A university just paid $12m to a fraudster. Prevention would have been easy.
This week THE STAR EDMONTON ran a story on a Canadian University that shelled out $12,000,000 to a con artist. It’s not a surprising story to anyone in the IT industry: we see these (attempted) cons all the time. In this case, the con artist spoofed an email address and sent an email to the University’s accounting department asking them to pay for a project to a different bank account than usual.
The most common way we see this is when a con artist contacts an office or financial manager and shows a “FROM” address as a CEO or other high level exec, such as firstname.lastname@example.org, but then direct replies to another account, such as email@example.com. A more complicated version of this is to register a similair domain and send out emails from it. For instance, firstname.lastname@example.org, email@example.com firstname.lastname@example.org, email@example.com.
The second version can be wildly successful because your brain automatically corrects small spelling errors as it reads. The oddities never even rise to a conscious level.
So how do you guard against it?
There are three steps we recommend to everyone:
- Raise awareness. Make your employees know that this fraud happens every day.
- Test staff. Send out faked fraud emails and which are your employees are vulnerable (we think this is so important we include it in our managed services offering)
- Pick up the phone. Whenever you’re dealing with a change in accountants, or request for money, pick up the phone and call the person who requested it. (Use the number you have on file, NOT the one in their email signature!) That’s one of the easiest ways to catch scams.
Finally, do not think that this can’t happen to you. $12,000,000 made the news because it’s a lot of money. These scammers tailor the amount to the organization: we routinely see churches targeted for $5,000.