The recent failures of two boutique banks (Silicon Valley and Signature Bank) present a unique cyber risk issue that should be addressed immediately.
Cyber threat actors are stepping up social engineering attacks, using these bank failures as an opportunity to trick your finance team into paying fraudulent invoices.
As expected, there will be a huge volume of communications about banking information between you and your customers, vendors, and other payees.
Since hackers will know that many companies and organizations will send and receive requests to change payment instructions in the coming days, they will be stepping up their efforts to exploit the situation.
In fact, one of our insurers has observed a large number of new website domain registrations with names that are similar to bank login pages, which will likely be used in phishing campaigns.
DON’T BE A VICTIM!
You may think, "It will never happen to me," "I know better," or "I won’t be tricked." Unfortunately, that’s what a lot of other executives thought, and they got duped and lost a ton of money. In many cases, our clients had the right insurance to cover it but still had to pay a significant deductible out of pocket to be made whole.
What’s the solution for this cyber risk issue?
If you get a request to change banking information from a vendor, bank, customer, or other third party, you should take the following steps:
- Verify all requests for updating payment or banking information by calling a known phone number. Do not call the phone number provided in the email, as it may be answered by the hacker trying to trick you.
- If you don’t have a known phone number for the requestor, go to their website, call the main phone number listed there, and ask to be routed to the appropriate department to verify the authenticity of the change.
- Confirm receipt of a test deposit, such as $5, to the new account prior to making a permanent change.
- For an added level of security, if these steps were not conducted by the owner of the business, the information should be brought to the CEO or owner so they can re-verify the contact info prior to authorizing the switch and the payment.
Do not be rushed by third parties requesting changes. We have seen instances of hackers goading the bookkeeper into making changes in haste to satisfy some false narrative.
Someone else’s urgency is no reason to relax or avoid proper security practices in preventing any cyber risk issues.
It’s better to delay a payment than to accidentally send your funds to a hacker.
Finally, now is the time to retrain employees and give them a renewed sense of urgency and vigilance on this subject.
Hackers are extremely adept at impersonating your vendors, colleagues, and business contacts. Be aware and don’t fall into their trap.
Have other questions regarding cyber risk or cyber security?
My contact information is in the description box below and I welcome the opportunity to chat.