“Dear CFO, I need you to wire $40k to my XYZ bank account. See wiring instructions below. Sincerely, [Business Owner].”
While this may look like an obvious scam, imagine you’re the CFO and you receive this email, complete with the correct email address and signature of your boss (the business owner or CEO). Would you think to question it?
Fortunately for this company, the CFO got side-tracked, walked by the business owner’s office, realized he hadn’t sent the wire transfer yet, and apologized for the delay. Had the CFO immediately sent it, the company would have been out $40k to a scammer who had phished the business owner’s information.
Severity of Phishing Scams
Scams happen every day to individuals of all ages and occupations. In 2018 alone, the Federal Trade Commission (FTC) received reports of more than $1.48 billion lost to fraud – an increase of more than 38% from 2017. Of these scams, wire transfers accounted for $423 million, the most of any payment method reported. (Source: consumer.ftc.gov)
But scammers target more than coworkers, and they use other modes of payment besides wire transfers.
When an official-looking email arrived in a payroll outsourcing rep’s inbox from a client company’s CEO requesting a change to the CEO's direct deposit account, the rep believed it to be authentic. After all, the email explained, the CEO was traveling, the service rep could make the change much faster from a good internet connection, and the rep was expected to take care of the client. With a couple of clicks, the rep could easily process the CEO's change request – and the email contained all the right details to verify that this was truly the CEO.
Unfortunately, the service rep learned the hard way that the "CEO's" email address was a spoof of the company’s legitimate, real CEO. Somehow, the scammer had not only obtained the CEO’s personal information but had also learned when the CEO was traveling. Then they went a step further and played an emotional card with the payroll company by pushing for this “expected level of customer service.”
This leads to the question: how do companies protect themselves from scammers who are able to access so many details?
3 Steps to Protect Your Company from Phishing Scams
Phishing scams can be done via phone, text, email, or any other form of communication. While some scams are easily detected, others can be convincingly persuasive by playing on your emotions. How do companies protect their assets and employees from an internal or external scam?
1. Share these 10 tips with your employees on how to avoid fraud. Protecting their personal information will help protect your company from an imposter posing as an employee.
2. Conduct an independent audit each year. This will help ensure your systems and controls are secure.
3. Provide a secure, password-protected portal. Employees and clients (where applicable) must be able to securely make their own data changes.
How Stratus HR Protects Client Data
Stratus HR has an independent verification and audit done each year to maintain its SOC 1 Type 2 certification. While this elective step isn’t required by the PEO industry, it provides clients with peace of mind that their information is protected with the highest degree of data security. (Not sure what a SOC 1 audit is? Learn here.)
To ensure data entries are authentic, Stratus HR provides custom-built software and an employee app that enable clients and employees to securely log in and make changes themselves. This spares service reps from having to decipher whether a fax, text, email or phone call is truly authentic, and the software has built-in security features to ensure that any changes made are authorized and are not transmitted through an unsecured portal.
For more information about security measures or what you can do to avoid a phishing scam, please contact your certified Stratus HR expert. Not a current Stratus client? Book a consultation and our team will be in touch with you shortly!