We hear this kind of story from wholesalers like you over and over again.
Attackers breach your company email and then just sit tight, sometimes for months, while you have no idea they are watching. They learn your business practices, read your vendors' and factories' correspondence, and work out your employees' internal roles and your payment processes. Then one day they hit you up for an average-sized factory payment for your company, an amount that won't raise eyebrows. In a flash you are out a hundred, two hundred thousand dollars or much more, and recovering it won't be easy.
How These Poser Attacks Work
- Using phishing techniques, hackers breach your company email accounts.
- They observe your company email for a while.
- Eventually they pose as you (the wholesale exec), one of your employees, or one of your vendors. They send from an address that looks almost like the real one, with a small, easily overlooked difference (a swapped letter, a different top-level domain, a hyphen), so that replies go to the attacker rather than the real person.
- They request a wire transfer to a new account, using a forged version of a real vendor invoice.
- Or they send a payment request "from" the exec to an employee, complete with all the normal backup documentation and internal approvals.
How to defend against these attacks
Process protections are paramount because you may not know your tech has been compromised until the money is already gone.
- Process protections
- When a new vendor is being set up for payment, approve wire instructions by phone or over a secondary, non-email secure messaging service, using contact details you already have on file, not ones supplied in the email.
- If a vendor asks you to pay a new or different account, confirm the change by phone or a non-email secure messaging service, again using a number or contact you already had before the request arrived.
- Internally, use "forward" instead of "reply" whenever approving a payment. Replying sends your answer wherever the attacker's lookalike or Reply-To address points; forwarding forces you to type or pick the correct address yourself.
- Ask your financial institution about its international wire security practices.
- Set up "no exceptions, no shortcuts, fail-safe" processes around payments so that employees don't surrender to real-time pressure to cut corners.
- Tech protections
- Review your protocols and security with your IT professionals to defend against BEC hacking.
- Increase email security and use multi-factor authentication wherever practical, since a stolen password alone is how most of these breaches start.
- Use an email service that alerts you when a message is being sent outside your company, or when the sender's address doesn't match the Reply-To address.
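The two header checks above (Reply-To not matching the sender, and a domain that is a near-copy of one you trust) are simple enough to run yourself. The script below is an added example, not code from Wholesale Executive Insider or from any email product; the domains, names and sample messages are made up for illustration. It assumes you maintain a short list of your own domain and the vendor domains you actually pay, and it flags a message when the Reply-To domain differs from the From domain, or when either domain is within two character edits of a trusted domain without being that domain.

```python
"""Flag the header patterns used in BEC impersonation:
 - a Reply-To domain that does not match the From domain
 - a From or Reply-To domain that is a lookalike of a trusted domain
Added example; all domains and messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed: your own domain plus the vendor domains you actually pay (hypothetical).
COMPANY_DOMAIN = "wholesaleco.com"
TRUSTED_DOMAINS = {COMPANY_DOMAIN, "acme-factory.com"}


def domain_of(header_value):
    """Return the lowercase domain from an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Return the trusted domain that `domain` imitates, or None.
    An exact trusted domain is not a lookalike; neither is an empty domain."""
    if not domain or domain in trusted:
        return None
    nearest = min(trusted, key=lambda t: edit_distance(domain, t))
    return nearest if edit_distance(domain, nearest) <= max_edits else None


def analyze(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a sorted list of findings for one message; [] means nothing suspicious."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = set()
    # A Reply-To pointing at a different domain is the classic way replies are hijacked.
    if reply_dom and reply_dom != from_dom:
        findings.add("reply-to-domain-mismatch")
    for label, dom in (("from", from_dom), ("reply-to", reply_dom)):
        target = lookalike_of(dom, trusted)
        if target:
            findings.add(f"{label}-lookalike-of:{target}")
    return sorted(findings)


# Constructed sample messages (headers only; not real mail).
SAMPLES = {
    # Vendor's real domain in From, lookalike in Reply-To: replies with payment
    # details go to the attacker, the real vendor never sees them.
    "forged_invoice": (
        "From: AP Team <accounts@acme-factory.com>\n"
        "Reply-To: AP Team <accounts@acme-factory.co>\n"
        "Subject: Updated bank details\n\n"
        "Please remit to our new account."
    ),
    # Exec impersonation from a one-letter-off copy of the company's own domain.
    "fake_exec": (
        "From: Dana Lee <dana@wholsaleco.com>\n"
        "Subject: Urgent wire today\n\n"
        "Approve the attached."
    ),
    # Legitimate vendor mail: trusted domain, no Reply-To.
    "legit": (
        "From: AP Team <accounts@acme-factory.com>\n"
        "Subject: Invoice attached\n\n"
        "See attached."
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {analyze(raw) or 'clean'}")
```

Run it and the forged invoice is flagged twice (mismatched Reply-To and a lookalike of acme-factory.com), the fake exec message is flagged once for imitating your own domain, and the genuine vendor mail passes clean. Keep the trusted list small and current, since a lookalike check is only as good as the domains it compares against, and treat a hit as a reason to pick up the phone, not as proof of fraud on its own.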
Be careful. This is happening successfully to many in the industry.
There are other ramifications of these BEC scams that can affect many other areas of your business. Here are some other links with more information on how these scams work and how to protect yourself.
Wholesale Executive Insider is a publication dedicated to helping owners of wholesale companies stay up-to-date with the latest industry insights to improve their operations and increase their bottom line.
Our team has in-depth industry knowledge and a network of solution providers that help wholesalers run their businesses more efficiently to maximize profits. If you’d like to get free advice and recommendations on avoiding chargebacks and more, feel free to book a time to speak 1-on-1 with one of our knowledgeable industry advisors today!