In the summer of 2017, an accounts payable employee at MacEwan University received an email that, at first glance, appeared innocent enough. The Edmonton-based institution was in the midst of a massive construction project, and one of its vendors requested a change in their banking information. What made this email particularly convincing was the fact that it bore the vendor’s official logo. But appearances can be deceiving. This seemingly harmless email led to a devastating discovery, highlighting the alarming prevalence of fraud in today’s business landscape.
It wasn’t long before the truth came to light. A few months after making the requested change, MacEwan University discovered that it had fallen victim to a phishing scam, resulting in a staggering loss of $11.8 million. This incident served as a stark reminder that email fraud cases, especially those involving Business Email Compromise (BEC), have become distressingly commonplace in recent years.
BEC fraud is a pervasive threat that can have devastating consequences for businesses of all sizes. These scams can be deviously subtle, and cybercriminals employ a range of tactics, but at their core they all revolve around one simple principle: convincing you, or someone on your team, to send money through some form of payment or transfer. BEC is the most sophisticated form of fraud.
According to a 2020 report from PwC Canada, a staggering 47% of Canadian organizations had encountered some form of fraud in the preceding 24 months. Payment fraud, in particular BEC, casts a long shadow over Canadian businesses, affecting a concerning 21% of them.
So, why do these payment frauds often involve scams like the one at MacEwan University? The answer, according to experts, lies in the flow of money within businesses. Most funds leaving a company typically pass through the accounts payable (AP) department, rendering it vulnerable and, unfortunately, attractive to unscrupulous individuals.
In the world of cybercrime that targets businesses, attackers employ various tactics, including:
- CEO Fraud: This ploy involves impersonating the company’s CEO or executive and coaxing someone in the finance department to transfer money to the attacker’s account.
- Account Compromise: In this scenario, cybercriminals hack into an employee’s email account, using it to request payments to fake vendors.
- False Invoice Schemes: This entails scammers masquerading as the supplier and directing funds to deceptive bank accounts.
- Data Theft: This tactic frequently targets HR personnel, aiming to acquire personal information about individuals within the company for future scams, such as CEO Fraud.
However, all is not lost. Experts concur that the most effective means of safeguarding your business from these fraudulent schemes is through awareness and vigilance. While enhancing your online security remains essential, the ultimate defense involves training your employees to recognize and prevent these threats.
Here are some proactive steps your business can take:
- Conduct Regular Audits and Reviews: Regularly scrutinize bank statements, monitor for duplicate payments, and maintain an updated vendor master file.
- Verify Vendors: Implement policies that verify vendor-related changes to invoices, bank deposit information, and contact details. Always cross-verify transfer requests received via email by phone, using the phone numbers on file.
- Educate, Educate, Educate: Experts worldwide agree that education plays a pivotal role in avoiding phishing scams like the one encountered by MacEwan University. Invest the time and resources necessary to teach your staff how to spot phishing attempts and other scams. Encourage the use of robust passwords and periodic changes.
By implementing these proactive measures and fostering a culture of cybersecurity, you can significantly reduce the risk of falling victim to BEC fraud and other payment scams. Your business’s security should always remain a top priority.
At Telpay, we value the trust and safety of our partners, customers, and employees. As cyber threats evolve, we too remain proactive in our efforts to stay ahead of them. Our approach to security is all-encompassing, comprehensive, and based on industry best practices.