ACH and Wire Transfer Fraud at Epic Levels
Recently there has been a significant increase in companies making unauthorized transfers. The attackers are very, very good at tricking people – often using multiple communications in order to build trust. You absolutely must take the following steps to help protect you and your organization.
Anything involving an ACH or a wire transfer request should immediately raise a huge red flag for every single user in all organizations.
We recommend you review your policies and consider the following. Please also forward this information at your discretion to your customers, prospects, and everyone with whom you do business:
If you receive any kind of communication, asking for an ACH or wire transfer to (your organization), it is a brazen attempt by fraudsters to steal money. Ignore requests sent via invoice, email, fax, snail mail, phone call, social media, text message, overnight letters, and by any other form of communication. Even if the communication contains logos and looks official, ignore it. If the wire transfer request provides a printed or verbal phone number to phone (your organization) to get approval, do not believe that phone number. It probably goes to a call center managed by attackers. You should always verify by calling the number you have on file, or the number listed on the customer or vendor website. Do not reply to any email messages. The reply is likely to go to the fraudsters. They will continue to bluff you. Please alert everyone in your AR department, and anyone else who has authorization to make wire transfers to never transfer money to (your organization).
And, of course, if you do business using wire transfers, notify them that if they ever see a request to transfer money, they need to call, by voice, a specific person at your office each time, a person you specifically identify to them ahead of time, at a specific phone number, to confirm the accounts and all details prior to transferring any money to you.
And, the request does not necessarily indicate you’ve been hacked. But – if the fraudsters know things such as your customer names, current projects, deals that are about to close, invoices, and any other similar information, you should suspect the possibility of a breach of you or the other party. If the fraudsters know when key people are out of the office, that should raise your level of suspicion even higher. The attackers stand to gain huge financial rewards when they successfully receive money wired to them, so they are willing to invest the time to infiltrate your systems in order to gather information that will make their fraudulent attack appear to be a legitimate request.
Please forward this message to everyone you care about. For some reason, companies just don’t think this will affect them, until it does. This is becoming a national crisis.