On October 13, 2016, an employee at Color-Ific, LLC received an email from his CEO (who was away on business), with a vendor invoice attached. The message asked that the employee proceed with getting the invoice paid. Per the company’s usual process, that employee scheduled a wire transfer in the amount of $38,740 to pay the bill.
Later that day, when he spoke with the CEO on the phone, he let his boss know that the request had been handled. The only problem: The CEO hadn’t actually sent the email, and there was no legitimate invoice to be paid at the time.
Color-Ific immediately contacted its Fifth Third Bank Relationship Manager, who reported the incident to the bank’s Fraud in Progress team. The case quickly progressed to our Investigations team, which went on to issue a recall on the funds. Thankfully, a full recovery was made on the very same day.
What really happened?
Color-Ific’s emails had been mimicked: the thieves re-created the design and format of the company’s messages, then set up an external, spoofed email account in the CEO’s name, but with a minor misspelling. Because the company routinely handled payment processing through emails between staff, the employee proceeded with payment and never noticed the difference.
NOTE: The type of fraud experienced by Color-Ific frequently occurs when CEOs or other managers are traveling. Fraud perpetrators can learn about travel schedules from social media and business networking posts, PR efforts, and more.
Fact: According to Security Week, the most compromised email is the CEO’s (31%) and the most popular recipient of the compromised email is the CFO (40%).
Lessons Learned: Minimizing Risk
Many businesses of all sizes fall prey to email hackers every day. And many corporate fraud cases are the result of fraudulent emails being sent between employees of the same company.
To reduce your risk, consider this:
Keep a close eye on emails. Are the names of both the vendor company and its representative spelled correctly? Is there any variation as compared to their usual messages? If so, give them a quick call.
Determine a payment threshold — an amount that you can afford to lose, if it turns out a payment request is fraudulent — and communicate that threshold to employees in the payables department. Any time a payment request comes from anyone with an amount that is higher than your pre-determined threshold, employees should verify the request by phone or an in-person conversation before submitting payment.
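One way to automate the two checks above (a sender name or domain that only nearly matches a known executive or the company domain, and a payment threshold that forces out-of-band verification). This is an added example, not code from the case study or from Fifth Third Bank; the executive names, the company domain and the threshold are constructed.

```python
import re
from email.utils import parseaddr

# Constructed directory: hypothetical executives and company domain (not from the case study).
INTERNAL_DOMAIN = "color-ific.example"
EXECUTIVES = {
    "Alex Rivera": "alex.rivera@color-ific.example",  # CEO
    "Jordan Lee": "jordan.lee@color-ific.example",    # CFO
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance catches one-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalize(s: str) -> str:
    # Compare names by letters only, so "A. Rivera" and "a rivera" line up.
    return re.sub(r"[^a-z]", "", s.lower())


def check_payment_request(from_header: str, amount: float, threshold: float) -> list:
    """Return the reasons a payment-request email should be verified by phone or in person."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    if domain != INTERNAL_DOMAIN:
        reasons.append(f"sender domain {domain!r} is external")
        if 0 < edit_distance(domain, INTERNAL_DOMAIN) <= 2:
            reasons.append("sender domain is a lookalike of the company domain")
    for name, real_addr in EXECUTIVES.items():
        # Display name matches (or nearly matches) an executive, but not from that executive's mailbox.
        if edit_distance(_normalize(display), _normalize(name)) <= 2 and addr.lower() != real_addr:
            reasons.append(f"display name resembles executive {name!r} but address is {addr!r}")
    if amount > threshold:
        reasons.append(f"amount {amount:,.2f} exceeds verification threshold {threshold:,.2f}")
    return reasons
```

An empty list means the request passed both checks; any non-empty result should stop the payment until the requester is reached through a known phone number.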
“In these kinds of cases, timing is everything,” says Brendan Smith, Manager, Commercial Fraud Risk at Fifth Third Bank. “About half of them involve some amount of loss for our customer — though we often recover at least a portion of their funds. The quicker the fraud is caught, the better our chances of recovery.”
*This is an actual case study from a Fifth Third Bank client. The company’s name was changed to protect privacy.