Protect Yourself from Holiday Email Scams
With the holiday season approaching, Kotapay is asking the businesses we serve to be on the lookout for email scams. Fraudsters often take advantage of the holiday season to gain information from social media or “out of office” messages from company employees. Once employees are away from work and enjoying time with friends and family, fraudsters use a compromised email account to send emails that direct employees to send money or gift cards, or to update payment instructions.
According to the FBI, there were $2.4 billion in losses due to these types of business email compromise frauds in 2021. And payments experts estimate that these numbers are likely underreported and undercounted due to the difficulty of recovering funds when the fraud is reported. Also, many businesses and individuals do not report this type of fraud because of embarrassment or reputational risk.
Awareness and education are the best ways to stop these fraud attempts. We hope that as businesses and employees prepare for the holiday season, they take the recommended steps below to protect themselves. If a business or its employee does become a victim of one of these scams, contact Kotapay’s Risk/Fraud team immediately for additional information.
Kotapay recommends businesses follow these steps to protect themselves from business email compromise:
• Educate and train employees to recognize, question, and independently authenticate changes in payment instructions or payment methods (e.g., ACH to wire), as well as any request that pressures them to act quickly or secretively.
• Be old-fashioned! Verbally authenticate any changes via the telephone.
• Review accounts frequently.
• Initiate payments using dual controls.
• Never provide passwords, usernames, authentication credentials or account information when contacted.
• Don’t provide nonpublic business information on social media.
• Avoid free web-based email accounts for business purposes. A company domain should always be used in business emails.
• Consider registering domains that closely resemble the company’s actual domain to make impersonation harder.
• Do not use the “reply” option when authenticating emails for payment requests. Instead, use the “forward” option and type in the correct email address or select from a known address book.