With an uptick in sophisticated phishing attempts and business email account compromise, likely tied to artificial intelligence capabilities, organizations should review controls to prevent invoice fraud and payment redirection scams. Recommendations to prevent falling victim to financial scams include:
- Annually review the organization’s insurance coverage and requirements as they relate to social engineering-caused loss and financial fraud.
- Require a second means of verification for any payment requests. (Example: if an invoice is emailed, call the company via a known valid phone number to confirm the bill.)
- Require a verification process for any staff bank account changes. (Example: in-person verification.)
- Require review from a second staff person prior to sending payments or updating payment accounts.
- Require that these verification processes be documented every time financial staff complete them.
- Provide financial staff with ongoing training on business email compromise, smishing, vishing, and on the procedures for verification of any payment or bank account change requests.
- Schedule ongoing phishing simulations with financial staff, related to business email compromise, pay, and invoice fraud.
- Use phishing-resistant multi-factor authentication for all financial staff accounts.
- Establish a process for financial staff to inform technology staff of suspicious email messages or other communications.
- Remove any publicly posted contact information for financial staff. If a public means of contact is required, handle public communications via one general address, with staff who manage this contact method trained on phishing concepts.
Reporting Financial Fraud Attempts
Report fraud attempts to the Federal Trade Commission via https://reportfraud.ftc.gov/
Contact your region’s law enforcement Fusion Center if a scam involves requests to send payment to a cryptocurrency wallet. (Missouri is served by the St. Louis Fusion Center, the Missouri Information Analysis Center, and the Kansas City Regional Fusion Center.)
