In her latest Fraudcast, Dawn Brolin, CPA, CFE and CPA Stephen King got into a deep discussion about cyber fraud.
I reminded listeners early on about Steve’s new GrowthForce webinar, which you can check out through the link on the podcast’s page. The webinar coincides with his publication The CEO’s Guide to Reducing Fraud, a Brolin-approved resource where details on cyber fraud can be found on page 11.
To get our discussion under way, I asked Steve to give a rundown on the hot issue.
Cyber fraud is theft carried out through a computer, and in many cases it is committed through email. According to Steve, cyber fraud is largely about phishing: somebody tries to obtain personal information (a username, credit card number, Social Security number or password, for instance) by pretending to be a trusted contact. Spear phishing, he told us, is more targeted and occurs when somebody tries to obtain information about a specific company.
The ACFE reports that this is how people get into 70 percent of data breaches. Whale phishing is a form of spear phishing that specifically targets CEOs or high-level managers. These fraudsters learn as much as they can about the person who has the authority to transfer money and disguise their true identities in emails, scaring and deceiving administrators into acting.
On the topic of phishing, having a public Facebook account is one means of putting yourself at risk. Thieves can easily scope the site for business owners with the title “CEO,” become your friend and get an inside look at your life.
Steve described his first-hand experience with cyber fraud, recalling a time when he received an email from his director of finance asking him to wire transfer $50,000. Steve responded, declining, and heard nothing back. When he spoke to the director in person, the director had no idea what Steve was talking about. In addition to Facebook accounts, fraudsters use fake photos, emails, Twitter handles, LinkedIn profiles and other forms of social media to commit fraud.
One fraudster technique that Steve warned listeners against is the switching of characters or digits in email domains. What would normally be “[email protected]” might be “[email protected]” if it is an imposter. It’s important to consider how to protect businesses, as well as individuals, from cyber fraud.
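As an added illustration (not code from the podcast, GrowthForce or Intuit), here is a small check that flags a sender whose domain is a single character swap, transposition, insertion or digit-for-letter substitution away from a domain on a trusted list. The trusted list and the sample addresses are constructed for the example.

```python
# Flag inbound sender domains that imitate a trusted domain by one edit or a
# digit-for-letter swap. Constructed example; the trusted list is hypothetical.
from typing import Optional

TRUSTED_DOMAINS = {"growthforce.com", "example-cpa.com"}  # constructed sample list

# Digits commonly substituted for the letters they resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edits_one_apart(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, one adjacent
    transposition, or one insertion/deletion."""
    if a == b:
        return False
    if len(a) == len(b):
        diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diff) == 1:
            return True  # single substituted character
        # adjacent transposition, e.g. "grwothforce" vs "growthforce"
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])
    if abs(len(a) - len(b)) == 1:
        short, long_ = (a, b) if len(a) < len(b) else (b, a)
        i = 0
        while i < len(short) and short[i] == long_[i]:
            i += 1
        return short[i:] == long_[i + 1:]  # one character dropped or added
    return False


def lookalike_of(sender: str) -> Optional[str]:
    """Return the trusted domain a sender's domain imitates, or None when the
    domain is an exact trusted match or unrelated to any trusted domain."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return None
    folded = domain.translate(HOMOGLYPHS)  # "growthf0rce" -> "growthforce"
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or edits_one_apart(folded, trusted):
            return trusted
    return None


if __name__ == "__main__":
    for addr in ["steve@growthforce.com", "steve@growthf0rce.com",
                 "steve@grwothforce.com", "steve@growthforce.co"]:
        print(addr, "->", lookalike_of(addr))
```

A hit from this check is a reason to confirm the request by phone or in person before acting, not proof of fraud on its own.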
Detect & Defend is an Intuit program I use myself that allows business owners to check their credit, monitors the dark web for their information and sends an alert when a breach is detected. It offers 24/7, US-based customer service and costs $10 a month.
As Steve pointed out, the rules for a business are different from those for an individual. You only have 24-48 hours to contest an unauthorized transaction on a business account, whereas on a personal account, you typically have up to 30 days.
Safety measures such as having a resource to help stay on top of potential breaches, or having somebody review transactions every day, are critical. Sometimes, all it takes is a bank account number and a routing number for a fraudster to prevail.
I once had an employee who did a decent amount of bill paying for me and received an email from “me” requesting something. Luckily, we caught it because we had an understood professional process that allowed her to quickly recognize what I would and wouldn’t ask her to do. Internal controls are the reason we picked up on the scam.
Steve noted that one key to maintaining a good control system is having a written policy that outlines what is acceptable behavior and clearly defines what employees could get fired for.
He also suggested training employees on what phishing scams are. There’s software mentioned in The CEO’s Guide (page 25 explores a range of defense methods) that allows business owners to send fake emails and test to see if employees buy into questionable messaging. Steve recommended KnowBe4.
Another preventative must-have is double authentication: a second confirmation of a request through a separate channel. Invest in resources like SmartVault to get text or voice confirmations. Employ anti-malware services like Bitdefender, Malwarebytes and Emsisoft for further protection. Email is wildly susceptible to spoofing, so don’t assume a message is legitimate just because of who it appears to be from.
In the end, Steve reminded us that cyber fraud doesn’t just appear in the form of a suspicious Nigerian prince who wants to transfer money into your bank account. It may convincingly present itself as a client or a reliable source, but a red flag can be as small as a British spelling of a word sent by a Texan. Keep an eye out for dialect blips. When you notice something that just doesn’t feel right, don’t ignore it.