Are You Sure That Email Is Really From Who It Says It Is?

According to a recent cybersecurity briefing webinar from the Cleveland office of the FBI, bad actors continue to use phishing attacks to set up online and electronic theft. The criminals are using more targeted attacks and are willing to be very patient as they home in on an eventual payday. In the case of so-called Business Email Compromises (BECs), the evidence is that hackers, with little fear of discovery, spend weeks or even months identifying financial personnel at a company and studying their email habits and tendencies. Now that we are working remotely, business is being conducted with almost no face-to-face interaction among employees, clients and vendors. We rely more on email conversations than on phone calls. Hackers see this trend as an opportunity and are developing schemes to take advantage of it. Your business should be implementing email payment security measures. Our recommendations include:

  1. Scrutinize emails pertaining to subjects such as Accounts Payable, Banking or Finances.
    • Would the entity that the email is supposedly from typically request changes to procedures or account information via email?
    • Study the domain name of the entity for subtle misspellings or replacements of letters with numbers.
    • Use the “hover over” technique on any hyperlink in the email: hover the mouse over the link without clicking, then examine the URL that is displayed to see which website or entity would actually process the request.
    • Verify the request via a different method, such as a phone call or online chat instead of an email reply.
  2. Require an employee receiving an email requesting a new or altered electronic payment to reach out to the “requestor” via a familiar or known contact point, such as a phone number already on file, to verify that the request and the account numbers are genuine. Never rely on the contact information or account numbers provided in the email!
  3. Require a second authorization, from a pre-designated member of your company such as your CFO or director of finance, before making any payment requested by email.
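The domain and hyperlink checks in recommendation 1 can be partly automated. The following is an added example, not part of the original article or HBK's tooling: it flags sender domains that are near-misses of a vendor domain you already trust (including digit-for-letter swaps such as "1" for "l") and flags links whose visible URL does not match the real target. The trusted domain list and the sample addresses are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: domains of the vendors and colleagues you actually pay.
TRUSTED_DOMAINS = {"acme-supply.com", "hbkcpa.com"}

# Digit-for-letter swaps commonly seen in lookalike domains ("0" for "o", "1" for "l", ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(domain):
    """Lower-case the domain, drop a trailing dot and undo common digit-for-letter swaps."""
    return domain.lower().rstrip(".").translate(HOMOGLYPHS)


def edit_distance(a, b):
    """Levenshtein distance, so 'acme-suppiy.com' vs 'acme-supply.com' scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Return the domain part of a From header such as 'Acme AP <ap@acme-supply.com>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address)
    return match.group(1) if match else ""


def check_sender(address):
    """Classify the sender as 'trusted', 'lookalike:<trusted domain>' or 'unknown'."""
    dom = sender_domain(address).lower()
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(dom)
    for good in sorted(TRUSTED_DOMAINS):
        # Two edits or fewer from a trusted domain is close enough to warrant a phone call.
        if edit_distance(norm, good) <= 2:
            return f"lookalike:{good}"
    return "unknown"


def check_links(html):
    """Return href targets whose host differs from the URL shown in the link text."""
    mismatched = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', html, re.I):
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != urlparse(href).hostname:
            mismatched.append(href)
    return mismatched
```

A "lookalike" result should route the message to the verification step in recommendation 2 rather than block it outright, since a vendor's legitimate sub-domain can also score close to its parent domain.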

HBK Risk Advisory Services can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a roadmap for continual improvement through cost-effective solutions. Call me at 330.758.8613, or email me at for more information or to schedule an assessment. As always, we’re happy to answer your questions and discuss your concerns.

Listen to a recent Risk Advisory Services webinar on Banking Controls at:

Find a Risk Advisory Services Cybersecurity Article on additional Email Security Recommendations at:

About the Author(s)
William Heaven is a senior manager in HBK’s IT Department. He specializes in cybersecurity, IT security, external IT audit, internal IT audit, IT consulting, software development, IT governance, PCI-DSS, supply chain, system implementations and e-commerce.
Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.