March 6, 2017

Avoiding Cyberfraud: The “supplier swindle”

Posted in Cybersecurity by Gene Killian

Awhile back, I read the entertaining novel “Sutton” by J. R. Moehringer.  It’s based on the life of the famous bank robber Willie Sutton. One thing’s for sure:  Willie would’ve loved the Internet.  To paraphrase a famous saying that he may or may not have actually said, the Net is “where the money is”...and, as an added bonus, the fraudster doesn’t have to pull a gun on anyone in order to walk off with the cash.

There are unfortunately a lot of Cyber-Willies out there, and they can wreak havoc on your business. Because we do a lot of insurance coverage work, we currently have several insurance claims in the office involving social engineering scams.  So I thought I’d give our readers a brief overview of one currently popular type of scam, the “supplier swindle,” and some common sense on how to avoid it.

(By the way, do you think this type of stuff can’t happen to you?   According to a recent Verizon study, 30 percent of “phishing” emails get opened.  That incredible click-through rate explains why bad guys continue to use these types of attacks:  They work.)

In one of our claims, for example, our client received an email that appeared to be from one of its legitimate suppliers, a company located in China.  The e-mail asked that funds be forwarded to a certain account to pay down accounts receivable. Unfortunately, a fraudster had slightly changed the email address of the supplier (“spoofing,” in technospeak), and the account number had been set up solely to receive stolen funds.  Next thing you know, the client was out half a million dollars.  The insurance claim is pending, but as you may know from reading our other blog, if the carrier can figure out a way to avoid covering, it will.  Want to stay sane? Stay away from having to file insurance claims!

The “supplier swindle” is a very common scam.  A recent Public Service Announcement from the FBI warns:

A business, which often has a longstanding relationship with a supplier, is requested to wire funds for invoice payment to an alternate, fraudulent account. The request may be made via telephone, facsimile, or e-mail. If an e-mail is received, the subject will spoof the e-mail request so it appears very similar to a legitimate account and would take very close scrutiny to determine it was fraudulent. Likewise, if a facsimile or telephone call is received, it will closely mimic a legitimate request. This particular scenario has also been referred to as “The Bogus Invoice Scheme,” “The Supplier Swindle,” and “Invoice Modification Scheme.” 

Here are a few ways to short-circuit the scam:

  1. Confirm. Don’t trust any e-mail requesting a funds transfer to a specific account number, even if it looks like it comes from that vendor you just spoke with on the phone. Always call the actual company you’re dealing with to confirm that the request is legit, and to confirm account numbers - better safe than sorry. When you recognize a fraudulent message, alert everyone at your company (and NOT by forwarding the e-mail to them!), delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing any websites or fraudulent links.
  2. Carefully check names. Cyber-Willies will often use a sender's email address that’s similar to, but not the same as, a legitimate company's official email address. They can often figure out your company’s contacts through social media like LinkedIn.  (By the way, train your employees not to publish sensitive personal or corporate information on social media.)  Sometimes, your address may not even appear in the “to” line; the e-mail may simply be sent to “undisclosed recipients.”   You should also be skeptical of generic greetings like "Dear Customer" or "Dear Member." Legit companies usually use your actual name in their email greetings.   If it looks suspicious…it probably is.
  3. Cyber-Willies stink at spelling. In the movies, bad guys can’t shoot straight.  In cyberworld, bad guys often use poor grammar and spell words incorrectly.  If the email contains spelling or grammar errors, the chances increase that it’s a scam. 
  4. Cyber-Willies don’t want you to be patient. Bad guys are like bad (annoying) salespeople.  They want you to act quickly and without thinking. The more time you have, the harder it is for them to close the “sale.”  So they try to convince you that if you don’t act RIGHT NOW, the fate of civilization is at stake.  They say things like "Urgent action required!" or "Your account will be closed!"  If someone’s being pushy…red flag. 
  5. The incredible changing account number! In one of the supplier swindles we have in the office, Cyber-Willie emailed an account number at a legitimate bank for payment of invoice No. 1. At the time, there were two other open invoices. After receiving the first transfer, Cyber-Willie emailed our client and said that the account number had been changed. After our client paid Invoice No. 2, Cyber-Willie emailed our client that the account number had been changed again, and that the new account number should be used for payment on Invoice No. 3.  Legit companies don’t change their bank account numbers every day! Red flag.
  6. If you get hit, notify your carrier. Never assume that you don’t have insurance coverage for a loss. While it’s best to have stand-alone cyber-coverage, you may have insurance for certain kinds of cyber-losses through your standard crime policy (check, for example, the “computer fraud” coverage).  Give notice early and often. 
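As an added example (not from the post or from any vendor's product), here is the kind of check an accounts-payable team could run on a payment-instruction e-mail before anyone picks up the phone: it applies tips 2, 4 and 5 above by comparing the sender's domain and the requested bank account against a vendor master record. The vendor record, the similarity threshold and the keyword lists are constructed assumptions; the real ones come from your accounting system.

```python
import re
from difflib import SequenceMatcher

# Constructed vendor master record: the approved e-mail domain for each supplier
# and the bank account on file for it (assumption; real data lives in the ERP).
VENDOR_MASTER = {
    "acme-supply.example": "111222333",
}

# Threshold for "similar to, but not the same as" an approved domain (assumption).
LOOKALIKE_RATIO = 0.8
URGENCY = re.compile(r"urgent action required|account will be closed|right now", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|member|sir|madam)\b", re.I | re.M)


def sender_domain(address):
    """Everything after the last '@', lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def match_vendor(domain):
    """Return (approved_domain, is_lookalike), or (None, False) for an unknown domain."""
    if domain in VENDOR_MASTER:
        return domain, False
    for approved in VENDOR_MASTER:
        # Near-miss spellings such as a dropped or swapped letter score close to 1.0.
        if SequenceMatcher(None, domain, approved).ratio() >= LOOKALIKE_RATIO:
            return approved, True
    return None, False


def review_payment_request(sender, body, requested_account):
    """Return the red flags raised by one payment-instruction e-mail.
    An empty list means nothing tripped; anything else means stop and call the
    supplier on a number you already have before any money moves."""
    flags = []
    vendor, lookalike = match_vendor(sender_domain(sender))
    if vendor is None:
        flags.append("unknown_domain")
    else:
        if lookalike:
            flags.append("lookalike_domain")
        if requested_account != VENDOR_MASTER[vendor]:
            flags.append("account_changed")  # new account for a known supplier
    if URGENCY.search(body):
        flags.append("urgency")
    if GENERIC_GREETING.search(body):
        flags.append("generic_greeting")
    return flags
```

Note that a request from the genuine supplier domain with a new account number is still flagged: the account-change rule does not depend on the sender looking wrong, which is what catches the "incredible changing account number" pattern.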

Willie Sutton supposedly also said (about robbing banks): “Success in any endeavor requires single-minded attention to detail and total concentration.” 

That’s what you need to avoid cyber-fraud, too.