As the world becomes increasingly connected, it can be easy to forget some simple steps executives can take to protect their businesses from email fraud.
What many do not realize is that their workplace email account can be vulnerable to cybertheft. Criminals can hijack your account and adopt your identity or that of another executive, putting the entire business at risk.
However, by implementing and following stronger security measures and paying attention to the style and tone used in the message, executives can take greater control in preventing fraud.
“One of the things we proactively share with our lenders is [the potential for] business email compromises,” said Nathan Horn-Mitchem, first vice president, information security director of Provident Bank, a New Jersey-based bank with branches in the Greater Lehigh Valley. “It’s an increasingly low-tech form of fraud.”
HOW FRAUD OCCURS
A criminal will use a software program that can make it appear as though the person sending an email to an employee is from within the company, often a high-ranking executive or CEO.
The email may include a request to wire or transfer money, a scheme that can cost companies millions and that some big companies have fallen for, Horn-Mitchem said. And once wire fraud occurs, the likelihood of recovery is low.
Criminals also are very adept at using human psychology to get people to open emails and respond to them. Some employees may not want to admit they opened a suspicious email and hope that by keeping quiet, nothing will happen.
Email accounts can be hacked too easily, and employers should weigh the convenience against the risk when deciding to use them for transferring money.
In wire requests made through email, hackers often use a tone of urgency, an email address that looks like the boss’ account, or language with sloppy grammar. These are all clues to look for in fraud, said Jeffrey Groff, chief information security officer at Univest Corp., based in Souderton.
It also pays to use Wi-Fi networks carefully.
“We tell our employees that because they travel a lot,” Horn-Mitchem said. “When I do my new hire training, [I ask] is anyone shocked that we can tell what you are doing on the internet? You have no idea who is controlling that network.”
While Wi-Fi can be convenient, it is easy to spy on a user’s web traffic, he said.
WHY IT’S CRUCIAL TO BE CAREFUL
“Your email account is a very valuable asset to a hacker,” Groff said.
Once hackers have a person’s email account, they can gain access to all kinds of financial information, including purchases, bank data and investments.
“That is your reset mechanism for many things,” Groff said. “Don’t think of it as ‘just my email.’ This is sort of like the triangulation point for all the products and services you use on the internet.”
TRY TEXTING INSTEAD
For a confirmation source, text messages are safer, Groff said.
“If I wanted to steal someone’s identity, the first thing I would steal would be their email address,” he said.
For “bad guys,” there is no cost to send out fund transfer requests, and they often can send thousands at a time, Horn-Mitchem said.
“If you are a law firm, you are continuously getting wire transaction emails,” he said.
STEPS TO TAKE
Companies should be very careful about the format they use for employers to make requests for wire transfers, Groff said.
Email is not the way to make that happen, according to Groff. Employers should make these requests in person or by phone.
Many companies are following this method. As an example, many title companies in their boilerplate email messages say they do not accept transfers of funds through email, he said.
Employers should be very clear about how they are going to accept wire transfers and clearly spell that out for employees, Groff said.
TONE OF THE MESSAGE
Horn-Mitchem said he often stresses that employees should be aware that when they get emails, they should pay attention to the style and tone used in the message. Criminals will often use an aggressive style of language, similar to what they think a boss or supervisor would use, and often impose a tight deadline for wiring funds.
A good strategy is to call or talk to the employee in person to determine who sent the email, he said.
Also, executives should use an official banking app for purchases instead of a website.
Most financial institutions publish their official banking app on the Apple app store and the Google Play store. Those organizations had to go through a level of rigor to do so, and they usually include many security features, Horn-Mitchem said.
While banking apps are fairly secure, an executive’s credentials could still be stolen, said Diane Brown, chief administrative officer for Penn Community Bank, based in Buckingham Township.
Penn Community Bank has anomaly detection software in place that allows the bank to see unusual transactions, she said.
“We do our best to protect against fraud, but we depend on our business partners and we also try to educate our business owners,” Brown said.
IS IT STANDARD PRACTICE?
Brown offered more banking security tips for executives, particularly for wire fraud attempts. Executives should determine whether the request is in line with their business practices.
Executives should also determine whether the request is coming from a vendor that normally asks for wire transfers.
One way to confirm if the request is authentic is for executives to call the person back to verify that everything is as it should be, she said.
Limiting the number of people in the company who can approve wire transfers also is helpful, she said.
SUPPORT THOSE WHO ARE WARY
Executives should pay attention to the emails of their business partners, as those accounts can sometimes be hacked.
Brown also stressed the importance of coaching employees and ensuring they are aware.
“Be tolerant of your employees and supportive if they question something,” she said.
Groff also recommended that employers not get angry with employees who question financial transactions.