You’ve got a lot on your mind if you run a small business. Payroll to make, people to supervise and manage, sales to make and books that need to be balanced. Does the thought that you and your business could become the target of international thieves ever cross your mind?
It should. Over the last few years, small businesses have become a favorite target of international thieves. They approach your business at its weakest spot: as a potential sale. They use the information gathered from that approach to drain your bank account faster than you can hang up the phone. It’s called spear phishing, and it’s not about fish. It’s about targeting (that’s the spear) your specific business to get information (the object of the phishing) that can then be used to drain your bank account.
Here’s how it works:
The scam starts with a telephone call, an e-mail or a fax. The pitch is something like this: “We are in need of a supplier for (insert your product here). We need (large amount, larger than your typical sale to one customer) units of this product. We expect to have an ongoing purchasing arrangement if you can supply our needs.” They may go on with background material about how their business has picked up and you may learn more about them than you really want to know.
There may be several contacts, or just a few, and they may even sign a contract. The part you need to watch for is when they say something like, “We will pay you via ACH transfer (direct deposit or electronic funds transfer) since that is the cheapest way for us to pay you. You’ll get your funds that much quicker. Please fill out this form from our bank with your banking information and fax it or scan it and e-mail it to our bank.” The form will request your bank’s information, including the routing number and your account number, and often more: signatures, the names and titles of people authorized on the account, and contact numbers. None of it is a secret on its own (your routing and account numbers are printed on every check you write), but assembled in one place it is everything needed to impersonate you. Once the con artists have this, the honeymoon is over. The next step is for them to steal your money.
How?
The con artists will use the information to contact your bank by e-mail, telephone or fax and request a wire transfer out of your account. They will pretend to be you. To make the impersonation convincing, their associates will already have run other phishing attempts to gather your identifying information, such as your tax identification number, e-mail addresses and contact phone numbers, so that every detail the bank asks for checks out. If they submit the request by fax, they may even have copied your letterhead and logo. The money will be wired out of the U.S. banking system to an account in a foreign country, from which it is moved again within hours.
Now, you have officially been had. The bank will blame you for not protecting your data. You will blame the bank for wiring your money to a country where you have probably never done business. Law enforcement won’t be much help: U.S. law enforcement has no authority in a foreign country, and the local law enforcement in the country where the money was sent may be part of the scheme or taking payments from the crooks. It’s a fat and happy time for lawyers as your lawyer sues the bank, which responds with lawyers of its own. The case law on who bears the loss is not settled, so it can go either way.
What should you have done?
Prevention is the only sure way to not lose money from a fraud scheme. Prevention is money and time you invest in your business up front so you don’t have to spend more money and time later chasing lost money.
What prevents this from occurring? Policies, Procedures, and Training
- Policies must be in writing and clearly spell out what information is allowed to be disclosed to people or businesses outside of your company and under what circumstances.
- Procedures also must be in writing. They should anticipate as many scenarios as possible in which someone asks for sensitive information (a new customer’s bank form, a caller claiming to be from your bank, a request to change payment details) and spell out the approved way of handling each one, including who may answer and how the requester is verified.
- Train your staff, especially management, in the policies and procedures. New staff must be trained in information security as soon as possible. Emphasize that information is money and disclosing too much information can kill your company and put them out of a job.
Do’s and Don’ts
- Do use a designated company computer for online banking activities and nothing else: no e-mail, no web browsing. Keep its operating system and security software up to date and scan it periodically for key loggers with reputable anti-malware software; computer columnists at major publications regularly review free and paid tools of this kind.
- Do sit down with your bank and go over exactly what banking services you need. Do you really need a standing wire transfer agreement in place? If so, insist that the bank verify every wire request with something beyond the details printed on a form: a password, or a callback to a phone number you put on file in person, and not a number supplied in the request itself. Spell out with the bank which services you will use and which you will not, so that a request for a service you never signed up for is refused outright. Be wary of automated services you may not need, and ensure that there are security checks in place both at the bank and at your company, such as a second person’s approval, for any large transfer of funds.
- Don’t allow online banking activities on all company computers, and don’t allow employees unfettered access to the web. Many websites, pornographic ones prominent among them, deliver malicious code through booby-trapped downloads, infected ads and images, and a machine that is one careless click away from a key logger should never be the machine that logs in to your bank.
- Don’t assume that a telephone call coming in from what appears to be your area code is a local call. Caller ID spoofing is easily accomplished, so a call from an Eastern European crook can appear to come from a nearby town. The same goes for e-mail: the sender’s address and the apparent origin of a message are easily forged or routed through a compromised computer in another country, so neither proves who is really on the other end.
- Don’t be your own investigator. If you consider yourself the ultimate judge of people you meet over the phone or the Internet but have no experience in due diligence methods, don’t go forward with the deal.
- Don’t assume that you know more than you do. Many common ways of checking on local businesses, such as the Better Business Bureau, don’t work against online crooks, because the crooks may be imitating a legitimate business whose record is spotless. Remember, the reason they are doing this is to imitate you with your bank.
- Do get over yourself. Your company is just another piggy bank to an online crook. If you make it easy for him to be you, he will take your money. You aren’t being targeted because you’re special. You’re being targeted because you’re available.