Typically, hackers intercept online correspondence and re-route electronic transfers, making large sums of money effectively disappear. It starts with cyber criminals illegally accessing the email accounts of both the businesses and customers. They intercept the correspondence, replacing the bank details of the payee with different bank details. When the funds are transferred in the usual course of a transaction, the money is sent to the criminal’s own bank account. From there it is rapidly dissipated between dozens of other bank accounts. In a matter of minutes a large sum of money can effectively disappear via this simple email fraud.
The fraud is made easier because, although most people are careful with their bank or financial passwords, they tend to be more relaxed about their email accounts. Passwords are often predictable and rarely changed. Hackers have a host of tools and strategies available to them to crack simple passwords, particularly where the same one is used across a number of accounts or in online shopping transactions. Because hackers attack at the most vulnerable point, the email account, they bypass the need to hack the better defended financial or bank systems.
Only the very astute would ever suspect there was anything wrong. The offending invoice or bank details invariably appear to come from the genuine business involved in the transaction. Hackers are extremely sophisticated and are able to forge documents so that they appear identical with just the account number of the bank details changed. Access to the email correspondence leading up to the transfer also means that they time their invoice perfectly. It appears just ahead of the genuine one, exactly when the client was expecting it.
To the unsuspicious eye there appears to be nothing untoward going on. Yet, in a matter of minutes the transfer will have been redirected while the legitimate invoice remains unpaid. Sometimes the first the victim knows of the email fraud is when the genuine invoice appears in their inbox.
This email fraud scam affects clients who are receiving as well as transferring funds. To provide the best defence against this type of criminal activity we recommend the following precautions:
- Change your email account password regularly;
- Avoid using the same password for online shopping transactions. The more frequently the same password is used, the easier it is to hack;
- Only send invoices or sensitive information by email if it has been encrypted, i.e. password-protected;
- Double-check the sort code and account number with a verified contact directly by phone. Emails could be intercepted and false confirmation sent as part of the scam;
- With large transfers, send a small instalment first to ensure that the funds have been received and the recipient’s details are correct, before following up with the balance;
- Consider using payment methods which require additional verification of a recipient’s name/account name.
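The bank-detail check and the small-instalment precaution above can be built into a payment workflow. The sketch below is an added example, not part of the original advice; the payee name, account numbers, threshold and function names are hypothetical, and it assumes UK-style 6-digit sort codes and 8-digit account numbers.

```python
import re

# Constructed sample record: details confirmed earlier by phone (hypothetical payee).
VERIFIED_PAYEES = {"Example Builders Ltd": ("12-34-56", "12345678")}
LARGE_TRANSFER = 10_000  # assumed threshold (in pounds) for a test instalment


def normalise(sort_code, account_number):
    """Strip separators so '12-34-56' and '123456' compare equal."""
    sc = re.sub(r"\D", "", sort_code)
    acct = re.sub(r"\D", "", account_number)
    # Assumption: UK-style 6-digit sort code and 8-digit account number.
    if len(sc) != 6 or len(acct) != 8:
        raise ValueError("expected 6-digit sort code and 8-digit account number")
    return sc, acct


def check_payment(payee, sort_code, account_number, amount):
    """Return (decision, reason) for bank details taken from an emailed invoice."""
    try:
        requested = normalise(sort_code, account_number)
    except ValueError as exc:
        return "HOLD", f"malformed bank details: {exc}"
    on_file = VERIFIED_PAYEES.get(payee)
    if on_file is None:
        return "HOLD", "no verified details on file; confirm by phone first"
    if requested != normalise(*on_file):
        return "HOLD", "details differ from verified record; confirm by phone"
    if amount >= LARGE_TRANSFER:
        return "TEST_PAYMENT", "details match; send a small instalment first"
    return "RELEASE", "details match verified record"


if __name__ == "__main__":
    # Constructed invoices: one genuine, one with only the account number changed.
    for args in [("Example Builders Ltd", "123456", "12345678", 2_500),
                 ("Example Builders Ltd", "12-34-56", "87654321", 2_500)]:
        print(args, "->", check_payment(*args))
```

The verified record must be populated from a phone call to a known contact, never from the email that carries the invoice.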
Email fraud costs millions every year. Businesses can obtain a degree of protection through cyber insurance. As the threat increases, the insurance industry has been working hard to keep pace in order to offer business owners appropriate cover. Compliance with the government-backed Cyber Essentials scheme is a minimum requirement for commercial cyber insurance.
As for private individuals, there is a specific insurer that offers cyber cover as an extension to a household policy, so please do discuss your requirements with your broker. Valuable advice can also be obtained through the Cyber Essentials scheme.