Cyber fraud is when there’s a theft through the computer. In a lot of cases, it is committed through email, writes Dawn Brolin at Accountingweb. Cyber fraud is about phishing—when somebody tries to obtain personal information (username, credit card, Social Security number or password, for instance) by pretending to be a trusted contact. Spear phishing is more targeted and occurs when somebody tries to obtain information about a company.
The ACFE reports that this is how people get into 70 percent of data breaches. Whale phishing is a form of spear phishing that specifically targets CEOs or high-level managers. These fraudsters learn as much as they can about the person who has the authority to transfer money and disguise their true identities in emails, scaring and deceiving administrators into acting.
On the topic of phishing, having a public Facebook account is one means of putting yourself at risk. Thieves can easily scope the site for business owners with the title “CEO,” become your friend and get an inside look at your life.
Steve King, author of The CEO’s Guide to Reducing Fraud, described his first-hand experience with cyber fraud, recalling a time when he received an email from his director of finance asking him to wire transfer $50,000. Steve responded, declining, and heard nothing back. When he spoke to the director in person, he had no idea what Steve was talking about. In addition to Facebook accounts, fakes utilize photos, emails, Twitter handles, LinkedIn profiles and other forms of social media to commit fraud.
One fraudster technique that Steve warned listeners against is the switching of digits in email domains. What would normally be “email@example.com” might be “firstname.lastname@example.org” if it is an imposter. It’s important to consider how to protect businesses, like individuals can be protected from cyber fraud.
Detect & Defend is an Intuit program I use myself that allows business owners to check their credit, monitors the dark web for information and sends an alert when a breach is detected. It offers 24/7, US-based customer service and costs $10 a month.
As Steve pointed out, the rules for a business are different than those for an individual. You only have 24-48 hours to contest an unauthorized transaction on a business account, whereas on a personal account, you typically have up to 30 days.
Safety measures such as having a resource to help stay on top of potential breaches or having somebody monitor transactions every day are critical. Sometimes, all it takes is a banking account and a routing number for a fraudster to prevail.
I once had an employee who did a decent amount of bill paying for me and received an email from “me” requesting something. Luckily, we caught it because we had an understood professional process which allowed her to quickly recognize what I would and wouldn’t ask her to do. Internal controls are the reason we picked up on the scam.
Steve noted that one key to maintaining a good control system is having a written policy that outlines what is acceptable behavior and clearly defines what employees could get fired for.
He also suggested training employees on what phishing scams are. There’s software mentioned in The CEO’s Guide (page 25 explores a range of defense methods) that allows business owners to send fake emails and test to see if employees buy into questionable messaging. Steve recommended KnowBe4.