Suppose you were leading a $20 million integrated marketing communications firm like me and your senior financial executive received the following e-mail:
“Elysa, let me know if you can process a same-day domestic bank transfer to a client. Please code it to professional services and confirm so I can send a note with details to the client. Thx. Steve.”
The e-mail address would be mine and, seemingly, it would appear to be just another routine request, right? Wrong.
What you just read is the latest CEO scam to plague large and small companies alike. According to a Financial Times article, some schemes have been as large as $90 million, with the average loss registering a sobering $120,000. I can’t speak for you, but an unexpected hit of that proportion would have a decidedly negative impact on my firm’s cash flow.
An FBI spokesperson said, “The ones you don’t hear about are the smaller corporations that (unwittingly) send $50,000. They’re saying, ‘I’m not going to make payroll, we’re going to close our doors as a result of the fraud.’”
And, here’s the kicker: Fraudulent e-mails from this new breed of cyber crook rarely set off spam traps because the bad guys take the time to understand the target organization’s relationships, activities, interests, and travel/purchasing plans. Ouch! Shades of Vladimir Putin.
So, what’s an unsuspecting entrepreneur’s CFO to do? Seeking answers, I asked Peppercomm client Tom Geisel, EVP and President, Specialty Finance at Sterling, whose responsibilities include Treasury Management.
Here are his tips:
- Anticipate the normal behaviors of your executives. When your senior financial manager receives a payment request such as the one I described above, she should determine if the request follows your executives’ normal pattern of dealing with financial information.
- Confirm with leadership through a channel different from the one the request arrived on. When your CFO receives a request from “you” or another senior executive that seems unusual, he should confirm with the sender in a way that’s different from how the original request came in (e.g. make a phone call, use a different internal messaging system, or just walk over for a face-to-face chat). Most senior financial officers should have a way to reach the executive team directly. If yours doesn’t, implement one ASAP.
- Watch out for emails that have an attachment or links from new contacts. It seems obvious, but the cyber criminal’s attachment or link is commonly a gateway for attackers to get into your systems. Do NOT open it.
- Change the mindset: Anyone with a public profile should expect cyberattacks. Anyone with information in the public domain can be the subject of attacks, regardless of their use of social networks or privacy settings. Small businesses are no exception. Cyber crooks can simply go to your website, check out your CFO’s biography and figure it out from there.
- Set up regular training. Small to midsized companies should conduct regular cyber protocol training with any staff directly, or indirectly, responsible for accounts payable or receivables.
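As an added illustration of the first three tips (this is not code from the post, Peppercomm or Sterling), the following Python triages an incoming message the way a finance desk could before anyone acts on it: it flags payment language and urgency, compares the sender against an assumed per-executive baseline of how they normally initiate payments, and flags links or attachments from unknown contacts. The headers, addresses, baseline and contact list are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the note quoted in the post, wrapped in assumed headers.
SAMPLE = """From: Steve <steve@example.com>
To: Elysa <elysa@example.com>
Subject: quick favor

Elysa, let me know if you can process a same-day domestic bank transfer to a client.
Please code it to professional services and confirm so I can send a note with details
to the client. Thx. Steve.
"""

PAYMENT_WORDS = re.compile(r"\b(bank transfer|wire|ach|payment|invoice)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(same-day|today|asap|urgent|immediately)\b", re.I)
LINK_RE = re.compile(r"https?://", re.I)

# Hypothetical baseline (tip 1): the CEO never requests transfers by e-mail, so one is out of pattern.
BASELINE = {"steve@example.com": {"payments_by_email": False, "verify_via": "desk phone"}}
KNOWN_CONTACTS = {"steve@example.com", "elysa@example.com"}

def triage(raw, baseline=BASELINE, known=KNOWN_CONTACTS):
    """Score one message against the tips and return the signals plus a recommended action."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if msg.is_multipart():
        parts = list(msg.walk())
        body = "".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")
        has_attachment = any(p.get_filename() for p in parts)
    else:
        body, has_attachment = msg.get_payload(), False
    text = f"{msg.get('Subject', '')}\n{body}"
    profile = baseline.get(sender)
    signals = {
        "payment_request": bool(PAYMENT_WORDS.search(text)),
        "urgent": bool(URGENCY_WORDS.search(text)),
        # Tip 3: a link or attachment from a contact the desk has never dealt with.
        "new_contact_with_link_or_attachment": sender not in known
        and (has_attachment or bool(LINK_RE.search(text))),
    }
    signals["out_of_pattern"] = bool(profile) and signals["payment_request"] and not profile["payments_by_email"]
    if signals["new_contact_with_link_or_attachment"]:
        action = "do_not_open"
    elif signals["payment_request"] and (signals["out_of_pattern"] or signals["urgent"] or profile is None):
        # Tip 2: confirm through a channel other than the one the request arrived on.
        action = "hold: confirm via " + (profile["verify_via"] if profile else "a known phone number")
    else:
        action = "normal_processing"
    return {**signals, "action": action}
```

The sample request trips the payment, urgency and out-of-pattern signals together, so the action is to hold it until the CEO confirms by phone.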
So how have we dodged the bullet? It’s easy. We’re a humor-driven organization in which we train every single one of our employees in stand-up comedy. In addition to enhancing presentation skills and improving the overall culture, our e-mails are almost always upbeat, friendly and personalized. I routinely insert some sort of joke in my notes to our financial executives. If they spot one that doesn’t include a sophomoric reference, they automatically know it can’t possibly be authentic. 🙂