Business scams and fraud attempts are on the rise — especially ACH and wire fraud, in which scammers use nefarious means to try to trick you into sending them money electronically. So how do you keep your business safe from those who want to wreak havoc? Along with best practices from our friends at the National Automated Clearing House Association (NACHA), we’ve added some tips of our own and built this resource to help you protect your company from falling victim. You’ll also find a roundup of three up-and-coming scams to keep your eye out for. Let’s dive in!
Best practices against ACH and wire fraud
Verify by phone before you send funds. ALWAYS call the vendor, business partner, or colleague directly to verify the payment information. Use previously known numbers you know are correct — even across different time zones — and not the numbers provided in an email or text request. Never initiate any changes based only on email or text communication.
Be cautious of new payment information. Beware of email requests instructing a routine wire payment to be sent to a new account.
Verify before clicking on a link or opening an attachment in an email or text. It may appear to be from someone you know, but it may be a fraudster phishing for your password, business bank account, or other sensitive information. Extra caution: The link may contain malware.
Double-check the email address. Fraudsters are tricky and can create email addresses that look very similar to the legitimate account. They often find naming conventions for a company’s email accounts on its website and use those to fool you — inspect closely!
Do not respond to email as verification. Don’t reply to the requester by email. The fraudster either controls the spoofed email account or has gotten access to the valid email account and can write back, making it look legitimate when it’s really not.
Beware of a sense of urgency. Usually fraudsters will indicate that the funds need to be wired right away. These requests often ask that the client be contacted only through email instead of other channels.
Know and trust who you are working with. Before doing business with a new company, search the company’s name online with the term “scam” or “complaint.” Read what others are saying about the company. Only purchase merchandise from reputable dealers or establishments.
Be wary of using free, web-based email accounts for your business, which are more susceptible to being hacked. Make sure at least two-factor authentication is available.
Be careful when posting information to social media and company websites, as fraudsters may use this information to deploy new tactics.
Limit the processing of your financial activities to as few machines as possible, and limit other activities, such as web surfing, on those machines as well.
Consider financial security procedures that include a two-factor authentication process or dual control for electronic funds transfers.
Create intrusion detection system rules that flag emails with extensions that are similar to company email but not exactly the same (for example, .co instead of .com). If possible, register all Internet domains that are slightly different from the actual company domain.
Know the habits of your customers, including the reason, detail, and amount of payments. Beware of any significant changes.
Consider frequent and regular patching of your business systems.
Use a quality next-gen antivirus solution — one that watches for behavior anomalies and not just signatures.
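The rule recommended above, flagging sender domains that are similar to the company domain but not exactly the same, can be sketched as follows. This is an added example, not code from UBT or NACHA; the domain examplecorp.com, the function names, the substitution list, and the distance threshold of 2 are all assumptions to adapt to your own mail flow.

```python
from email.utils import parseaddr

COMPANY_DOMAIN = "examplecorp.com"  # assumption: placeholder for your own domain
# A few common visual substitutions (not exhaustive), collapsed before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
# Constructed sample From: headers, not taken from real mail.
SAMPLES = ['"Pat Lee" <pat@examplecorp.com>', '"Pat Lee" <pat@examplecorp.co>',
           "AP <ap@examp1ecorp.com>", "Billing <bill@exampelcorp.com>",
           "News <hello@unrelated.org>"]

def skeleton(label):
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Count inserts, deletes, substitutions and adjacent swaps from a to b."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1,
                          d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def classify_sender(from_header, company=COMPANY_DOMAIN, max_distance=2):
    """Return 'internal', 'external' or 'lookalike:<reason>' for a From: header."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    if domain == company or domain.endswith("." + company):
        return "internal"
    labels = domain.split(".")
    if len(labels) < 2:
        return "external"
    # Simplification: compare the label left of the last dot; multi-part
    # suffixes such as .co.uk need a public-suffix list instead.
    name, real = labels[-2], company.split(".")[-2]
    if name == real:
        return "lookalike:tld-swap"  # e.g. .co instead of .com
    if skeleton(name) == skeleton(real):
        return "lookalike:confusable-chars"
    if edit_distance(name, real) <= max_distance:
        return "lookalike:near-miss"
    return "external"

def flag_lookalikes(headers):
    """Return (header, verdict) pairs for senders imitating the company domain."""
    verdicts = ((h, classify_sender(h)) for h in headers)
    return [(h, v) for h, v in verdicts if v.startswith("lookalike:")]
```

Calling flag_lookalikes(SAMPLES) returns the three imitating senders and skips both the genuine internal address and the unrelated external one. A short company name will produce more near-miss false positives, so lower the threshold for it.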
Scams to watch out for
Business email compromise (BEC) and phishing scams. BEC scams target companies that may make wire transfers to suppliers and businesses. BEC scams begin with a criminal sending a phishing email to a company which seems to be from someone they know. The employee clicks a link, or provides their password, business bank account, or other sensitive information, and the fraudster gains access to the employee’s email account. The fraudster will monitor that employee’s email for a period of time and determine who initiates wires and who requests them.
Senior executive spoofing scams. In this type of scam, a company employee will receive a transfer request via email from what appears to be a high-level executive. The domain will look very close to the company’s domain (see our fourth point above), and the message appears to be an email from the CEO or similar company manager. However, the request is actually coming from a hacked email account, or an account that has been “spoofed” to appear legitimate. The fraudster creates a sense of urgency and rushes the employee into making a quick decision to send the transfer before researching and verbally confirming the request.
Vendor spoofing scams. An employee receives an email or phone call from a trusted vendor requesting a change in payment instructions. Without due diligence and validation processes to confirm the request, the employee transfers the funds to the fraudster’s bank account. Usually these wire requests closely mimic a legitimate request that you’d typically receive from that supplier.
At UBT, we’re committed to helping our commercial customers stay on top of the latest threats to your success. Whether it’s information about safeguarding from fraud or offering products and services to keep your business transactions secure, we’re here for you — so don’t hesitate to reach out with any questions. After all, with UBT, your business has people.