As business owners and executives, we create vision, solve problems, and remove barriers to success. We also ask our people to do things for us. But what if you asked your CFO or bookkeeper to handle a payment to a vendor via email? Would they do it without asking questions?
Networking firm Ubiquiti Networks Inc. sent $46 million via international wire transfers before it realized that the executive who “requested” the transfers hadn’t really requested them. The company was hit by a man-in-the-email (MITE) attack, a sophisticated and increasingly common scheme that targets businesses that make payments by wire transfer. Closer to home, we have a handful of clients that have seen this type of attack, and a few that came very near to wiring close to $20,000 in funds they thought their executives had requested.
The FBI states that this type of fraud, also called CEO Fraud, has cost American businesses well over $200 million annually. But this type of MITE attack cannot be easily picked up by any of the automatic layers of security that we provide clients. Firewall and DNS security technologies cannot prevent this type of attack. Email security and endpoint protection on your PCs, Macs, mobile devices, and tablets cannot thwart this type of scheme. Even if the bookkeeper replies to the email to confirm the request, that will not necessarily stop it. Many times, the scammers will set up a look-alike domain, with perhaps one letter changed for a number or a different top-level domain (e.g. solutionworx.co used instead of solutionworx.com), so the reply goes straight back to the scammers.
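The look-alike pattern described above (a digit swapped for a letter, or a different top-level domain) can be checked mechanically when reviewing sender addresses. The following is an added example, not part of the original article; the substitution table, function names, and all sample addresses other than the two solutionworx domains are assumptions.

```python
# Added example: classify a sender's domain against the organisation's real domain.
# The substitution table and function names are illustrative assumptions.

# Digits commonly swapped in for similar-looking letters (assumed, not exhaustive).
DIGIT_TO_LETTER = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def split_domain(domain):
    """Split 'name.tld' into (name, tld); assumes a bare domain with a one-label TLD."""
    name, _, tld = domain.lower().strip().rstrip(".").rpartition(".")
    return name, tld


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender, trusted="solutionworx.com"):
    """Return 'trusted', 'lookalike-tld', 'lookalike-name' or 'unrelated'."""
    domain = sender.rsplit("@", 1)[-1]
    name, tld = split_domain(domain)
    t_name, t_tld = split_domain(trusted)
    if (name, tld) == (t_name, t_tld):
        return "trusted"
    if name == t_name:
        return "lookalike-tld"    # same name, different top-level domain
    if name.translate(DIGIT_TO_LETTER) == t_name or edit_distance(name, t_name) <= 1:
        return "lookalike-name"   # digit-for-letter swap or one-character change
    return "unrelated"


# Constructed sample senders for illustration.
SAMPLES = ["ceo@solutionworx.com", "ceo@solutionworx.co",
           "ceo@so1utionworx.com", "billing@example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:28} {classify_sender(s)}")
```

A message flagged as a look-alike is a prompt for the verbal confirmation step, since the reply address belongs to whoever registered that domain.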
The best way to avert this type of attack is to have a quick discussion with anyone who handles funds on your company’s behalf. Let them know that you require a verbal confirmation before any money transfers are made over some predetermined amount.
Maybe the number you save isn’t $46 million, or even $20,000, but a quick 30-second discussion could save you from becoming the next victim.