
You’ve seen numerous articles warning you about the dangers of Business Email Compromise (BEC), but have you heard of payment re-direct scams? You know your small organization is in the crosshairs of cyber criminals because, unlike big municipalities and businesses, you don’t have the staff or the resources to focus on cyber security around the clock. But how do the scammers worm their way into your business?
Some small Ohio towns perfectly illustrate how BEC can happen to you. In November, an Athens city employee received an email requesting a change in how Pepper Construction Company was being paid for work on a new fire station. It seemed like a reasonable request to switch from issuing time-consuming paper checks to direct deposit to enable the company to pay its subcontractors more quickly.
The city sent the appropriate form to enable direct deposit to that email address. The scammers filled out the form, and the next deposit landed in their account, not the construction company’s account. How did they manage it? The criminals created a fake email account that transposed two letters of the legitimate Pepper Construction email address. The cost? Potentially $700,000. Scammers move money from account to account rapidly until it disappears into offshore accounts. In this case, $350,000 was left in the account, but the courts may rule that the money belongs to a Florida business that got scammed simultaneously.
In a similar payment re-direct scam, the Granville Recreation District lost the equivalent of half its annual operating budget to cyber criminals. On December 22, 2023, according to the Granville police report, someone “entered into an email thread and provided information” for “payment of services rendered. This was a fraudulent account, and the funds were wired to it.” The crime was not discovered and reported until January 30, 2024, and the money was long gone. The cost? $713,093.14.
West Clermont Schools lost $1.7 million to scammers. The school district’s official statement, posted after months of investigation, reads: “In December 2023, the West Clermont Local School District learned it was the victim of a sophisticated cyber-attack, classified as social engineering, that is anticipated to result in an approximate $1.7 million net loss. International criminals drive many attacks of this nature… a threat actor diverted several Automated Clearing House (ACH) electronic payments to multiple bank accounts not owned by a district vendor.”
In the last two years, at least 23 small government offices, including cities and schools, have been targeted in Ohio. The problem is so prevalent that the state auditor has issued the following advice and cautioned that employees who do not follow it may be held liable for losses incurred due to negligence or performing duties without reasonable care.
Preventing Payment Re-Direct Scams and BEC Crime
- Stop and consider: Does the change request make sense? Does this email address exactly match other communications from this organization?
- Never change vendor, financial institution, employee’s contact or banking information without independent verification. Avoid taking redirect requests by electronic means.
- Never use email or embedded phone numbers to verify change requests.
- Always require in-person verification of employee payroll redirects. Never take such requests electronically.
- Request in-person verification for change requests for payment information. Have the vendor come to the office in person to provide redirect payment information. Where the vendor is not personally known to the paying agent, you should have a second person from the department that deals with the vendor personally verify the identity and confirm the change request.
- If circumstances prevent verifying identity and contact information in person, use extreme caution and rely only on a contact person and telephone number that you have independently verified through separate sources. Do not use contact information from the change request; instead, find a phone number from a validated source, such as a prior invoice or a regularly updated employee or vendor contact information listing.
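The Athens case above hinged on a sender address with two transposed letters, and the first checklist item asks whether an address exactly matches earlier communications. The following added example (not from the article or from Commonwealth Sentinel) automates that comparison: it scores an incoming sender against a vendor master list with an edit distance that counts a swap of adjacent characters as a single edit, so a transposed pair in the address or its domain is flagged. The vendor list and sample addresses are constructed placeholders.

```python
from typing import Optional

# Constructed placeholder addresses standing in for a vendor master list.
KNOWN_VENDORS = {
    "accounting@pepper-construction.example": "Pepper Construction Company",
    "billing@roofing-co.example": "Roofing Co",
}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion, substitution
    or swap of two adjacent characters each counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def classify_sender(sender: str, max_distance: int = 2) -> tuple[str, Optional[str]]:
    """Return ("known", vendor) for an exact match, ("same-domain", vendor) for
    an unlisted mailbox at a vendor's real domain, ("lookalike", vendor) when
    the address or its domain is within max_distance edits of a vendor entry,
    and ("unknown", None) otherwise. Anything but "known" should trigger the
    out-of-band verification steps before any banking details are changed."""
    sender = sender.strip().lower()
    if sender in KNOWN_VENDORS:
        return "known", KNOWN_VENDORS[sender]
    sender_domain = sender.rpartition("@")[2]
    best = None
    for addr, vendor in KNOWN_VENDORS.items():
        # Check the whole address and the domain alone: a near-miss domain
        # with a plausible new mailbox name is the usual pattern.
        dist = min(damerau_levenshtein(sender, addr),
                   damerau_levenshtein(sender_domain, addr.rpartition("@")[2]))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, vendor)
    if best is None:
        return "unknown", None
    return ("same-domain" if best[0] == 0 else "lookalike"), best[1]
```

Run `classify_sender("accounting@pepepr-construction.example")` to see the transposed-letter case flagged as a lookalike of the listed Pepper Construction address.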
Of course, adequately training your staff is key to preventing payment re-direct scams and other cyber crime. Commonwealth Sentinel Cyber Security can do that. It is not enough anymore to send out an organization-wide email and hope your people read and follow it to the letter. Professional training by someone who can directly connect with your employees and answer their questions is essential. As our founder, Sheri Donahue, says, “Cyber security is a journey, not a destination.”
Commonwealth Sentinel can assist your organization in staying secure. To schedule a consultation, contact us at (502) 320-9885.
At Commonwealth Sentinel, we are focused on cyber security so that you can focus on other things.