How to avoid phishing scams when making wire payments
While wire transfer fraud once involved the unwitting transfer of money to “struggling relatives” or fake government entities, the digital age has opened a whole new battleground for cybersecurity and asset protection. Attacks like phishing, spear phishing, and whaling are now commonplace in large corporations and small businesses alike. In the context of vendor payments, phishing attacks are fraudulent attempts to steal money by disguising oneself as a trustworthy entity in electronic communication to convince a payee to send funds to a fraudulent bank account. Similarly, whaling attacks target high-ranking individuals within a company, while spear phishing targets any individual using the same methods. These scams are on the rise, particularly following the onset of COVID-19, as more people work remotely and communicate via email.
Wire transfers are often the most susceptible to fraud because they are the hardest to reverse. Unlike ACH payments or credit card payments, which have a dispute and reversal process, wire payments can almost never be reversed. This is especially true in the case of fraud. Wire reversals, rare as they are, require cooperation from both the sending and receiving banks. But perpetrators of wire fraud typically remove the money immediately after transfer, leaving the victim with no recourse.
Scammers are becoming increasingly sophisticated at impersonating vendors — many of which are legitimate vendors used by the victims. Business email compromise (BEC) is on the rise, and phishing emails are becoming more prevalent and harder to combat. Cybercriminals will create fake email addresses that look nearly identical to those of the legitimate vendor, or sometimes even hack vendor email accounts to change payment instructions. They often use elaborate schemes that incorporate phone-based manipulation and alteration of invoices to trick unsuspecting payees.
Below are a few best practices to follow to avoid phishing and wire transfer scams:
Best Practice #1 - Recognize when you’re being phished via email
Often scammers will appear to be a known contact (business partner, vendor, coworker, or even family member) in order to retrieve sensitive information from you. They'll do this by spoofing the email account of a trusted partner. Spoofed emails may include the following aspects, which should direct you to be more conscious of phishing:
- Requesting a payment transfer — especially with a fake invoice
- Asking you to click on a website link
- Asking for sensitive or personal information (e.g. SSN, DOB, personal address)
- Asking for account information
- Saying they’ve noticed suspicious activity on your account and requesting that you verify information
Triple-check sender email addresses, especially when you notice red flags in the body. Oftentimes phishers will alter an email address by one minor character — like replacing an ‘I’ or an ‘l’ with a ‘1’ — so the recipient assumes at first glance that the message is from a trusted address. If you’re not sure whether the email is legitimate, ask. Reach out directly to the vendor via private message or a phone call to confirm that they sent the correspondence and made the request it contains.
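The single-character swaps described above can also be checked mechanically before an invoice reaches the payment queue. The following is an added example, not part of the original article: it compares a sender's domain against vendor domains already on file, and the domain names, the substitution table and the edit-distance threshold are all assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Vendor domains already on file (constructed sample values).
TRUSTED_DOMAINS = ("initech-supplies.example", "northwind-freight.example")

# Characters commonly swapped for one another, folded to one canonical form.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})


def skeleton(domain):
    """Fold look-alike characters so visually similar domains compare equal."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Classify a From header as 'trusted', 'lookalike' or 'unknown'."""
    address = parseaddr(from_header)[1]
    domain = address.rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted", domain
    for good in trusted:
        # Same skeleton: only confusable characters differ (e.g. 'l' -> '1').
        # Small edit distance: a dropped, added or swapped character.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= max_edits:
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    for sender in ("Accounts <ar@initech-supplies.example>",
                   "Accounts <ar@initech-suppl1es.example>",
                   "ar@northwlnd-freight.example"):
        print(sender, "->", check_sender(sender))
```

A "trusted" result only means the domain matches the one on file; it says nothing about whether the vendor's mailbox itself has been taken over, so the phone confirmation still applies.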
Best Practice #2 - Minimize wire payments
Wire payments are typically used only when money needs to be sent immediately, and very infrequently for vendor payments. Brex data shows that domestic wire payments represent only 14% of total payments sent, and only 24% of total dollars sent. Therefore, if a supplier makes a wire transfer request, the best practice is to ask to pay via ACH or credit card, as those methods offer you more protection against fraud scams. Only large financial transactions (such as loans and investments) are typically paid via wire. Otherwise, there is little reason to use wires for vendor payments.
Best Practice #3 - Confirm wire payments over the phone
Given the irreversibility of wires and the frequency with which fraudsters target this payment method, it is best practice to confirm wire instructions over the phone with a vendor. Specifically, this means calling the accounts receivable contact at the vendor and reviewing the wire instructions with them (routing number and account number) before sending the payment. Vendor phone numbers are typically available online, and it’s best to take the number from the vendor’s website rather than from the signature line of an email, as emails and their signatures are easily hacked and altered. Sending your vendor contact a new email asking for a phone number is a good alternative to replying to an email, to make sure you are not accidentally corresponding with a scammer. (Of course, this will not help if the vendor’s email account itself has been hacked, but it is still preferable, as there are many types of scams.) If you have a previous relationship with the vendor, you should have all of the appropriate contact information to reach out to them directly.
Best Practice #4 - Be highly suspicious of a change in wiring instructions
It is very uncommon for a company to change bank accounts for vendor payments. While it does happen from time to time, be on heightened alert when you are informed of a change, as this is the most obvious sign of a potential scam. In the event that you are informed of modified wire instructions, carefully inspect the email and invoice for evidence of any tampering, suspicious language, or alterations. Scammers often use language that slightly differs from the communication style of the person they’re impersonating, and they might also doctor invoices or wire instructions in a way that is noticeable to the discerning eye. If wire instructions have changed, immediately call the vendor to confirm the change before releasing a wire.
Best Practice #5 - Be wary of foreign banks
Unless your vendor is foreign, it is highly unusual for vendors to use a foreign bank to collect payments for domestic services. Phishers and scammers often use foreign banks in their fraud schemes because doing so makes it even harder for victims to recover their funds. As a best practice, when you notice a foreign bank as part of a vendor payment, confirm the bank information for the service provided.
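Best practices #3 through #5 can be backed by an automated hold that compares the bank details on an invoice with the vendor record on file and lists the reasons a phone callback is needed before release. This is an added example, not part of the original article; the vendor ID, account values and record layout are constructed, and it assumes US routing numbers and SWIFT/BIC codes as the inputs.

```python
# Vendor master record captured at onboarding (constructed sample values).
VENDOR_MASTER = {
    "V-1001": {"routing": "123456780", "account": "000123456789", "country": "US"},
}


def aba_checksum_ok(routing):
    """US routing numbers are 9 digits whose 3-7-1 weighted sum is divisible by 10."""
    if len(routing) != 9 or not (routing.isascii() and routing.isdigit()):
        return False
    return sum(int(d) * w for d, w in zip(routing, (3, 7, 1) * 3)) % 10 == 0


def bic_country(bic):
    """Country code is characters 5-6 of an 8- or 11-character SWIFT/BIC code."""
    bic = bic.strip().upper()
    if len(bic) not in (8, 11) or not bic[:6].isalpha():
        return None
    return bic[4:6]


def review_wire(vendor_id, routing=None, account=None, bic=None):
    """Return reasons to hold the wire for a phone callback; [] means it matches the record."""
    record = VENDOR_MASTER.get(vendor_id)
    if record is None:
        return ["vendor not on file"]
    reasons = []
    if routing is not None:
        if not aba_checksum_ok(routing):
            reasons.append("routing number fails ABA checksum")
        elif routing != record["routing"]:
            reasons.append("routing number differs from record")
    if account is not None and account != record["account"]:
        reasons.append("account number differs from record")
    if bic is not None:
        country = bic_country(bic)
        if country is None:
            reasons.append("malformed BIC")
        elif country != record["country"]:
            reasons.append(f"bank country {country} differs from vendor country {record['country']}")
    return reasons
```

An empty list means the details match what was recorded at onboarding; any entry should route the payment to the phone confirmation step rather than block or approve it automatically.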
In today’s digital world, it is more important than ever to protect yourself, your company, and your assets from individuals who are actively looking to take advantage of complacent users. Be on high alert, especially when dealing with funds, and don’t hesitate to double- and triple-check with your vendor when you see something suspicious. Fraudulent wire transfers can devastate a company or tie it up in legal battles. With the evolving landscape and its many unknowns, it’s better to be over-alert than under-prepared when it comes to fraud prevention. The success of your company could depend on your vigilance.