Please take care when making large payments online that appear to have been requested by company management.
A few weeks ago we had a call from a customer's employee who had been asked by their company director to make a £20,000 payment to an account.
The email came from the company director's account, mentioned their name and which bank account to use. It even looked like many previous emails that had sent similar instructions to this member of staff.
The only problem was - the company director didn't send it.
Thankfully, their online bank was down at the time, so the employee spoke to the company director on the phone first, only to find out they knew nothing about the payment request.
After connecting to the company director's email account, we noticed some rule settings that deleted any new email, so we realised the account had been compromised and locked the account down.
We also found emails in the sent items folder that had been sent out to every contact in their address book. These emails had a link to open a PDF document from Dropbox.
If the link was followed, it took them to a page that looked like Dropbox but first asked them to enter their email address and password to access the file.
It turns out that the company director had received such an email an hour earlier, followed the link and inadvertently entered their details. Within 15 minutes, the scammer had logged in, copied previous payment instructions from the sent items folder and then sent a fake one out. They then sent out the same link to 400 of the company director's contacts.
The client almost lost £20,000. The bank would not have refunded the amount as it would have been classed as a genuine payment instruction from the customer.
How to avoid these scams
• Consider using two-factor authentication (a login that requires both a password and a code or prompt from a mobile phone) for important systems such as your main email and any system dealing with money (e.g. PayPal). With it in place, a password captured by a fake login page is not enough on its own to get into the account.
• Always check any unusual payment request directly, ideally in person or by telephone, to confirm the instruction is genuine. Use contact details you already hold, not those given in the email.
• Establish a documented internal process for requesting and authorising all payments and be suspicious of any request to make a payment outside of the company’s standard process.
• Be cautious about any unexpected emails which request urgent bank transfers, even if the message appears to have originated from someone from your own organisation.
• Ensure email passwords are robust and unique. Don't reuse passwords on multiple accounts. If you think a password has been entered into a fake page, change it straight away and check the mailbox for rules you did not create that forward or delete mail, as happened in the case above.
• Consider whether the email contains unusual language or is written in a different style to other emails from the sender.
• Never enter your email address and password on a page you have never used before, especially one reached by following a link in an email. Go to the service directly instead.
• When clicking on a link to a page, check that the address bar shows the company's real domain (the part just before the first single slash, e.g. dropbox.com), not merely an address that contains or resembles the company name somewhere in it.
• If you are in doubt about anything, please give us a call and we will be happy to investigate.
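The last two points above are the ones people get wrong in practice, because a scammer's address can contain the real company name and still belong to someone else. The check below is an added example, not code from the original page or from any company it mentions: it extracts the host from a link and compares only that part against an allowlist of expected domains. The allowlist (assumed here to be just dropbox.com) and the sample links are constructed for the example; it also goes slightly beyond the bullet by handling the common tricks of a look-alike subdomain, a "user@" prefix, a path that merely mentions the name and a plain-http link.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the only domain this organisation expects file-share links from.
TRUSTED_DOMAINS = frozenset({"dropbox.com"})


def link_host_is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Return True only if the link's host is a trusted domain or a subdomain of one.

    Only the host part is compared, so text in the path, query or userinfo
    ("dropbox.com@evil-example.net") cannot make an untrusted link pass.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False  # a genuine login page is always served over https
    host = parts.hostname  # lowercased; userinfo (before '@') and port already removed
    if not host:
        return False
    host = host.rstrip(".")  # "dropbox.com." is the same host as "dropbox.com"
    # The leading "." is essential: without it "notdropbox.com" would match "dropbox.com".
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_links(urls):
    """Map each link to 'ok' or 'suspicious' so a batch of links can be reviewed at once."""
    return {u: ("ok" if link_host_is_trusted(u) else "suspicious") for u in urls}


# Constructed sample links, modelled on the kind of message described above.
SAMPLE_LINKS = [
    "https://www.dropbox.com/s/abc123/invoice.pdf",          # genuine host
    "https://www.dropbox.com.evil-example.net/invoice.pdf",  # look-alike subdomain
    "https://dropbox.com@evil-example.net/open",             # real name in the userinfo part
    "https://evil-example.net/dropbox.com/login",            # real name only in the path
    "http://www.dropbox.com/s/abc123/invoice.pdf",           # not https
    "https://notdropbox.com/s/abc123",                       # name glued onto another domain
]

if __name__ == "__main__":
    for link, verdict in classify_links(SAMPLE_LINKS).items():
        print(f"{verdict:10s} {link}")
```

Only the first sample passes; every other one contains the word "dropbox" somewhere yet points at a different host, which is exactly why the advice is to read the domain in the address bar rather than look for a familiar name anywhere in the link.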