Beware of a form of wire fraud which relies on deceptive email messages. We have had multiple customers encounter this scam in the past few months. In each case, someone within the management structure received an email message which seemed to come from another person within the company. The message requested an immediate wire transfer to the bank account of a “vendor” or other third party.
Needless to say, the supposed sender of the email message knew nothing about it, and the chances of recovering any monies wired to the specified bank account were slim.
You might think hackers broke into the company email system to pull off this scheme, but you would be wrong. In the cases we have encountered, the scammers achieved the deception by “spoofing” the email address of a person within the target organization or by sending email from a domain which appeared similar to, but was not the same as, the email domain of the target.
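Both deceptions leave traces in the message headers that a mail filter can check. The following Python is an added example, not part of the original article: the domain `example.com`, the function names and the sample messages are assumptions made for illustration, and it assumes the receiving mail server records its own `Authentication-Results` header.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's real mail domain

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(raw_message, org_domain=ORG_DOMAIN):
    """Return 'lookalike-domain', 'spoofed-internal', 'internal' or 'external'."""
    msg = message_from_string(raw_message)
    addr = parseaddr(msg.get("From", ""))[1]
    domain = addr.rpartition("@")[2].lower()
    if domain != org_domain:
        # Similar to, but not the same as, our domain (one or two edits away).
        return "lookalike-domain" if edit_distance(domain, org_domain) <= 2 else "external"
    # The From address claims our domain. Assumption: the border mail server
    # strips inbound Authentication-Results headers and adds its own, so a
    # missing or failing DMARC result means the sender was not authenticated.
    auth = msg.get("Authentication-Results", "").lower()
    reply = parseaddr(msg.get("Reply-To", addr))[1]
    if "dmarc=pass" not in auth or reply.rpartition("@")[2].lower() != org_domain:
        return "spoofed-internal"
    return "internal"

# Constructed sample messages (not taken from any real incident).
SAMPLES = {
    "lookalike": 'From: "Pat Lee" <pat@examp1e.com>\nSubject: Wire today\n\nPlease wire...',
    "spoofed": ("From: pat@example.com\nReply-To: pat@mailbox.test\n"
                "Authentication-Results: mx.example.com; dmarc=fail\n\nPlease wire..."),
    "genuine": ("From: pat@example.com\n"
                "Authentication-Results: mx.example.com; dmarc=pass\n\nLunch?"),
    "vendor": "From: billing@vendor.test\nSubject: Invoice\n\nAttached.",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

A message classified as `lookalike-domain` or `spoofed-internal` is a candidate for quarantine or a warning banner, not proof of fraud; very short domains produce false positives with a fixed edit-distance threshold.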
Our customers were surprised that the scammers would know to whom they should send such messages. The controller of one company told me that if his organization was going to wire money, he was the person who would do it. And the person who supposedly sent him the message would be the one to request it. While this may appear to be the result of “inside knowledge”, remember two things:
- A significant amount of information about your company is available on the Internet, including the name of your controller or CFO and the other members of your management team.
- Spam is cheap. For every email that hits home and looks like it came from someone with “inside knowledge,” there may be a thousand which were discarded because they contained details that were slightly off, making them obvious fakes.
This type of fraud has been around for a while and can take several sophisticated forms. Symantec has a good overview of how it works, and an excellent article by J.P. Morgan goes into significant detail about these schemes and how you can protect yourself.
At a minimum, you should adopt security measures within your management team, such as using independent verification of any email-based wire transfer request. I’m a fan of using text messaging to verify with the original sender, since scammers sending spam are not likely to have stolen his or her cell phone.
Just remember that wire transfers basically amount to someone walking up to you on the street and saying “Give me your money, please.” So make sure you know them before you hand it over.
Brian S. Pauls is the president of PerAspera Consulting, LLC, providing comprehensive technology solutions, from the Web, to mobile devices, to the desktop. He doesn’t do a lot of wire transfers and is generally offended by spam.