Impersonations That Are Bad for Business

How to protect your money from imposters

The following article appeared in the February 29, 2024, edition of the Canton Citizen newspaper, under the headline, “Impersonations That Are Bad for Business,” by Senior Vice President of Operations & Technology Charles Gaffney.

Celebrity impersonations can be great. Who didn’t enjoy the Christopher Walken Super Bowl ad, watching all the people he met doing their best Christopher Walken impersonation?

But today, for this Financial Fitness edition, we’re focusing on other types of impersonations that can be very costly and damaging for businesses: supplier impersonations and bank impersonations.

As the name implies, supplier impersonation scams occur when a business believes it’s interacting with a known supplier or vendor but is actually dealing with an imposter. The imposter might be trying to fool you into transferring money to them, or into revealing information about your company’s systems or personnel in order to perpetrate a larger fraud.

This scam can unfold in several ways. Criminals can spoof a name and number on your phone’s Caller ID display, or alter the “display name” on an email to you. If you’re quickly scrolling through texts and emails on your phone, you might not notice that the sender’s information is slightly off.

What’s more challenging is when criminals compromise one of your suppliers’ systems. This can lead to a “man-in-the-middle” fraud, where communications between you and your supplier are intercepted, read, and possibly changed by the criminal before they reach the intended recipient.

Test yourself – try to spot the fraud tip-off in the example below:

You receive an email with an invoice for $60,000. The email is from a known and trusted supplier that just provided $60,000 worth of services. Moments later, a second email from the same sender and address arrives, stating that they accidentally provided their old remittance instructions; they recently updated their Accounts Receivable form and request that you use their new attached form instead, which lists a different bank and account number. They apologize for the mix-up and sign off like they normally do.

The supplier is legitimate; the invoice amount is legitimate; the sender’s name and email address are legitimate.

That’s the problem – there is no clear tip-off. Under these circumstances, it’s easy to see how a business could send a wire transfer or ACH payment to the criminal’s bank account. Everything looks legitimate, and the pretense of having accidentally attached the wrong form is perfectly plausible.

Only procedural controls can prevent a man-in-the-middle fraud like this. For example, always telephone your business partners for verification when they send changes to their remittance information.

Bank impersonation scams also pose a serious threat. Last month, we notified our business customers about a recent scam targeting Paycheck Protection Program (PPP) loan borrowers. Although no Bank of Canton customers have reported being impacted, we learned from a cybersecurity watchdog group that scammers were referencing government-published PPP loan information and contacting the listed businesses, posing as their PPP lender (and presumed primary bank). A typical scenario:

You’re contacted unexpectedly by your bank, and informed there’s an urgent problem with your account (e.g., a wire transfer, payment or payroll problem). To fix the problem, they ask you for your online banking User ID, perhaps adding that it’s “just a security precaution” or “just to verify your identity.” Then they send you a security code. When it arrives, they ask you to tell them the code. (In reality, the scammer has initiated the “Forgot Password?” process for your online banking User ID, and the code they’re asking for is the password reset verification code that gets sent to your phone.) Armed with your User ID and verification code, the criminal resets your password and locks you out of online banking. They now have complete access to your accounts. You might be told that you won’t be able to access online banking “while they are fixing the problem,” but they are just buying time while transferring money out of your account.

Businesses can protect themselves from these scams and others by following these guidelines:

  • Never share account information, login credentials, or validation code texts with anyone. Banks will never ask for these.
  • Adopt accounting practices that require verbal confirmation for any changes to suppliers’ payment remittance information, including a trusted phone number and authentication questions.
  • Never allow remote access to your computer or mobile device to anyone who contacts you unexpectedly.
  • If you’re the slightest bit uncertain about the authenticity of someone you’re communicating with, or feel pressured to act immediately, stop the communication and contact the organization using a publicly available phone number. Do not use the contact information the other person gives you.

Additionally, your bank may offer fraud mitigation tools like positive pay that allow you to authenticate your checks before they’re paid and establish rules for ACH payments. In 2023 alone, positive pay helped Bank of Canton customers prevent more than $750,000 in attempted fraud.

Similarly, many banks also offer multifactor authentication (MFA) tools, which can detect abnormal login activity and require users to validate their identity by entering a one-time passcode before accessing accounts online. Ask your banker what security features might be available to you.

With thorough verification processes and a guarded approach to information sharing, you can protect your business from many forms of fraud.
