Mike: The bad guys that are out there are targeting your companies day in, day out, they run as businesses, and they are constantly surveilling your businesses, looking for weak spots and targeting you.
John: B E C, business email compromise. Simply put, it's a scheme in which criminals use email to induce payments employees to release authorized payments to accounts controlled by criminals. The Association for Financial Professionals survey gathered responses from 600 financial professionals at organizations across varying sizes and industries. Eighty percent of the survey respondents experienced business email compromise, and fifty-four percent, which is a six percent increase over 2017, experienced a loss. It starts with targeting, so that's where the criminals, they're going to do their homework. They're gonna do their reconnaissance. They're gonna seek to understand the size, type and frequency of the payments that you make. The next thing they'll do is they're going to introduce a fake or compromised email coming from your known or trusted vendor or from an executive within your company. The third step, your payments employee will initiate, approve and release a payment to the account controlled by the criminal, and often, unfortunately, won't validate that change in instructions and then funds are lost. At some point, the fraud will be detected and, unfortunately, funds will be depleted from the destination account.
Curtis: If the dollars alone don't scare our clients, we try to educate them on how big of an issue this is, so that they work this into a holistic risk management of their business.
John: What are your employees sharing on social media? Are they disclosing roles and responsibilities, titles? Also look at your company website. What information are you disclosing that folks could use to deduce what your organizational structure is?
Greg: One of the areas of continued evolution and advancement is the ability to make payments while on the go, but you run the risk of those payment credentials being stolen so certainly we encourage that all payments are done over a secure network.
Thelma: Make sure that the use of fraud prevention products such as Positive Pay and ACH Debit Block are utilized. They should also validate payment instructions in person or with a known telephone number.
John: When it comes to the payment initiation stage, the destination instructions are key. Is it a different destination that you're paying? Not the beneficiary name, account number, so if that account number is different, you really want to be suspicious.
Curtis: Make sure that you've got callbacks to whoever the originator is. We also think a best practice is to look at capping the size of transactions that your staff can do.
John: Once a payment is made, make sure that accounts payables are reconciled daily, and if suspicious activity is identified, notify your financial institution and the appropriate law enforcement authorities immediately.
Curtis: Making sure your staff is on heightened alert and understands that this obviously is a big, frequent occurrence. We also strategically reach out to our clients, make sure to repeat and constantly talk about this topic so that we can always have it as part of our normal hygiene of risk mitigation.