
Boyce Pty Ltd (AFSL 544077) ABN: 45 660 258 524


Compromising emails


9 June 2016

What do you think it would take for someone to scam your business out of a significant amount of money? Hint: It doesn’t need to be a Mission Impossible-esque overly elaborate trap – it could be as simple as a well-timed email.

Acuity published a great article this month on an alarming new threat - go on, have a quick read here

The threat is called a BEC (‘Business Email Compromise’). The attacker studies your business and then crafts an email to a person who is able to transact on behalf of the business. The email appears to come from a trusted source (solicitor, accountant, CEO, CFO) and asks the person to transfer a reasonable, but not overtly suspicious, amount of money in a short space of time or for an urgent reason.

Best case: your employee smells a rat, picks up the phone to the sender and asks for confirmation. The sender has no knowledge of the email and no money is then transferred.

Worst case: your employee is feeling under the weather, had four hours of sleep, has a cranky two year old and has a performance review coming up. They read the email first thing in the morning and, wanting to make sure they’re on top of things, action the email and transfer the money straight away.

Protecting your business from this sort of a threat relies largely on internal controls and employees being aware.

Here are some things to think about in your business:

Internal controls:

  • Always verify a change of email address, bank account or customer details verbally with one or more people.
  • Ensure you have a defined list of who can authorise transfers or payments of monies, to what amount, in what circumstances and with what source document proof.
  • Ensure that you have separation of duties between people that can create payments and those that can action the payment (relying on an audit trail of documents).

Employee awareness:

  • Make employees aware that this type of threat is out there (both at work and at home).
  • Always check the email address - look for misspellings or additional domains tacked on like commbank.l.com.au.
  • Be aware of ‘rush jobs’ or deadlines that seem unusual.
  • Have a policy in place so that if an email looks suspicious, it's not opened, and the business/person it claims to come from is asked to confirm verbally that they really did send that email.
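
The address check in the list above can also be automated. The sketch below is an added example, not part of the original article: it compares a sender's domain with a list of domains the business really deals with and flags misspellings and extra labels such as commbank.l.com.au. The trusted list, the typo threshold, the function names and the sample senders are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list (assumption): domains this business really deals with.
TRUSTED = {"commbank.com.au", "accountants.example"}
MAX_TYPOS = 2  # assumed threshold for "looks like a misspelling"


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def has_labels_in_order(good_labels, labels):
    """True if every label of the trusted domain appears, in order, in labels."""
    remaining = iter(labels)
    return all(label in remaining for label in good_labels)


def check_sender(from_header, trusted=TRUSTED):
    """Classify the From: address as trusted, lookalike, unknown or invalid."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("invalid", None)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    for good in sorted(trusted):
        # Exact match or a genuine subdomain of a trusted domain.
        if domain == good or domain.endswith("." + good):
            return ("trusted", good)
    for good in sorted(trusted):
        # Extra labels tacked on or wedged in, e.g. commbank.l.com.au
        if has_labels_in_order(good.split("."), domain.split(".")):
            return ("extra-label", good)
        if edit_distance(domain, good) <= MAX_TYPOS:
            return ("misspelling", good)
    return ("unknown", None)


if __name__ == "__main__":
    for sender in ("Accounts <accounts@commbank.com.au>",  # constructed samples
                   "CEO <ceo@commbank.l.com.au>",
                   "Payments <pay@commbamk.com.au>"):
        print(sender, "->", check_sender(sender))
```

An "unknown" result only means the domain resembles nothing on the list, so the verbal confirmation steps above still apply to any payment request.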

IT:

  • Make sure you have inbound email scanning; this helps to remove the more obvious viruses, malware and phishing attacks.
  • Ensure each machine has real time protection to stop a threat if it’s unleashed.
  • Keep your computers up to date; for both operating system and software. This helps to reduce the window where your computer is vulnerable to threats.

At the end of the day, the best protection your business can have is to have alert and informed employees who aren’t afraid to question something when it doesn’t add up.

For more information on this topic, please call Liam Smith, Business Systems Specialist at Boyce Dubbo on 02 6885 6499.
