When infamous bank robber Willie Sutton was asked why he robbed banks, he reportedly said, “Because that’s where the money is.”
According to the FBI, hackers stole more than $2.7 billion from victims via cyber scams in 2018, and that’s nearly double the 2017 total.
The impact to a small business can be devastating. A report by the Better Business Bureau said the average small business’s loss due to a cybercrime incident is $80,000. Moreover, the U.S. National Cyber Security Alliance shows 60% of small businesses that experience a cyberattack close within six months as a result. As e-commerce and digital platforms continue to grow, a company’s life expectancy increasingly depends on its owner’s vigilance in protecting its cyber presence.
According to Jeff Norris, Chief Information Officer for Seacoast Bank, the most common scam he currently sees is the “CEO/CFO fraud” or business e-mail compromise (BEC). In these fraud scenarios, criminals send phishing e-mails to impersonate executives to deceive employees in accounting or HR into executing unauthorized wire transfers or sending out confidential tax information. It’s a trend that’s taking place in all 50 states and in 150 countries worldwide. The FBI reports it is now a $12 billion global scam, with a 136% increase in identified global losses between December 2016 and May 2018.
Kaela Lerner, Senior Vice President and Director of Treasury Management Sales for Seacoast Bank, shared a firsthand example. A manufacturer she knows received an e-mail from what it believed was a vendor notifying it of a change in wire instructions. The manufacturer had regularly wired funds to the vendor in the past, so based on that email, without voice verification, it changed the wire instructions and sent a payment of nearly $100,000. As it turns out the e-mail was not from their vendor – but it was counterfeited to look exactly like it – the only difference was a very minor change in the e-mail address. By the time the vendor reached out to the manufacturer to ask where its payment was, the wire had been received at the bank indicated in the fraudulent e-mail and moved to an account outside the country.
The scam isn’t confined to businesses, said Lerner. The CFO of a school she knows received an e-mail from the school owner with wire instructions for $50,000. The e-mail looked exactly as it should. The CFO wired the funds without voice verification. By the time the CFO realized the mistake, the transferred funds were not able to be recalled.
Real estate transactions represent another potentially vulnerable area. Lerner described an attorney that conducted numerous real estate closings who received an e-mail with the wire instructions to the seller for proceeds. The attorney was unaware that the office computer system had been hacked and the e-mail was not from anyone representing the seller. No voice verification was conducted to confirm the instructions, and the funds were wired out. The loss exceeded $150,000.
Norris works hard to educate the bank’s clients on how they can protect themselves by utilizing the tools available to them for watching their accounts. He encourages business owners and managers to ask their bank about threshold alerts, positive pay, dual authorization and the ability to continually monitor their accounts. Other industry best practices that all business owners should implement include:
Norris warns that if it happens to you, first and foremost contact your bank immediately. With money transfers, time is of the essence to attempt to stop fraudulent wires or ACH transmissions. Norris also recommends pursuing local law enforcement and filing complaints with the FTC and the FBI Internet Crime Complaint Center (IC3).
Additional resources for business owners and leaders to learn about banking fraud and cyber crime prevention are listed below.
Cybercrime is on the rise in Florida. Find out how to protect your small business with these cybersecurity tips >