Do you think your email blocking software will stop all phishing emails? Think again.
In April of 2024, the deposit for two new ambulances for the Rockville Volunteer Fire Department was wired to cybercriminals instead of the real vendor. According to the ABC News 7 article “Rockville Volunteer Fire Department loses $220K to cybercriminals in email scam”, a spoofed email address with one letter changed was used to impersonate the vendor and request a change of banking details. The organization only became aware of the fraudulent payment five days later, when the real vendor requested payment.
Why The Fraudulent Email Was Easy to Miss
The article indicated that the email address used to send the bank account change request had one additional letter, a small detail that is easy to overlook. Fraudsters register a lookalike domain, like the one used in this fraud, to create emails that look legitimate.
Consider these examples used to make email address domains look legitimate:
- Spoof @apple.com: use an upper case “I” in place of a lower case “l”
- Spoof @walmart.com: use “rn” in place of “m” (walrnart.com)
- Spoof @microsoftsupport.com: insert a hyphen (microsoft-support.com)
In addition, fraudsters take advantage of the fact that the team members in finance operations who receive these change requests may not have a relationship with the vendor and may not know the vendor's correct extension (.com, .net, .org, .io, .biz, etc.). Fraudsters register the same domain name under a different extension. Again, easy to miss.
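The substitutions above are mechanical enough to check for automatically. The following is an added example, not code from the article: a small defender-side check that compares a sender's domain against a list of known vendor domains after collapsing the tricks the text describes (capital I for l, rn for m, an inserted hyphen, a swapped extension, one added or changed letter). The vendor list and the `lookalike_reason` helper are assumptions constructed for the example; it works on bare registrable domains and ignores two-part public suffixes such as .co.uk.

```python
"""Flag sender domains that resemble a known vendor domain (added example)."""
from typing import Optional

# Constructed allowlist of vendor domains finance already does business with.
KNOWN_VENDOR_DOMAINS = {"apple.com", "walmart.com", "microsoftsupport.com"}


def _split(domain: str) -> tuple[str, str]:
    """Return (name, extension) from the last two labels of a domain."""
    labels = domain.strip().split(".")
    if len(labels) < 2:
        raise ValueError(f"not a domain: {domain!r}")
    return labels[-2], labels[-1].lower()


def _skeleton(name: str) -> str:
    """Collapse the look-alike substitutions from the text into one canonical form."""
    s = name.translate(str.maketrans({"I": "l", "1": "l", "0": "o"})).lower()
    return s.replace("rn", "m").replace("-", "")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a value of 1 means one letter added, dropped or changed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(sender_domain: str, known: set[str] = KNOWN_VENDOR_DOMAINS) -> Optional[str]:
    """Explain why sender_domain looks like a vendor domain; None if exact or unrelated."""
    s_name, s_ext = _split(sender_domain)
    if f"{s_name.lower()}.{s_ext}" in known:
        return None  # the real vendor domain, nothing to flag
    for vendor in known:
        v_name, v_ext = _split(vendor)
        if _skeleton(s_name) == _skeleton(v_name):
            if s_ext != v_ext:
                return f"same name as {vendor} with extension .{s_ext}"
            return f"confusable spelling of {vendor}"
        if s_ext == v_ext and _edit_distance(_skeleton(s_name), _skeleton(v_name)) == 1:
            return f"one letter away from {vendor}"
    return None


if __name__ == "__main__":
    for sender in ["appIe.com", "walrnart.com", "microsoft-support.com", "apple.net", "applee.com"]:
        print(f"{sender:24} -> {lookalike_reason(sender)}")
```

A hit from this check should route the change request into the manual authentication steps described later, not decide on its own that the email is fraudulent.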
Your IT team’s email filters only block a certain percentage of emails. According to KnowBe4, Microsoft is the most used and most targeted email service in the world, and its email filter, Microsoft Defender, misses 18.8% of phishing emails.
This means that you and your team members will receive fraudulent emails, some of which look very legitimate, so you need a plan for determining whether a request really comes from your vendor.
How The Fraudulent Payment Could Have Been Prevented
Given the normal workload of finance operations, including the vendor team, no single team member should be expected to detect every fraudulent email.
Consider these authentication levels to ensure you are communicating with your vendor and not a fraudster, both when responding to an inquiry about how to change remittance details and when accepting supporting documentation for a remittance change.
- Level One: Initial Contact
- Authenticate the Requestor: When responding to an inquiry about how to change vendor banking, or accepting a request to change banking, take a tip from your bank and ask the requestor two to three questions to verify they are the vendor. Examples include asking for the last 5 digits of the existing bank account and asking for the invoice number from a specific, but randomly chosen, date. If internal employees inquire or submit supporting documentation on behalf of the vendor, you may need to ask them verifying questions as well, such as their employee ID, cubicle number, etc.
- Level Two: Before The Banking Change
- Authenticate the Data: Use your own vendor banking form to collect the new banking details (banking details on letterhead can be forged) and include on the form vendor data that verifies they are the vendor. Require data such as the bank branch information (routing number, BIC, etc.) and account number of the existing banking, and the name, email address and phone number of the employee at your company they are currently doing business with.
Fraud prevention tactics are often misunderstood and questioned. Authentication steps in particular may draw pushback from both your internal team members and the vendors. Document the required steps in your policy and have management sign off as support. Your team is held responsible when fraudulent payments are made, so take the initiative and also take responsibility for pushing the needed fraud prevention steps.