By Ray Rogers, AINS – Senior Claims Examiner
Here’s a scary question: how do you know who really sent that email?
Over the last few years, we have had an increase in claims involving misdirection of payments. These scams are deceptively simple. A cybercriminal clones the email address of a business vendor, then uses that clone to send the vendor's customers their usual invoicing, with one significant change: the routing number. The customer pays the invoice, thinking it is settled up with that vendor.
In reality, the money goes directly into the cybercriminal's account, with predictable results: the vendor considers the business past due, and the business ends up paying the invoice twice.
We have also seen a couple of cases where the cybercriminal cloned the email address of a Chief Financial Officer. Using that clone, the cybercriminal emailed the CFO's own company, instructing it to pay fake invoices from a legitimate company it does business with. As in the scenario above, the telltale difference was the routing number.
These criminals exploit a basic aspect of healthy business relationships: trust. The vendor trusts the customer to pay its bills on time, and the customer trusts the vendor enough to issue invoice payments without question.
Many of the misdirection of payment claims we have seen trace back to China or Hong Kong. That may be where the scam actually originates, or merely the first of many bank accounts the money runs through before stopping at its intended destination.
There is currently no coverage for these types of losses under our insurance policies. We recommend putting procedures in place to keep this from occurring at your business. Here are four examples:
- If a vendor’s routing number changes from one invoice to another, call the vendor to verbally confirm the change. It is important to call rather than email in case the vendor’s email has been compromised.
- Set up a process that works for you and your vendor for confirming any changes involving payments before any invoices are issued. If you receive an invoice with a different routing number but the vendor did not follow the agreed-upon process, hold the payment and follow the confirmation procedure above.
- To safeguard against misdirection scams involving senior executives, establish with your bank a procedure for approving large payments. Any payment over a certain dollar amount must be approved by the CFO or another leader with financial authority. Often, the bank calls that person's cell phone before releasing the payment.
- If you suspect a misdirection scam, alert the vendor being impersonated that their email system has been compromised. This helps them take necessary steps to decrease the odds of it happening again.
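As an added illustration (not part of the original article or any product it describes), the following Python sketch turns the first three procedures above into an accounts-payable release check: an invoice is held if its routing or account number differs from the vendor master record and nobody has confirmed the change by phone, or if the amount meets an approval threshold and no executive has signed off. The vendor records, invoices, routing numbers and the $25,000 threshold are all constructed for the example; the article only says "a certain dollar amount".

```python
"""Payment-release gate for accounts payable.

Added example, not from the original article. Vendor master records,
invoices, bank numbers and the approval threshold below are constructed
for illustration only.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class VendorRecord:
    """Bank details on file for a vendor, maintained by the AP team."""
    vendor_id: str
    name: str
    routing_number: str
    account_number: str


@dataclass(frozen=True)
class Invoice:
    """Bank details as they appear on the invoice that arrived by email."""
    invoice_id: str
    vendor_id: str
    amount: Decimal
    routing_number: str
    account_number: str
    # Set only after AP phoned the vendor at the number already on file
    # (never a number taken from the email) and the change was confirmed.
    verified_by_phone: bool = False
    # Set only after the CFO or another authorised leader approved this invoice.
    executive_approved: bool = False


# Assumed threshold; the article says "a certain dollar amount".
APPROVAL_THRESHOLD = Decimal("25000.00")


def check_invoice(invoice, vendors, threshold=APPROVAL_THRESHOLD):
    """Return ("release" | "hold", [reasons]) for a single invoice."""
    reasons = []
    vendor = vendors.get(invoice.vendor_id)
    if vendor is None:
        return "hold", ["unknown vendor id; no master record to compare against"]

    details_changed = (
        invoice.routing_number != vendor.routing_number
        or invoice.account_number != vendor.account_number
    )
    if details_changed and not invoice.verified_by_phone:
        reasons.append(
            "bank details differ from vendor master; confirm by phone "
            "using the number on file, not one from the email"
        )

    if invoice.amount >= threshold and not invoice.executive_approved:
        reasons.append(
            f"amount {invoice.amount} meets approval threshold {threshold}; "
            "executive approval required before release"
        )

    return ("hold" if reasons else "release"), reasons


# Constructed sample data (not real bank numbers or vendors).
VENDORS = {
    "V-100": VendorRecord("V-100", "Example Supply Co.", "123456789", "000111222"),
}

INVOICES = [
    # Matches master record, small amount: releases.
    Invoice("INV-1001", "V-100", Decimal("4200.00"), "123456789", "000111222"),
    # New routing number, nobody called: held (the classic misdirection pattern).
    Invoice("INV-1002", "V-100", Decimal("4200.00"), "987654321", "000111222"),
    # New routing number but confirmed by phone: releases.
    Invoice("INV-1003", "V-100", Decimal("4200.00"), "987654321", "000111222",
            verified_by_phone=True),
    # Details match but amount is large and unapproved: held.
    Invoice("INV-1004", "V-100", Decimal("60000.00"), "123456789", "000111222"),
    # Vendor not in master at all: held.
    Invoice("INV-1005", "V-999", Decimal("900.00"), "123456789", "000111222"),
]


def run_samples():
    """Evaluate every constructed invoice; returns {invoice_id: decision}."""
    results = {}
    for inv in INVOICES:
        decision, reasons = check_invoice(inv, VENDORS)
        results[inv.invoice_id] = decision
        print(f"{inv.invoice_id}: {decision}" + (f" ({'; '.join(reasons)})" if reasons else ""))
    return results


if __name__ == "__main__":
    run_samples()
```

The check is deliberately dumb: it never trusts anything in the email itself, only the vendor master and two human sign-offs recorded outside the email channel. Once a phone-confirmed change has been released, the vendor master should be updated so the next invoice with the new details does not trip the gate again.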
Cybercriminals will keep inventing new ways to scam, steal and sneak into your systems. Communicate regularly with your IT services department or contractors on how to try to stay one step ahead of them. Being proactive minimizes the chances of this happening to you.