Q: Where can I report people who聽are sending my company fake wire transfer scam messages?
A: One of the fastest-growing Internet banking scams that specifically targets businesses is a very clever form of wire transfer phishing fraud.
Heartland Financial, the parent company of more than聽90 community banks, says the typical scenario involves a member of the accounting department getting an email message from what appears to be the CEO, CFO or other high-ranking executive within the company asking them to prepare聽a wire transfer.
The scammers generally study their victims before the scam, so they know the names and email addresses of the people in the company most likely to be involved in accounting processes.
The variations that I鈥檝e seen over the years always spoof the sender鈥檚 address, so if the recipient isn鈥檛 paying attention, they simply assume it鈥檚 a legitimate request.
In some cases, the request will come while the CEO/CFO is out of town, so as to minimize the chances that an offline conversation would expose the scam (credit social media posts for this ability).
Despite clear red flags such as strange salutations or improper grammar, enough accounting departments have fallen for this scam to encourage the scammers to increase their efforts.
The popularity of social networks such as LinkedIn and Twitter makes the 鈥渞esearch鈥 portion of the scam much easier, and some have speculated that news releases or news stories can be the initial clue that a company can be targeted.
If someone in your organization falls for these clever social engineering scams, it could be very costly.
鈥淭he reality is that when this happens, if it goes more than a business day or two from the time the funds are sent, we never get the money back,鈥 said Greg Normington, Heartland’s vice president of treasury management and product manager.
You can report these scam messages at a number of places, but the sheer volume of this type of activity makes it pretty unlikely that much will happen.
My accounting department recently received a scam wire transfer request message that claimed it was from me, so I had them play along so we could get the bank name and account and routing numbers that the scammers were attempting to use.
With this specific information, I contacted the listed bank by phone and emailed the information to their fraud department, but later found out that the best way to report the information is in person at a bank branch (not of your own bank, but of the bank being used by the scammers).
We determined that the account number was valid, but couldn’t find out whether it was set up by the scammers or a legitimate account that the owner didn鈥檛 realize had been compromised.
As a preventive measure against this growing scam, it鈥檚 highly recommended that all businesses set up dual controls or other extended approval methods for聽wire transfers.
Companies should also聽consider moving away from email as an interoffice communication standard 鈥斅爄t鈥檚 the most common threat vector these days.
Private networking and messaging platforms are plentiful and worth considering for all organizations.
Ken Colburn is founder and CEO of
