The Business’s Guide to Email Fraud

The spam folder is like the black hole of my personal email—anything that goes in is hopelessly trapped for eternity. Yesterday morning, though, I decided to take a look and see what was in there. I discovered an email from my stepmom informing me of a diet plan I need to consider, an email from a soldier asking me to keep $18 million for him until he is back in the USA, and an email from a dentist confirming an appointment (okay, the last one was legitimate—and the first one better not be…talking to you, April!).

My spam curiosity was sparked due to the increase in business email hacking victims I’ve observed over the last couple of years. Unfortunately, businesses aren’t just getting these obviously fake emails about weight loss plans and holding onto $18 million. Businesses that use wire and ACH transfers are more frequently receiving emails that look legitimate and include changes in payment instructions. Here are a just a couple of hacking nightmares I’ve witnessed while working with businesses:

One example is a business customer (let’s call his business XYZ Company) who received an email that appeared to be sent internally from a co-worker asking that he wire more than $30,000 to a vendor—not an unusual request. Fortunately, he sensed something wasn’t right about the wire request. As he looked closer, he realized that the “internal” email address ended in instead of This savvy customer immediately contacted the bank where the wire was supposed to be deposited, and the crisis was averted.

Unfortunately, these stories don’t always end with a “close-call” and sigh of relief. Another business customer, who we will refer to as ABC Company, had a great relationship with their vendor; they emailed back and forth about their kids’ extracurricular activities, how their spouses were doing, etc. ABC Co. received an email from their vendor seamlessly picking up on the email conversation where they had left off. The vendor asked whether Johnny won his soccer game Saturday, and, by the way, when you send that wire scheduled for Thursday, please change our wire information because we have a new bank account. Close to half a million dollars was wired out because ABC Co. had no reason to be suspicious. The vendor’s email had been brilliantly hacked. The money was gone.

The Association of Financial Professionals releases fraud statistics each year. In 2014, wire fraud nearly doubled from 14% in 2013 to 27% in 2014. This statistic is alarming, but it is not surprising as I hear more and more stories like the two examples above. Wire fraud is increasing because those are typically the high-dollar transactions, and hacking is becoming more rampant.

Here are some red flags to look out for:

  • Requests from a supplier to change payment instructions for an upcoming payment
  • Unexpected requests from an executive to initiate a critical payment
  • Any requests that create a sense of urgency to prompt immediate action
  • The recipient of the funds insists on secrecy or confidentiality and suggests bypassing established procedures
  • The requestor insists on communication via email only
  • The requestor wants immediate confirmation when payment is executed

Proactive ways to protect your business from being a victim of fraud:

  • Have an established call-back and verification policy in place:
    • Clearly document a designated contact name and phone number for any vendor that calls or emails wire or ACH requests. If they request to change their bank account information, use the name and phone number you have on file to contact them to confirm changes.
    • Have a similar verification process for internal requests. If you get a wire or ACH request from a co-worker, call them directly and confirm their request.
    • Require a dual approval process for your wire and ACH transactions where one individual must enter a wire or ACH and another must approve the transaction.
  • Engage your IT department, and make sure your security is what it should be.
  • Talk to your banker about your account structure and fraud protection services that are available.

As technology continues to get smarter, so will the people who try to use it against you. One of your best lines of defense is to continue staying informed and educating your staff about new and ingenious types of fraud. Above all else, you should always regard email with a certain degree of skepticism, especially when it relates to your business and its finances.