Even the savviest business owners can fall victim to fraud. The Association of Certified Fraud Examiners estimates that, “U.S. businesses will lose an average of 5% of their gross revenues to fraud” with small businesses hit the hardest. But knowledge is power, and Heritage Bank has the resources to inform and protect local businesses of any size.
“Fraud typically starts with spear phishing, social engineering, hacked emails, or a combination of the three,” says Director of Digital Services Sarah Salva. “The victim employee will respond to an email that appears legitimate carrying out payment instructions. Often the email address is spoofed and appears to be from a legitimate source like a CEO, CFO, internal employee, or vendors, but in fact is from the fraudster. They will request a new wire/ACH payment or update an existing payment.”
And while it’s vital for businesses to have a strong, vibrant online profile, putting too much information out there can lead to vulnerabilities. “We have seen an increase in fraudsters leveraging information found through online searches,” explains Salva. “They will use this information to impersonate an individual and update payment instructions to third parties or payroll.”
Many of these illegal activities use intermediary malware to get in the digital back door. Salva says that sometimes victim employees click on malicious links or download attachments while other times the use of office computers for shopping or accessing social media is the culprit. “Social media and eCommerce are two of the top five industries targeted by phishing attacks,” she cautions.
Hackers are constantly changing and evolving but there are a few consistent red flags. Salva warns to avoid emails:
- Received from an individual or business that does not normally correspond that way.
- Marked secret or confidential.
- With a sense of urgency to make an immediate payment.
Employees and managers should be on the lookout for requests coming from slightly different variations in the email address, a scam called spoofing, or misspellings of key items like the company name. Even errors in grammar, typos, and the use of unusual words and phrases can be a red flag.
Changes in tone or breaks from the norm are also problematic. If a supposed client or customer suddenly:
- Makes persistent requests for payment instructions and/or changes to payments;
- Communicates only in email and refuses to communicate via telephone or in person; or
- Requests to circumvent standard procedures.
“These are often scammers in disguise,” says Salva.
If you think your business has been targeted, notify your financial institution immediately she says. Perform security scans of your computers and networks, notify your insurance carrier if applicable, and “as soon as possible, file a complaint with the FBI’s Internet Crime Complaint Center.”
Heritage Bank business customers have multiple resources available in cases of fraud. “Heritage Direct, our commercial online banking system, offers dual control throughout the platform,” says Salva. “Including user creation, user permissions, internal transfers, ACH origination, wire origination, and fraud mitigation products. There are also various alert notifications that can come from within Heritage Direct that help identify payments and transfers that have been approved. The system allows for added customization on who can receive the alert, how they receive it, and the subject line of the alert.”
They also offer positive pay services to combat check fraud. “Positive pay allows a company to work together with its financial institution to detect check fraud by identifying payments the company never issued or checks that do not exactly match those they did issue. A positive pay file is created containing bank-defined information like check number, date, amount, and payee. This file is configured to meet the bank’s format requirements and is transmitted to the bank using our online banking platform. As checks are received for payment, the bank verifies the information on each check against the positive pay file and pays only those with a perfect match. Checks that don’t match are rejected and an exception report is sent back to the company for pay/no pay decisions.”
But with fraud, the best defense is a good offense. Salva recommends avoiding free web-based email programs, setting company policies for non-work computer use, educating employees of red flags, and establishing alternate communication channels, telephone over email for example, to verify significant transactions or relay sensitive information.
“We have local experts available to help,” adds Salva. “Our treasury experts deliver value by being industry resources who are adept at packaging optimal sets of treasury management solutions that focus on solving real world business needs. Now is a great time to have an expert help you with an operational review and provide recommendations that best fit your business. This review will help you identify opportunities to improve collection of receivables, monitor and manage liquidity, optimize payments, improve data management and reconciliations, and fraud mitigation.”