Protecting your business from email-based fraud
Financial planners handle significant amounts of money, have links to both customers and financial institutions and, increasingly, deliver many of their services online. This makes them very attractive targets for cyber criminals.
The threat of email fraud for businesses is very real, and it’s growing. According to the FBI, in the United States the amount of money stolen by cyber criminals who target business email addresses has increased over 300% in just two years. Globally, $5.3 billion has been targeted in the last three years by criminals using a type of fraud called Business Email Compromise (BEC).
Australian businesses are far from safe - we’re the second most targeted country for these attacks, behind the US.
The good news is you can take some simple steps to keep your money and your business safe.
Types of email-based fraud
Business Email Compromise (BEC)
Also known as ‘CEO phishing’, BEC is when an email appears to come from a senior person in a business such as a Chief Executive Officer (CEO) or Chief Financial Officer (CFO), requesting an urgent transfer of funds.
By making the email appear to come from a very senior person, the criminals are hoping the recipient will action it quickly without verifying the request.
From: Company CEO <email@example.com>
Date: 28 February 2018
To: Undisclosed recipients
Subject: MESSAGE FROM CEO
Reply-To: Company CEO <firstname.lastname@example.org>
Are you at your desk? I need to process a fund transfer of $46,274.00 for me immediately. Kindly code it to admin expenses by COB today.
Sent from my iphone
In another scenario, a business receives an emailed invoice from a supplier whose email account has been compromised by a criminal. The invoice looks legitimate so the business doesn’t question the payment details, and sends the payment to the criminal’s account.
Another variation of invoice fraud is when a business receives a request from a supplier to cancel a recent payment and to make the payment to a new account instead.
How does email fraud work?
First, cyber criminals look for information on organisations. They find employee names and job titles, company structures and job descriptions on company websites and social networking sites like LinkedIn.
They then use this information to craft convincing emails requesting payments.
These fraudulent emails are normally sent to a small number of targeted recipients. This means the emails are often missed by email spam filters, which look for large volumes of identical messages.
These emails can be sent from:
- a simple email address such as ‘email@example.com’;
- an email address very similar to the senior business person the criminal is impersonating, but with a slight variation which is easy to miss. For example firstname.lastname@example.org instead of email@example.com;
- what appears to be the correct email address, but when the victim replies, the email is sent to a different reply-to address;
- the impersonated sender’s real email address. This can happen if the criminal has stolen the email credentials from a previous phishing email or by malicious software.
In this last example, the criminal can set up a rule in your mailbox so all emails are forwarded to them without your knowledge. This allows the criminal to keep tabs on your business activity and spend time learning how you communicate. They can then work out the type of requests you might make or respond to. By studying your behaviour, criminals are able to mimic real requests, meaning their fake request won’t seem out of the ordinary.
Take these 7 simple steps to protect your financial planning business
1. Empower your team
Your employees are the first line of defence against cyber attacks. Teach them to recognise and know what to do with suspicious emails, text messages and phone calls. Criminals try to convey authority by impersonating someone senior in your business, or create panic by insisting a matter is urgent.
Empower your employees to trust their instincts and question emails, even if they appear to have come from someone senior. If an email request doesn't sound right, is unexpected, presses for urgent action, or has an unusual tone, staff should be encouraged to question it. No one knows their colleagues, clients and suppliers better than your team.
2. Raise awareness
Help your people understand more about the tricks and scams of fraudsters. If your business gets a CEO phishing email or fake invoice, share it around so your employees know what to look out for in the future.
3. Create safe payment processes
It’s important that your business verifies payment requests or changes to payment details. Create a process that requires the receiver to check the requester’s email address carefully, and to call them to confirm the request using the contact details you have on file. This is especially important if payment details have changed or if a request seems out of the ordinary. Once confirmed, you can safely action payments or changes to account details.
4. Check your email settings
Check your email account settings for any auto-forward rules that you didn’t set up.
5. Keep your software up-to-date
Cyber criminals always try new ways to outsmart anti-virus software, so it's vital you have the most up-to-date version. Set your anti-virus software to auto-update so it is always current, and keep the apps on your computers and devices up to date too.
6. Use strong passwords and 2FA
Using strong passwords and two-factor authentication (2FA) will protect your email account. Two-factor authentication adds an extra layer of security by requiring a second authentication method, such as a code sent to your mobile phone via SMS. This means that even if someone steals or guesses your password, they will not be able to get into your account because they will not have the 2FA code.
7. Review your business' online profile
Do an audit and limit the amount of publicly available information on your organisation’s websites and social media pages, such as LinkedIn. Focus on minimising the display of your employees’ contact details.
It’s vital that financial planners remain alert to suspicious customer behaviour. This could include:
- emails that appear different in terms of tone, language, terminology or spelling;
- an unexpected switch from phone calls to email;
- a request for urgent action; and
- an email request to send funds overseas.
Supporting adviser awareness
MLC and its associated advice licensees have a critical role to play in supporting the awareness and education of advisers, support staff and clients on these issues. These types of cases have been highlighted within their advice licensee network for several years and a webinar series was recently completed for all firms across our advice network.
To find out how MLC Licensee Network is helping their financial advisers, contact one of our Business Growth Managers today.
This article has been prepared by Consultum Financial Advisers Pty Ltd ABN 65 006 373 995 AFSL number 230323 and Godfrey Pembroke Group Pty Ltd ABN 38 078 629 973 AFSL 245451, each of which is a member of the IOOF group of companies. IOOF does not guarantee or otherwise accept any liability in respect of Consultum Financial Advisers Pty Ltd or Godfrey Pembroke Group Pty Ltd or any services provided by them.