Creating trust is vital for any organization. It’s also one of the factors criminals rely on.
The City of Burlington, Ont. found that out the hard way last month when an employee fell for an increasingly common scam: An email supposedly from what it calls a “trusted vendor” requesting to change the bank account where the municipality normally transfers money to.
Agreeing to the change, the $503,000 payment went to an account controlled by an unknown person.
The incident took place May 16. The city only learned about it five business days later. It made the incident public in a news release Thursday.
The fraud was reported to the bank and Halton Regional Police, but with a week between the incident and law enforcement being told it’s unlikely the money will be recovered.
The city says it has since put in additional internal controls to prevent a similar incident from happening again.
The municipality is refusing to make any further comment on how it happened. One possibility is the vendor’s email was hacked, so the email (or emails) the employee received was from a legitimate source. Another is that the criminal spoofed an email address similar to a person employed by the vendor. In one case the FBI noted a fake email ended in “.co” instead of “.com.”
“Humans remain the weakest link in any organization,” Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, noted after spotting a news story on the con. “Properly implemented security controls can reduce the risk of human error but not eliminate it.”
In a statement issued by the City Burlington Mayor Marianne Meed Ward said the incident was committed “with falsified documents at a level of sophistication not typically seen, and we are taking the necessary steps to prevent it from happening in the future. This stresses just how important it is that we are all vigilant and recognize the signs of online fraud, phishing and other scams, and report them to the proper authorities — so that no one becomes a victim of this type of criminal activity.”
Experts group these types of cons as business email compromise scams or wire frauds. The Canadian Bankers Association website recommends these four steps to reduce the odds of being victimized:
- Educate – Educate employees on how to spot these types of scams by making them aware that employee email addresses can be spoofed. Let them know that a major red flag for BEC is a wire transfer request that includes pressure to act or a sense of urgency.
- Verify – The Canadian Anti-Fraud Centre recommends businesses consider a two-step verification process for wire transfer payments so that your business requires two forms of communication to confirm a wire-transfer request is legitimate.
- Be cautious – Take precautions when posting information online or on social media sites about where and when senior staff, including the CEO or CFO, are on vacation or away from the office.
- Protect – Ensure all software, including anti-virus software, is up to date on all computers and servers in your office(s).
The FBI offers these tips to organizations and employees:
- Verify changes in vendor payment location and confirm requests for transfer of funds.
- Be wary of free, web-based e-mail accounts, which are more susceptible to being hacked.
- Be careful when posting financial and personnel information to social media and company websites.
- Regarding wire transfer payments, be suspicious of requests for secrecy or pressure to take action quickly.
- Consider financial security procedures that include a two-step verification process for wire transfer payments.
- Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail but not exactly the same. For example, .co instead of .com.
- If possible, register all Internet domains that are slightly different than the actual company domain.
- Know the habits of your customers, including the reason, detail, and amount of payments. Beware of any significant changes.