Protecting Businesses from Email Impersonation Scams
This is the fifth article in a special series on financial crime.
Just last year, businesses in Singapore lost more than S$43 million ($31.7 million) to business email impersonation scams after they were unwittingly duped into transferring money to foreign bank accounts for purported business payments. Wholesalers, suppliers and distributors—especially small-to-medium enterprises, which use email as their primary mode of communication—were found to be particularly vulnerable.
The modus operandi was similar across these crimes. The criminals would first identify their target and compromise an email account, either the target's own or that of one of its suppliers. They would then do their homework by scouring the existing email correspondence and familiarizing themselves with the operations of the intended target. They would look out for correspondence containing details of ongoing negotiations and discussions of sales or purchases. Through these emails, they would learn about their victims' usual business partners, the business operations, and the roles and responsibilities of the employees.
Subsequently, the fraudsters would make their move by impersonating the supplier of the intended victim. They do this by creating a look-alike email address that closely resembles the supplier's real one, typically on a newly registered domain a few characters away from the genuine domain. A look-alike address usually relies on a misspelling or on swapping a letter for a similar-looking digit, or vice versa: for example, the letter "i" or "l" replaced with the digit "1", or the pair "rn" standing in for "m". These differences are easy to miss at a glance, especially as many mail clients show the familiar display name more prominently than the underlying address. The fraudsters then use this account to instruct the victim to make the payment to a different bank account.
To make the email appear genuine, the fraudsters would even imitate the mannerisms of the genuine correspondence by copying the email signatures, business logos and messaging style. Thinking that the email was really sent by the supplier, the victims would transfer the money as directed. Victims only realized they had fallen prey when their suppliers later informed them that the money had not arrived. By then, the money would already have been sent to an account overseas and withdrawn, making recovery very difficult.
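The look-alike addresses described above lend themselves to a mechanical check before any invoice is paid. The following Python script is an added example, not code from the original article: it takes a From: header value, collapses the usual letter-for-digit swaps into a canonical form, and compares the sender's domain against a hypothetical list of known supplier domains. The vendor list, the similarity threshold and the sample headers are constructed for illustration.

```python
"""Flag From: addresses that imitate a known supplier's domain.

Added example for this article; it is not code from the original. The vendor
list, thresholds and sample headers below are constructed for illustration.
"""
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Single characters fraudsters swap for a look-alike, mapped to the letter they
# imitate, so the genuine and the forged domain collapse to one canonical form.
CONFUSABLE_CHARS = {"0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "7": "t", "8": "b"}
# Letter pairs that render like a single letter in many fonts.
CONFUSABLE_SEQS = (("rn", "m"), ("vv", "w"))
# Hypothetical vendor domains; in practice taken from the vendor master file.
TRUSTED_DOMAINS = {"acme-supplies.com", "globex.co.uk"}
NEAR_MATCH_RATIO = 0.85  # assumed threshold; tune against your own vendor list


def canonicalize(domain: str) -> str:
    """Lower-case, strip accents, drop hyphens and collapse confusable glyphs."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.replace("-", "")
    for seq, letter in CONFUSABLE_SEQS:
        d = d.replace(seq, letter)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in d)


def first_label(domain: str) -> str:
    """'acme-supplies' from 'acme-supplies.com' (a public-suffix list would be more exact)."""
    return domain.split(".")[0]


def assess_sender(header_from: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, trusted_domain_it_resembles) for a From: header value."""
    display_name, address = parseaddr(header_from)
    if "@" not in address:
        return ("unparseable", None)
    domain = address.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return ("known-domain", domain)

    canon = canonicalize(domain)
    best, best_ratio = None, 0.0
    for t in trusted:
        tc = canonicalize(t)
        if canon == tc:  # e.g. acme-supp1ies.com
            return ("homoglyph-lookalike", t)
        if first_label(canon) == first_label(tc):  # e.g. acme-supplies.net
            return ("tld-lookalike", t)
        ratio = SequenceMatcher(None, canon, tc).ratio()
        if ratio > best_ratio:
            best, best_ratio = t, ratio
    if best_ratio >= NEAR_MATCH_RATIO:  # e.g. acme-suplies.com, one letter dropped
        return ("near-lookalike", best)

    # Display name borrows the vendor's name while the address sits on an
    # unrelated domain such as free webmail.
    name_tokens = set(display_name.lower().replace(",", " ").split())
    for t in trusted:
        vendor_words = set(first_label(t).replace("-", " ").split())
        if vendor_words and vendor_words <= name_tokens:
            return ("display-name-mismatch", t)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for sample in (
        "Acme Supplies <ap@acme-supplies.com>",
        "Acme Supplies <ap@acme-supp1ies.com>",
        "ap@acme-supplies.net",
        "ap@acme-suplies.com",
        "Acme Supplies <acme.supplies.ap@gmail.com>",
    ):
        print(f"{sample:50} -> {assess_sender(sample)}")
```

Run it directly and it prints a verdict for each constructed header. Two caveats belong with any such check: a "known-domain" verdict is not a clean bill of health, because the first scenario in this article is the supplier's genuine account being taken over, and a near-match threshold will produce false positives on legitimately similar vendor names. The output should therefore route a message to verification by phone rather than block or approve it on its own.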
In 2016, a local company was almost swindled when it received an email it thought was sent by its overseas business partner. The company had previously corresponded with this supplier to purchase equipment and had an outstanding payment of $56,000. The email directed the company to make the payment to another bank account in Poland instead. As the two parties had been in a cordial working relationship for some time, the company did not doubt the authenticity of the email and dutifully made the payment as instructed.
It was only when they noticed minor discrepancies in the supplier's email address that the company realized something was amiss. They quickly called their supplier to check and found out that the supplier had not sent the email. Fortunately, in this case, the payment was successfully recovered because the company promptly lodged a police report and the funds were still sitting in the foreign bank account.
However, successful recoveries represent an exception, rather than the norm. Chances of recovery diminish as soon as the money is transferred overseas and become slimmer the longer it takes for the matter to be brought to the attention of the authorities. If any business is affected by this scam, it should lodge a police report and contact its bank immediately to recall the funds.
How To Avoid Becoming a Victim
The Internet has cultivated a conducive environment for sophisticated criminals to operate and commit carefully premeditated crimes behind a veil of anonymity. However, by adopting some simple measures, one can avoid falling victim to such frauds:
Be mindful of changes in payment instructions
This fraud is premised on the victim being deceived by a fraudulent email to make fund transfers to an unfamiliar bank account. Devote extra attention to emails containing new or sudden changes in payment instructions. The following are examples of unusual payment instructions that should trigger alarm bells:
- When you are corresponding with a supplier in Country X but you received instructions to transfer payment to Country Y instead
- When you are corresponding with Company XYZ but you received instructions to transfer funds to Company ABC instead
If you receive such an email from a business partner, bear in mind that their email account may already have been compromised by criminals, in which case nothing in the email, including any phone number it provides, can be relied on. Do not verify by replying to the email. Instead, call your business partner on a phone number you already had on record before the email arrived to confirm the payment instructions.
Educate your employees about this scam
There have also been situations in which fraudsters compromised the email account of a senior employee and used it to trick staff into making urgent transfers to the fraudsters' accounts. Hence, all employees should be made aware of this fraud, and employees responsible for making payments on behalf of the company should remain especially vigilant. If they receive an email from a superior instructing them to make a payment or amend payment instructions to an external party, they should confirm the instruction with that superior in person or by phone, and verify any new beneficiary details with the external party via known and trusted phone numbers rather than any contact details given in the email.
Maintain strong passwords
To reduce the risk of email accounts being compromised, every employee should use a strong password that is unique to the account. Length matters more than forced variety: a long passphrase is harder to guess than a short string with a few capitals and digits mixed in, and a password reused from another site is weak however complex it looks. Enable two-factor authentication (2FA) wherever it is available. 2FA requires a second proof of identity beyond the password before access is granted, typically a one-time code from an authenticator app or sent to a registered mobile number, so a stolen password alone does not unlock the mailbox. Codes from an authenticator app or a hardware security key are harder for criminals to intercept than codes sent by SMS or to an alternative email address.
Be wary of emails from unknown sources
Always exercise caution when opening and downloading attachments from emails that you are not expecting or have received from anyone you do not know. These attachments could contain viruses and other forms of malware that can infect and harm your computer.
Installing anti-virus software and keeping it updated is a good way to prevent malicious programs from operating and collecting sensitive information from your computers for the purposes of carrying out the fraud.
Easy Fixes; Easily Ignored
While these measures may seem obvious, it is surprising how often they are overlooked by companies and their employees, increasing the likelihood of business email impersonation scams succeeding. While much is made of preventing cyber incidents and much money is poured into the endeavor, these seemingly simple steps are easily ignored.
Companies in Singapore, and indeed elsewhere, will be well served if the importance of these measures is reinforced and not lost in the drive to implement systems that defend against seemingly larger cyber incidents.
*To seek scam-related advice in Singapore, you may call the Singapore National Crime Prevention Council’s Anti-Scam helpline at 1-800-722-6688 or go to www.scamalert.sg to find out more about this scam and how you can protect your business from it.