I once worked with a client who was accused by another company of not having email security because the company was “phished” and sent a wire transfer to what appeared to be a legitimate payment link but ended up being fraudulent. It was no small money transfer either. The wire was more than $50k… ouch.
My client ended up being fine, but I wanted to point out some “red flags” to protect you and your business from this type of fraud. These “red flags” were ignored by the company, which is why the fraud was successful.
- Check the URL carefully for EVERYTHING.
Sadly, in this day and age, it is way too easy for fraudsters to purchase a web domain that is spelled “almost” exactly like any other company's. They can purchase the company name with a “.net” or “.co” or any number of other extensions that are close to, but not exactly, the web domain of the company you are legitimately doing business with. Switching a few letters around in the name or using .net could go undetected if you aren't careful.
Once this “dupe” company domain is purchased, email addresses for company officers, purchasing agents, and other personnel can easily be created. Spend 15 minutes on LinkedIn and a fraudster can create an excellent-looking email address, complete with logo and signature. This can easily be faked, particularly with smaller businesses.
- Do you have previous business dealings? Changes in processes should be suspect.
Let's say you've transacted business with the legitimate company previously. They sent an invoice, and you paid it online with a specific link. Or you sent them a check. Or you've always had “Net 30” terms.
But suddenly you get a request for a wire transfer. To a different business address? Time to ask some questions.
Pick up the phone. Start a new email to the address you have on file for the department you typically work with.
And don't ask by replying to the email! If you typically work with [email protected], email Jon directly. If you aren't careful, you would reply to [email protected], and they would happily confirm the directions to send a wire. Notice the spelling in the email that sent you the request versus the one you actually send communications to normally?
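The two checks above (a sender domain that is “almost” your vendor's, and a reply that would go somewhere other than the address on file) can be automated before an invoice or wire request ever reaches the person who approves payments. The script below is an added example and is not from the original post: it assumes a hypothetical list of vendor domains kept on file (the domains and message headers are constructed for illustration) and flags a sender whose domain uses the same name with a different extension, is within a couple of letter changes of a known vendor, or carries a Reply-To that points somewhere other than the visible sender.

```python
"""Lookalike-domain check for inbound invoice / payment-change e-mails.

Added example, not code from the original post. It assumes a list of
vendor domains kept on file; every domain and header below is constructed.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List, Optional

# Constructed vendor domains "on file" (hypothetical).
TRUSTED_VENDOR_DOMAINS = {"acme-supply.com", "northwind-llc.com"}

# Extensions a fraudster might register alongside the real one.
COMMON_TLDS = (".com", ".net", ".co", ".org", ".biz", ".us")

# Anything this close to a vendor name is treated as a possible dupe.
MAX_EDITS = 2


def domain_of(address: str) -> str:
    """Return the lowercase domain part of a From:/Reply-To: header value."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable_label(domain: str) -> str:
    """Strip a known extension: 'acme-supply.co' -> 'acme-supply'."""
    for tld in COMMON_TLDS:
        if domain.endswith(tld):
            return domain[: -len(tld)]
    return domain


def edit_distance(a: str, b: str) -> int:
    """Edits (insert/delete/substitute/adjacent swap) to turn a into b.

    Counting a swap as one edit means 'acme-suplpy' is one edit away from
    'acme-supply', which is how these dupes are usually built.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


@dataclass
class Verdict:
    trusted: bool
    reasons: List[str] = field(default_factory=list)


def check_message(from_header: str, reply_to_header: Optional[str] = None) -> Verdict:
    """Decide whether a payment-related e-mail came from a vendor on file.

    Returns trusted=False with one reason per red flag found.
    """
    reasons: List[str] = []
    sender = domain_of(from_header)
    trusted = sender in TRUSTED_VENDOR_DOMAINS

    if not trusted:
        label = registrable_label(sender)
        for known in sorted(TRUSTED_VENDOR_DOMAINS):
            known_label = registrable_label(known)
            if label == known_label:
                reasons.append(f"{sender} uses the name of {known} with a different extension")
            elif edit_distance(label, known_label) <= MAX_EDITS:
                reasons.append(f"{sender} is within {MAX_EDITS} edits of {known}")
        if not reasons:
            reasons.append(f"{sender} is not a vendor on file")

    # A reply would go to Reply-To, not to the visible sender; if those differ,
    # "just reply and ask" confirms the wire with the wrong party.
    if reply_to_header:
        reply_domain = domain_of(reply_to_header)
        if reply_domain and reply_domain != sender:
            trusted = False
            reasons.append(f"replies go to {reply_domain}, not {sender}")

    return Verdict(trusted, reasons)


if __name__ == "__main__":
    # Constructed sample headers.
    for frm, rto in [
        ("Jon <jon@acme-supply.com>", None),
        ("Jon <jon@acme-supply.co>", None),
        ("Jon <jon@acme-suplpy.com>", None),
        ("Jon <jon@acme-supply.com>", "Jon <jon@acme-supply.co>"),
    ]:
        v = check_message(frm, rto)
        print(frm, "->", "OK" if v.trusted else "RED FLAG", v.reasons)
```

A flagged message is not proof of fraud, only a reason to pick up the phone or start a fresh email to the address on file rather than replying. The domain list is deliberately exact-match: a vendor's new subdomain or second domain is added to the file after it has been confirmed out of band, never because an email says so.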
- Have strong financial controls in place.
Please answer the following questions about the financial controls your company has in place for remitting payments.
- What are your internal processes for paying invoices?
- How do you confirm invoices are ready to be paid and all deliverables have been received?
- What level of authorization and payment approval is required based on the invoice total?
- What is the maximum amount someone can remit with only one signature?
If you cannot answer these questions, please, please look at your internal financial controls. And there's one more. Who sends the authorized transfer or signs the checks? Is it your admin? Your CFO? Who is authorized to send money from your company and has signature authority on your accounts?
As part of the matter, one unfortunate outcome was that the CFO of the other company was let go. Because we asked these questions. Whether my client's email was hacked or the company's email was “phished,” the answers to these questions revealed at least four different places in the typical corporate payment process where the fraud could have and should have been detected. And ultimately no reasonable company with these controls would have wired the money.
Which is part of the reason my client was fine. Without getting too legalese here, the other company had a bit of a challenge proving that, even if my client had indeed been hacked (it turns out they weren't), the hack was the actual and proximate cause of the wire transfer to the fraudulent address. And yeah, we could definitely show some liability on their part, in at least four places.
Evaluate Your Business
If you don't have strong processes and controls in place in your business for every financial transaction, you could become the victim of this type of fraud. Unfortunately, it is way too easy these days to dupe company emails, websites, and other marketing assets. I'm sure you've heard of the PayPal scam or some other scam where people click legitimate-looking links and change passwords or give away banking access.
This fraud was slightly more elaborate because companies typically have strong controls in place to evaluate invoices and remit payments to vendors and suppliers. Take a moment and review the questions above and take the time to make the necessary changes in your processes to protect your business.
Finally, if something like this has ever happened to you, understand that it is becoming more and more common. The Egress blog post “Must-know phishing statistics - updated for 2023” has some startling statistics, and it's a multimillion-dollar problem. Unsurprisingly, Facebook was the most duped company. Awareness and following strong processes will be your company's best defense.
Dawn K Kennedy is a business lawyer and entrepreneur. She is a partner in Bowen & Kennedy P.C. and serves clients across California and in the federal courts.