Over 100,000 social engineering attacks are launched every day on businesses of all sizes, according to a large national insurance company.
An accounts payable employee receives an email that appears to be from a vendor requesting that payment be made to a different account due to an ongoing audit. The payment is made to the new account number. It is not until the company receives a past-due notice and calls the vendor that it learns the vendor’s email account had been hacked. The email sent with the new payment instructions was fraudulent!
HOW DOES THIS HAPPEN?
This surprisingly successful tactic works every day on unsuspecting employees. They can receive an "URGENT!" message appearing to be from another employee or legitimate vendor, which contains a variety of requests and information. In many cases, the fraudster has infiltrated an email conversation to obtain an employee’s or vendor’s signature block to make the message appear even more legitimate.
HOW DO YOU PREVENT THIS FROM HAPPENING?
A well-managed business should continually provide employee training, implement partner background screenings and create financial checks and balances. Fraudsters can gain the confidence of an employee by posing as a fellow employee (usually a CEO or CFO), a vendor, or business associate, and instruct the employee to divert money. The deception often goes unnoticed until the business is notified by the real recipient that payment has not been received. Encourage your employees not to rely on email alone. The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone.