Not everything is as it seems. On October 31st, we expect this, but what about every other day of the year?
Obinwanne Okeke, sentenced earlier this year to ten years in prison on wire fraud charges, transferred over $10 million out of a company in the United Kingdom.[1] Not long ago, a family member of mine was closing on her house. In the flurry of paperwork, she received a last-minute email from the closing company notifying her of an account number change for her down payment. Thinking nothing of it, she complied—and still has not been able to recover the tens of thousands lost.
Perhaps you can see the connection. If not, let me make it simple: Business Email Compromise has cost businesses in the US over $2 billion,[2] and even more globally.[3] “Business email compromise (BEC) is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional.”[4] While “tens of thousands lost” may not sound like much for a large corporation, it has long-lasting repercussions for individuals or small businesses. On average, the stakes are even higher: Palo Alto estimates that “the average wire fraud attempted was $567,000 and the highest was $6 million.”[5]
As small and mid-sized businesses continue to experience cyberattacks, this is not something we can afford to ignore. Using an email address made to look like someone the targeted staff interacts with (potentially a supervisor or vendor), criminals play on the trust relationships within organizations to get what they want. Who wants to question their CEO or CFO when they request a change of email address or an updated account number? We should.
Multi-factor authentication is foundational to good cyber hygiene, and the same principles apply here. In our business relationships, we need to prepare for the moment when the person we are interacting with is not who we think they are. At a previous employer, we took this seriously by requiring a phone call verification for any emails requesting an account number change (internally or externally) or anything of that nature. By calling the number on record, not an alternative one provided by the potential criminal, we could verify identity and instruction details. In addition to the rules of good cyber hygiene, protect your small business by remembering that not everything is as it seems.
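The verification rule described above, as an added example that is not part of the original post: a small gate that flags any email requesting a payment-detail change, notes when the sender address merely resembles a known contact, and returns the phone number on record (never one supplied in the email) that must be called before acting. The contact directory, phrases and addresses are constructed for illustration.

```python
import difflib
from dataclasses import dataclass, field
from typing import Optional

# Constructed contact directory: the "number on record" for each known counterparty.
CONTACTS = {
    "cfo@example-corp.com": {"name": "Dana Lee", "phone": "+1-555-0100"},
    "billing@acme-vendor.com": {"name": "Acme Billing", "phone": "+1-555-0199"},
}

# Phrases that mark a request as high-risk (change of payment or account details).
HIGH_RISK_PHRASES = ("account number", "new bank", "wire instructions", "updated routing")


@dataclass
class Decision:
    require_callback: bool
    callback_number: Optional[str]          # number on record, or None if unknown
    reasons: list = field(default_factory=list)


def lookalike_domain(sender: str) -> Optional[str]:
    """Return a known domain that the sender's domain closely resembles, if any."""
    domain = sender.rsplit("@", 1)[-1].lower()
    known = {addr.rsplit("@", 1)[-1] for addr in CONTACTS}
    if domain in known:
        return None
    close = difflib.get_close_matches(domain, known, n=1, cutoff=0.8)
    return close[0] if close else None


def assess_request(sender: str, display_name: str, body: str,
                   reply_to_phone: Optional[str] = None) -> Decision:
    """Decide whether a request needs out-of-band verification and which number to call."""
    sender = sender.lower()
    if not any(p in body.lower() for p in HIGH_RISK_PHRASES):
        return Decision(False, None, ["no payment-detail change requested"])
    record = CONTACTS.get(sender)
    if record is None:
        reasons = []
        mimicked = lookalike_domain(sender)
        if mimicked:
            reasons.append(f"sender domain resembles known domain {mimicked}")
        if display_name.lower() in {c["name"].lower() for c in CONTACTS.values()}:
            reasons.append("display name matches a known contact but address does not")
        reasons.append("sender not in contact directory; no number on record, escalate")
        return Decision(True, None, reasons)
    reasons = ["payment-detail change must be verified by calling the number on record"]
    if reply_to_phone and reply_to_phone != record["phone"]:
        reasons.append("email supplies a phone number that differs from the record; ignore it")
    return Decision(True, record["phone"], reasons)
```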