Businesses of all sizes, and in all industries, around the world are at risk of sending payments to fraudsters who pose as someone known and trusted by a company employee. This scam, called impostor fraud, cost U.S. companies $179 million from October 2013 to November 2014, according to the Internet Crime Complaint Center. And losses continue to mount as crooks get better at their impersonation tactics.
A scammer may claim to be the company’s CEO, CFO, a longtime vendor, or someone else whose name and position makes the scam believable. While impersonating this trusted business acquaintance, the scammer sends the company employee a fake invoice, payment request, or change in payment instructions. If the employee isn’t careful about confirming that the request is legitimate, the company will end up sending funds to the scammer.
There are two main variations on the impostor fraud theme. In the first, the fraudster poses as a company executive and instructs an employee to make one or more payments, usually by wire transfer. The scammer will do research in advance to identify the company’s typical payees, along with common methods for payment requests and acceptable amounts for each method, so that the email appears legitimate. In this type of fraud, the scammer often impersonates the CEO. Requests from the corporate CEO are less likely to be questioned than requests from lower-level managers, and some CEOs can be hard to get in touch with to verify such a request.
The other common form of impostor fraud involves impersonation of a familiar vendor. The business receives an email that appears to come from one of its suppliers or vendors asking the company to wire payment for a legitimate invoice to an alternative, fraudulent account. Sometimes hackers break into the email account of an employee of the targeted company, in order to study the pattern of payment requests. The hacker will then submit an invoice that looks legitimate except for subtle changes to the payment instructions. In a similar ruse, an employee of the targeted company or one of that company’s vendors may scan a real invoice, then use the scan to create a counterfeit invoice that directs the payment to his or her own account. Finally, some companies have experienced hackers breaking into the accounts receivable system of one of their vendors and generating a fraudulent invoice or payment request.
How They Pull It Off
To make impostor fraud work, a scammer takes advantage of certain common business habits, including the following:
- Companies are often willing to change a vendor’s bank account information based solely on an email, fax, or phone call that appears to come from the vendor.
- Companies may not require employees to authenticate this type of request by calling a trusted contact at the vendor.
- Executives’ requests often go unquestioned.
- Executives are often unavailable, so employees may be unable to quickly verify that a payment request from a particular executive is legitimate.
Some scammers set up email addresses that differ only very slightly from the email address of the individual they’re impersonating. For example, if an impersonated executive is JohnDoe@ABCAdditives.com, the employee targeted by the scam might get a message from JohnDoe@ABCAddiitives.com. Alternatively, the targeted employee might receive an email from JohnDoe@gmail.com.
Whatever email address an impersonator uses, if he or she sends an email to the company’s CFO while pretending to be the CEO, vigilance on the part of the CFO is the only barrier to a successful fraud. Suppose, for example, that the CFO receives a request for a $500,000 wire payment that appears to come from the CEO. The CFO replies to the email with questions about the payment. The trouble is that the real CEO is not going to receive those queries; the impostor will. If he or she can answer the questions without raising suspicion, the wire may be sent.
More sophisticated scammers sometimes get started by hacking into a company’s email network to study communication patterns and check calendars. Then, armed with that information, the fraudster will send emails from the actual email address of an authorized user—typically a company executive—when that user is out of the office. The scammer intercepts replies to the initial requests, perpetuating the scheme.
Email is a popular means of initiating impostor fraud, but it’s not the only means. Another approach is for the fraudster to call a company’s toll-free number and ask for the accounting department. The scammer will then make a payment request by phone, impersonating a company executive or a vendor, perhaps even sending a follow-up email to make the request look more convincing.
How to Avoid Impostor Fraud
To avoid being victimized by impostor fraud, a company needs to ensure that its employees are hyper-vigilant in abiding by corporate policies around the checks and controls of the procure-to-pay cycle. Widespread education is key. Companies must alert their staff and business partners about the myriad faces of impostor fraud.
Anyone at a company is a potential target. This includes managers, technology specialists, and trading partners. Research by Wells Fargo and law enforcement reports suggest that bogus emails tend to have some common characteristics. All employees who touch the payments process should watch for:
- requests to send payments to new accounts or new destinations, especially accounts outside the United States;
- emails coming from a public email address, such as @gmail.com, rather than from the usual company domain (e.g., @company.com);
- subtle spelling changes in an email address;
- emails in which the writing tone, style, or word choice seems out of character for the individual who supposedly sent the message;
- requests for secrecy around a payment; and
- any request to remit payment to an individual.
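As an added illustration (not from the original article or from Wells Fargo), the following Python checks an incoming payment-request email against several of the red flags listed above: a sender on a public webmail domain, a lookalike of a domain already on file (the ABCAdditives.com / ABCAddiitives.com case described earlier), a request for secrecy, a new payment destination, and payment to an individual. The domain list, keyword lists, and sample message are constructed for the example; a real deployment would load the domains from the vendor master file.

```python
import re

# Constructed for this example: domains the company already has on file for its executives and vendors.
KNOWN_DOMAINS = {"abcadditives.com"}
# Public webmail providers; the article names @gmail.com, the rest are assumed additions.
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SECRECY_WORDS = ("confidential", "do not discuss", "keep this between us", "tell no one")
NEW_DESTINATION_WORDS = ("new account", "updated bank", "change of bank", "new wire instructions")
INDIVIDUAL_PATTERN = re.compile(r"\b(my|his|her|personal) (bank )?account\b")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero value between two domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def payment_request_flags(sender: str, body: str) -> list:
    """Return the red flags found in a payment-request email (empty list means none found)."""
    flags = []
    domain = sender_domain(sender)
    if domain in PUBLIC_WEBMAIL:
        flags.append("public webmail sender")
    elif domain not in KNOWN_DOMAINS:
        # One or two characters away from a domain on file: the subtle misspelling the article warns about.
        if any(0 < edit_distance(domain, known) <= 2 for known in KNOWN_DOMAINS):
            flags.append("lookalike domain")
        else:
            flags.append("unknown domain")
    text = body.lower()
    if any(w in text for w in SECRECY_WORDS):
        flags.append("secrecy requested")
    if any(w in text for w in NEW_DESTINATION_WORDS):
        flags.append("new payment destination")
    if INDIVIDUAL_PATTERN.search(text):
        flags.append("payment to an individual")
    return flags


if __name__ == "__main__":
    # Constructed sample message modelled on the scenario in the article.
    sample = "Please wire the invoice amount to our new account today. Keep this confidential."
    print(payment_request_flags("JohnDoe@ABCAddiitives.com", sample))
```

Any non-empty result should route the request to the verification step the article describes: a call to the contact number already on file, never to a number supplied in the message.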
Employees need to verify every single payment request they receive; this is the most crucial step they can take to avoid being scammed. Requests submitted by mail, fax, or email should always be verified with a phone call. Conversely, requests that come in by phone require verification by email. Another important control is to have employees always verify payment requests using the contact information the company already has on file. Employees completing due diligence should never use the contact information that comes with the request, because it might be fraudulent.
One more way to help spot any fraudulent payment requests is to require dual custody. Having two employees verify every payment doubles a company’s chance of catching fraud before damage is done. However, for dual custody to work, wire initiators and approvers must all pay close attention to wire details. The best practice is to have both the initiator and the approver verify the authenticity of a request before the payment is initiated.
Some companies prohibit their executives from requesting payments via email, in order to guard against impostor fraud. Others have used this threat as a motivation to move to daily account reconciliation. When accounts are reconciled daily, unauthorized transactions or unusual activity can be spotted sooner.
In addition to considering changes to corporate payments policies, an organization aiming to prevent impostor fraud must empower its staff members to question every payment request. If executives and managers react with irritation when an employee questions their payment requests, they may undermine the company’s efforts to prevent impostor fraud. Instead, companies need to let employees know they are expected to probe for verification and details anytime they receive a new request for payment or for a change in account information. It’s also a good idea to let vendor partners know about the dangers of this type of scam, and that the customer company will be taking extra steps to validate requests for changes to remittance information, or any other questionable activity around invoices.
Wells Fargo has created a series of guides to support companies educating their staff and business partners about the risks of impostor fraud. Talk to your partner banks about the risks, and if you suspect your organization has been the target of an impostor fraud scheme, file a complaint online with the FBI using its Tips and Public Leads form. The good news is that when a business detects a scam quickly, its bank can expedite recovery efforts. The key is to build an expectation of vigilance at every level of the organization.
Secil Tabli Watson is an executive vice president and head of Wholesale Internet Solutions at Wells Fargo. She leads digital channels for Wholesale Banking, responsible for supporting more than 80 business applications and guiding the strategic direction of Wells Fargo’s award-winning Commercial Electronic Office (CEO) customer portal.