Are You Sure That Email Is Really From Who It Says It Is?

Date May 8, 2020

According to a recent cybersecurity briefing webinar from the Cleveland office of the FBI, bad actors continue to use phishing attacks to set up online and electronic theft. The criminals are using more targeted attacks and are willing to be very patient as they home in on an eventual payday. In the case of so-called Business Email Compromises (BECs), the evidence is that hackers, with little fear of discovery, are spending weeks or even months identifying financial personnel at a company and studying their email habits or tendencies.

Now that we are working remotely, business is being conducted with almost no face-to-face interaction among employees, clients and vendors. We rely more on email conversations than phone calls. Hackers see this trend as an opportunity and are developing schemes to take advantage of it. Your business should be implementing email payment security measures. Our recommendations include:

  1. Scrutinize emails pertaining to subjects such as Accounts Payable, Banking or Finances.
    • Would the entity that the email is supposedly from typically request changes to procedures or account information via email?
    • Study the domain name of the entity for subtle misspellings or replacements of letters with numbers.
    • Use the “hover over” technique on the hyperlink in the email, then examine the URL you see for the actual website/entity that will process the request.
    • Verify the request via a different method, such as a phone call or online chat instead of an email reply.
  2. Require an employee receiving an email requesting a new or altered electronic payment to reach out to the “requestor” via a familiar or known contact point, such as a phone number, to verify that the request and account numbers are real. Never rely on the contact information or account numbers provided in the email!
  3. Require a second authentication from a pre-designated member of your company, such as your CFO or director of finance, before making an email payment.
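
The domain check and the “hover over” check from item 1 can also be automated as a first-pass filter on incoming mail. The sketch below is an added example, not part of the original article. The allow-list, the sample email body, the digit-to-letter mapping and the two-edit threshold are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of vendor/bank domains already on file (assumption).
KNOWN_DOMAINS = {"acme-supply.example", "firstbank.example"}
SAMPLE_BODY = '<a href="https://acme-supp1y.example/pay">acme-supply.example/pay</a>'  # constructed
DIGIT_SWAPS = str.maketrans("013457", "oleast")  # 0->o, 1->l, 3->e, 4->a, 5->s, 7->t

def edit_distance(a, b):
    # Levenshtein distance, keeping only the previous row.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain, known=KNOWN_DOMAINS):
    # Returns (status, nearest known domain). A digit-for-letter swap or a
    # misspelling within 2 edits of a known domain counts as a lookalike.
    domain = domain.lower().rstrip(".")
    if domain in known:
        return "known", domain
    for good in sorted(known):
        if domain.translate(DIGIT_SWAPS) == good or edit_distance(domain, good) <= 2:
            return "lookalike", good
    return "unknown", None

class LinkCollector(HTMLParser):
    # Collects (visible text, href) for every <a> in an HTML email body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html_body):
    # What "hover over" reveals: the real host behind each link; returns those not on file.
    collector = LinkCollector()
    collector.feed(html_body)
    hosts = [(text, urlparse(href).hostname or "") for text, href in collector.links]
    return [(t, h, classify_domain(h)[0]) for t, h in hosts if classify_domain(h)[0] != "known"]
```

A “lookalike” or “unknown” result is a reason to apply items 2 and 3, not a verdict on its own; a request sent from a compromised but genuine account will pass both checks.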

HBK Risk Advisory Services can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a roadmap for continual improvement through cost-effective solutions. Call me at 330.758.8613, or email me at wheaven@hbkcpa.com for more information or to schedule an assessment. As always, we’re happy to answer your questions and discuss your concerns.

Listen to a recent Risk Advisory Services webinar on Banking Controls at: https://attendee.gotowebinar.com/recording/8846183878460240903

Find a Risk Advisory Services Cybersecurity Article on additional Email Security Recommendations at: http://hbkcpa.com/cybersecurity-social-engineering-email-security-recommendations/
