Email phishing fraud: a new reality *

“Dear Friend, you may be surprised to receive this message from me because you dont [sic] know me in person, but for the purpose of introduction, I am Mr. ….”

I would be hard pressed to find a single person within my circle of personal and professional acquaintances who has not received an email that starts off with similar words.

While some of us respond to such electronic nuisances by hitting the ‘delete’ button, perhaps even with our eyes closed, it is shocking how many individuals and organizations are victimized by these seemingly legitimate emails.

“Please wire $100,000 to the following bank account. This is an urgent request that needs to be completed immediately.”

Depending on the level of sophistication of the perpetrators, such requests are often received through an email, purportedly from the CFO or another senior executive within your organization — or so you think. The request is often marked urgent, leaving little time to ask any questions, only to find out that the email did not actually come from the CFO. By the time someone figures this out, the money has likely been wired offshore and is now gone, with minimal chance of recovery.

When this occurs within an organization, it raises the obvious question: Who is in fact responsible for this event? Should the employee in question have been able to transfer these funds without any documentation other than the email? Is an email (real or fraudulent) from the CFO sufficient for a significant amount of money to be sent, whether or not the recipient is on an approved vendor listing?

Email phishing and wire transfer frauds are becoming increasingly common in today’s technology-centric environment. When a fraudster creates a fake email address that resembles that of a senior executive, an individual who is used to receiving ad hoc requests like this — outside of any process or control — may not notice; at least that is what the fraudsters are banking on.

Oftentimes a letter is either added to or removed from the domain — an extra “i” or one less “l” goes unnoticed. The wording of these requests is often very similar to the wording of legitimate requests so the recipient does not become suspicious.

Here are several tips to help you avoid being victimized by email or phishing frauds:

  • always review the sender’s email address closely, particularly when you hit “reply” (the fictitious address can be disguised)
  • consider whether the person making the request is on vacation or would normally be making such requests
  • if the vendor is not already in the company’s vendor master file or documentation is absent, this should be an immediate red flag
  • always ask questions when asked to transfer money urgently
  • double-check if the transaction request is larger than normal
  • implement controls such as a dual authorization requirement and set limits for wire transfers
  • it is always better to ask questions before and prevent a problem than to ask for forgiveness after because you’ve caused a problem
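As an added illustration (not part of the original article), the following Python check implements the first tip above: it parses a constructed message, compares the From and Reply-To domains against an assumed list of the organization’s own domains, and flags near-miss lookalikes such as the extra “i” described earlier. The trusted domain list and the sample message are constructed for the example.

```python
import email
from email.utils import parseaddr

# Domains the organization legitimately sends from (constructed example value).
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed sample: the From header looks genuine, but replies would go to a lookalike domain.
SAMPLE_MESSAGE = """\
From: "Jane Doe, CFO" <jane.doe@example-corp.com>
Reply-To: Jane Doe <jane.doe@examplie-corp.com>
To: accounts@example-corp.com
Subject: Urgent wire transfer

Please wire $100,000 to the following bank account. This needs to be completed immediately.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw):
    """Return warnings for the From and Reply-To domains of a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    warnings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    for label, addr in (("From", from_addr), ("Reply-To", reply_addr)):
        dom = _domain(addr)
        if not dom or dom in TRUSTED_DOMAINS:
            continue
        # One or two edits away from a trusted domain: a letter added, removed or swapped.
        close = [t for t in TRUSTED_DOMAINS if edit_distance(dom, t) <= 2]
        if close:
            warnings.append(f"{label} domain {dom!r} is a near-miss of trusted {close[0]!r}")
        else:
            warnings.append(f"{label} domain {dom!r} is not a trusted domain")
    if reply_addr and from_addr and _domain(reply_addr) != _domain(from_addr):
        warnings.append("Reply-To domain differs from From domain")
    return warnings
```

Run `check_message(SAMPLE_MESSAGE)` to see both the lookalike warning and the Reply-To mismatch warning for the sample above.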

* This article was originally prepared by Karen Gordon for the CPA’s Forensic & Investigative Accounting Blog and has been reproduced here with permission from the Chartered Professional Accountants of Canada.
