Q: Where can I report people who are sending my company fake wire transfer scam messages?
A: One of the fastest-growing Internet banking scams that specifically targets businesses is a very clever form of wire transfer phishing fraud.
Heartland Financial, the parent company of more than 90 community banks, says the typical scenario involves a member of the accounting department getting an email message from what appears to be the CEO, CFO or other high-ranking executive within the company asking them to prepare a wire transfer.
The scammers generally study their victims before the scam, so they know the names and email addresses of the people in the company most likely to be involved in accounting processes.
The variations that I’ve seen over the years always spoof the sender’s address, so if the recipient isn’t paying attention, they simply assume it’s a legitimate request.
In some cases, the request will come while the CEO/CFO is out of town, so as to minimize the chances that an offline conversation would expose the scam (credit social media posts for this ability).
Despite clear red flags such as strange salutations or improper grammar, enough accounting departments have fallen for this scam to encourage the scammers to increase their efforts.
The popularity of social networks such as LinkedIn and Twitter makes the “research” portion of the scam much easier, and some have speculated that news releases or news stories can be the initial clue that marks a company as a target.
If someone in your organization falls for these clever social engineering scams, it could be very costly.
“The reality is that when this happens, if it goes more than a business day or two from the time the funds are sent, we never get the money back,” said Greg Normington, Heartland’s vice president of treasury management and product manager.
You can report these scam messages at a number of places, but the sheer volume of this type of activity makes it pretty unlikely that much will happen.
My accounting department recently received a scam wire transfer request message that claimed it was from me, so I had them play along so we could get the bank name and account and routing numbers that the scammers were attempting to use.
With this specific information, I contacted the listed bank by phone and emailed the information to their fraud department, but later found out that the best way to report the information is in person at a bank branch (not of your own bank, but of the bank being used by the scammers).
We determined that the account number was valid, but couldn’t find out whether it was set up by the scammers or a legitimate account that the owner didn’t realize had been compromised.
As a preventive measure against this growing scam, it’s highly recommended that all businesses set up dual controls or other extended approval methods for wire transfers.
Companies should also consider moving away from email as an interoffice communication standard — it’s the most common threat vector these days.
Private networking and messaging platforms are plentiful and worth considering for all organizations.
Ken Colburn is founder and CEO of Data Doctors Computer Services
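
One way to screen inbound mail for the spoofed-executive pattern described above, as an added example that is not part of the original column: it flags an executive display name on an outside address, a Reply-To that diverts replies, and a company From address that did not pass DMARC. The company domain, executive names, keyword list and sample messages are constructed placeholders, and it assumes your mail gateway records an Authentication-Results header on inbound mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed placeholders (not from the article): adapt to your organization.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"pat rivera", "sam okafor"}
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|routing|beneficiary)\b", re.I)

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def review_message(raw):
    """Return reasons to hold a message for out-of-band verification."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    # Assumes the receiving gateway stamps this header on inbound mail.
    auth = msg.get("Authentication-Results", "").lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    reasons = []
    if name.strip().lower() in EXECUTIVES and domain_of(addr) != COMPANY_DOMAIN:
        reasons.append("executive display name on an outside address")
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append("Reply-To domain differs from From domain")
    if domain_of(addr) == COMPANY_DOMAIN and "dmarc=pass" not in auth:
        reasons.append("company From address without a DMARC pass")
    # Escalate only when a suspicious message also asks to move money.
    if reasons and PAYMENT_WORDS.search(f"{msg.get('Subject', '')}\n{body}"):
        reasons.append("payment request: confirm by phone before acting")
    return reasons

# Constructed sample messages (not real mail).
SPOOFED = (
    "From: Pat Rivera <pat.rivera@example.com>\n"
    "Reply-To: pat.rivera@examp1e-mail.test\n"
    "Authentication-Results: mx.example.com; spf=fail; dmarc=fail\n\n"
    "Kindly prepare a wire transfer today.\n")
LOOKALIKE = (
    "From: Pat Rivera <ceo@examp1e.test>\n"
    "Subject: Wire needed\n"
    "Authentication-Results: mx.example.com; dmarc=pass\n\n"
    "Send me the routing details.\n")
LEGIT = (
    "From: Pat Rivera <pat.rivera@example.com>\n"
    "Authentication-Results: mx.example.com; dmarc=pass\n\n"
    "Noon works.\n")
for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
    print(label, review_message(raw))
```

A flagged message should feed the dual-control approval step for wire transfers, not replace it.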