Increased access to electronic means of communication has improved the ability of business providers and their clients to exchange information quickly and efficiently around the globe. Unfortunately, however, this increased universal access has also increased the ability of cybercriminals to intercept important information in ways that were never before possible.
It is a largely unknown fact that email is an insecure form of communication. Even if you secure the way you access your email, the email itself is transmitted through the internet at the backend unencrypted, or in “plaintext”, which means that it can be read and/or modified almost at will by any skilled cybercriminal. As such, sending bank account numbers via email and relying on account numbers received via email to make payments is an inherently risky practice.
In recent times, insurance providers have seen a rise in claims from companies relating to the hacking of email accounts, where the end result has been funds being paid out to the wrong account because email chains were intercepted by cybercriminals.
The common features amongst claims being received are that:
- They involve transmission of funds; and
- Communications relating to bank account details have been made by email only.
A common form of attack involves the use of malware (malicious software) with the ability to screen an individual’s or company’s email account for certain words such as “funds” or “money transfer”. Once such activity is found, the cybercriminal then hijacks the account and impersonates the account holder, or modifies previously disclosed bank account details.
At Harkness Henry, we will only ever make payment to a client’s account where that client has provided us with either:
- An encoded deposit slip;
- A letter from their bank confirming the name and account number;
- A copy of a bank statement; or
- A screenshot showing the bank name, account name, and account number.
If you are engaged in business yourself, we suggest you adopt the following policies:
- Never transmit your own bank account number to other people via plaintext email (unless in the form of a PDF attachment);
- Advise clients that you will never provide your account details in plaintext email, and will never ask that funds be diverted to another account prior to settlement due to auditing or other reasons;
- Always verify instructions to transmit funds by making verbal contact with the client.
It is near impossible to safeguard entirely against internet fraudsters, and such is the reality of living in a digital age where we are increasingly reliant on electronic communications. However, by employing the above policies and always taking a precautionary approach to email communications, you can mitigate the risk of becoming the victim of fraudulent activity.
Published: 19 July 2016