauthorized payment attempt. “Any dollar amount that you think is appropriate for the size of your business would be the right amount to put as a threshold,” says Wendy Waldron, GTS national sales manager.
Setting email notifications for ACH, wire transfers and balance thresholds will also help pinpoint unauthorized transactions and unwarranted changes to your account balance, so you can promptly act upon them.
- Enhance your password security
Make your passwords complex, and never use the same password for different accounts and systems. Try combining random words together and incorporate upper- and lower-case letters, numbers and symbols. Never use birthdays, family names or telephone numbers, for they can be easily figured out by the fraudsters. Additionally, consider using false answers for security authentication questions to help strengthen your account’s security.
- Use Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) when possible
Adding either two-factor or multi-factor authentication adds an extra layer of credentials to prove that the person who is signing in is truly who they say they are. You can use SMS text codes, codes received via a smartphone app, email codes, hardware devices, voice biometrics and others. Having an added layer of security makes it harder fraudsters to carry out the attack.
Fraud protection products
Additionally, businesses can use the following products to safeguard their assets and to help minimize the chance of fraud:
- Positive Pay
Positive Pay is a tool that protects customers from check fraud. The service works in the following way: The customer provides data on authorized checks to the bank. The bank compares that data against checks that are being presented to the bank for payment. If there are any discrepancies, the bank informs the customer, who can then view the suspected items via online banking, with the option of either paying or returning them, or correcting any check errors, without having to contact the bank.
- ACH Positive Pay
ACH Positive Pay is an efficient and cost-effective electronic debit fraud prevention tool that monitors and manages ACH debit activity through online banking. With ACH Positive Pay, the customer sets up a list of approved vendors that will be paid automatically and sets rules, which can be changed at any time, on their account to block or authorize electronic debits. This helps prevent unauthorized transactions, while allowing certain transactions to go through. In addition, customers receive email alerts about the status of ACH transmissions and any ACH activity that’s affecting their account.
“Unfortunately, there are a lot of bad guys out there today, looking to try and take your money,” says Waldron.
Russell adds, “And it’s during these times that fraudsters materialize, and the fraud happens.”
For this reason, being mindful, implementing security measures and utilizing available fraud protection tools will help protect you and your business from potential financial losses, business disruption, recovery time and costs associated with fraud.