Scammers are constantly on the lookout for new ways to get your money.
Within the past 6 months, multiple businesses have been defrauded into sending hundreds of thousands of dollars through ACH transfers to compromised business partners. Some of them were able to recover part of this money, but some weren’t so fortunate. Here’s what you need to know to keep this from happening to your business.
Password spraying is a new technique coming onto the cyber security scene in which, instead of guessing millions of passwords for a single account, attackers try dozens of very common passwords across millions of accounts with publicly available email addresses. This has proven effective because only one employee needs to have a weak password for the organization to be compromised, which significantly increases the attackers’ chances.
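One way to spot this pattern in sign-in logs, shown as an added example that is not part of the original post: flag any source address whose failed logins touch many different accounts with only a few tries each. The log format, thresholds and function names are assumptions, the sample lines are constructed, and the check assumes the attempts come from one source address.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: timestamp, source IP, account, result.
# 203.0.113.7 sprays many accounts; 198.51.100.9 hammers one; 192.0.2.4 is a typo.
SAMPLE_LOG = """\
2024-03-01T09:00:00 203.0.113.7 alice@example.com FAIL
2024-03-01T09:00:05 203.0.113.7 bob@example.com FAIL
2024-03-01T09:00:09 203.0.113.7 carol@example.com FAIL
2024-03-01T09:00:14 203.0.113.7 dave@example.com FAIL
2024-03-01T09:00:20 203.0.113.7 erin@example.com FAIL
2024-03-01T09:00:26 203.0.113.7 frank@example.com OK
2024-03-01T09:01:00 198.51.100.9 alice@example.com FAIL
2024-03-01T09:01:02 198.51.100.9 alice@example.com FAIL
2024-03-01T09:01:04 198.51.100.9 alice@example.com FAIL
2024-03-01T09:01:06 198.51.100.9 alice@example.com FAIL
2024-03-01T09:05:00 192.0.2.4 bob@example.com FAIL
2024-03-01T09:05:30 192.0.2.4 bob@example.com OK
"""

def parse(log):
    """Yield (time, ip, account, succeeded) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, ip, account, result = parts
        yield datetime.fromisoformat(ts), ip, account.lower(), result == "OK"

def find_spray_sources(log, window=timedelta(minutes=30), min_accounts=5, max_tries=3):
    """Return {ip: {"targeted": [...], "succeeded": [...]}} for spray-like sources."""
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, *_rest) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            fails = defaultdict(int)
            for _, _, account, ok in in_window:
                if not ok:
                    fails[account] += 1
            # Spray signature: many accounts, each with only a few failures.
            low = sorted(a for a, n in fails.items() if n <= max_tries)
            if len(low) >= min_accounts:
                # A success from the same source means an account was likely taken over.
                hits = sorted({a for _, _, a, ok in in_window if ok})
                findings[ip] = {"targeted": low, "succeeded": hits}
                break
    return findings
```

Any account listed under `succeeded` should have its password reset and its mailbox rules reviewed, since the source that sprayed the others also logged in to it.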
Once this employee’s account has been compromised, the malicious actors will intercept emails, waiting for an opportunity for a payout. In most of these cases they will intercept an email from a business partner attempting to make a payment. They will then hide this email so that the employee doesn’t see it, and reply asking for the money to be wired through ACH. However, the account numbers provided will instead send the money directly to the scammers.
It is now more important than ever that all employees have strong passwords, but this is just one step. You also MUST have two-factor authentication enabled. In all these cases, two-factor authentication would have prevented the employee’s email from being compromised. A little extra annoyance is a small price to pay for a hard wall between malicious third parties and your important accounts.
However, this is still not enough for the businesses being defrauded. The emails asking for the money to be transferred via wire will appear to be from a trustworthy source, and in all cases the businesses being defrauded thought they had no reason to doubt this request from a business partner they may have trusted for years. To stay safe from this, you should always be skeptical when your business partner makes a change to routine dealings. If you have any doubts, you should reach out via phone or in person to verify the authenticity of the request.
An ounce of caution can be worth your life savings. With the landscape of scams and exploits constantly evolving to be more convincing and more elaborate, you must be vigilant. If your cyber security is exploitable then you WILL be exploited. There is no target too small or too ordinary for these malicious third parties, who are constantly looking for any money they can make from vulnerable people and businesses.
If you’re unsure of your organization’s cyber security and you don’t have an internal IT department, then it may be time to think of partnering with a local Managed Service Provider (MSP) who can help you harden your security.