14 Oct Supplier changed their bank details? Call them!
Has a vendor advised you that their bank account details have changed? It may well be a hacker behind the email.
One of the most common ways in which hackers are extorting businesses is by posing as a vendor advising you that their bank account details have changed. If you follow their instructions, you might be depositing money right into the hackers’ bank account.
This article highlights how hackers are doing this, so be aware of any bank account changes. We recommend that you do not accept instructions by email and instead call the supplier to confirm the change. You may also want to question it if you receive a phone call from the supplier, given that anyone can call you claiming to be from that organisation.
HOW DO THEY DO IT?
If a hacker gains access to the email address of one of your suppliers, they can email you about changes to the supplier’s bank account, showing the hacker’s own bank details. They will then intercept any replies from you before the owner of that account realises, so as not to raise the alarm. They may also reply to you, thanking you for the confirmation.
This is a very simple but highly effective way of deceiving people.
So, what do you do when you get such instructions? The simple answer is to call them. Call your supplier and ask their accounts department to confirm if the bank account has in fact changed. If you receive a call about the bank account changes, call them back on their advertised number and ask for accounts to confirm this information.
The term you may hear for this psychological manipulation of people into performing actions or divulging confidential information is ‘social engineering’.
This scenario can also play out internally within your own organisation. Your business email address is a highly attractive target for online hackers, especially if you are someone who approves purchases.
If someone in your organisation approves payment of invoices and their email account is hacked, the hacker will send you invoices, approving them for payment. The invoice will of course include the hacker’s bank account details.
This situation is harder to control, given it is not practical to call the approver every time they send you an invoice. Instead, you need to be diligent about what is being approved. Is it a new supplier whose invoice is being approved? Is it a regular supplier but perhaps the bank account details have changed? Is it an unusual item of purchase? Again, make a phone call to confirm rather than send an email.
Of course, the best defence is that your organisation adopts Multi-factor Authentication so hackers can’t access your email account in the first place.
Small Businesses Beware
There is often a misconception that hackers don’t target small businesses. This can be dangerous and land you in a lot of trouble. You need to be aware that hackers will use numerous ways to access individual email accounts. They spread their attempts across the internet through various methods of communication, including email, so the hackers’ tools won’t discriminate based on the size of the organisation. They will take any email account they can gain access to, including personal accounts.
They often spend their days monitoring email communication between people, looking out for someone who approves invoices. It might also be someone using their personal email account, asking their spouse to take care of a bill while they are travelling. They can get to anyone: person or organisation, large or small.
For management, be sure to communicate this information with your staff.