Key Talks FraudSM
Information and resources to help protect your business from fraud.
Join KeyBank experts and guests as we explore the latest fraud threats and cybersecurity trends that businesses need to be aware of. Listen in for details about rising scams, financial fraud tactics, and preventive steps and solutions to help you protect your business.
Latest Episode
July 2025
- Hello, welcome to Key Talks Fraud℠ podcast. I'm Kolt.
- And I'm Stacie.
- We've launched this new series to help our audience stay current on the continually evolving and increasingly sophisticated fraud scene. In each episode, we'll bring on subject matter experts to discuss a new fraud topic or emerging threat to help listeners like you be aware of trending scams, the red flags to watch for, and measures you can take to help protect your business's data and financial accounts.
- Thank you for joining us today. Let's get started. So, Stacie, business e-mail compromise and payment diversion are things that we're seeing with our small business and commercial clients. Let's talk a little bit about that. What is business e-mail compromise and payment diversion?
- Business e-mail compromise is really where a third-party bad actor either intercepts a conversation you're already having through e-mail, or they initiate a conversation through e-mail, and in that conversation they're impersonating the vendor, the executive, your customer, whoever it might be. They're impersonating them, and they're going to direct you to make payments to an alternate bank account, right? They're going to have some really good story. But in the end, all they're trying to do is play on your trust in that communication and get you to redirect your funds to a fraudulent bank account.
- So we kind of talked about the increasingly evolving fraud scheme. I think before, one of the things we used to tell clients was the standard process: look for any kind of misspelling in the business name, you're going to see these types of things, or look for grammatical errors inside the e-mails. And I think what we've started to see recently is that those aren't really the red flags you're going to see anymore. They're really hard to spot. So when you talk about business e-mail compromise, it's not impersonation anymore. They've actually got control of your vendor's e-mail, sometimes through exposed passwords and things like that. I know we've seen this in the past, but I just want to talk through that piece: how can somebody possibly have my vendor's e-mail under their control and they're not aware of it? Would they get my e-mails? Would they see that?
- Yeah. So oftentimes what happens, if they've really taken over the e-mail system at, for instance, your vendor's office, is they redirect the e-mails to folders. They do everything they can to hide that conversation to ensure that their scheme is not interrupted. So I know you'd think, if this was truly the actual intended recipient of the e-mail conversation, they'd be able to engage. But they're so good about hiding that communication that this could go on for weeks and you would have no idea.
- So those same rules that I'm using in Outlook to get certain e-mails out of my inbox, so I don't have to look at them, they're using to get the correspondence with the victim or the target out of the inbox of whoever's e-mail is compromised.
- Absolutely. That's exactly it.
- That really makes it hard to spot. So let's talk through some things. If I'm a small business and I get an e-mail and typically comes and talks some of the scams that they use here and they're very convincing, hey, we had our checking accounts hacked. We've got new accounts at a new bank. We need you to send new payment or payment information now to this bank. If I get that email, this should be a red flag, but it's not for a lot of people because in the world of fraud, checking accounts are getting hacked all the time, right? And by the way, if you write checks, your account numbers on the bottom. So, we try to tell people stop writing checks because you're exposing that. So, I feel obligated to get that in on the podcast as a public service announcement.
- Yeah.
- So whenever I get that e-mail, and it's from somebody that I've been doing correspondence with for years, what should I do?
- I think the first thing that you should do, just in that moment, is pick up the phone and call the person that has initiated that request, but call them at a trusted phone number, right? So don't call the number in the e-mail. Look it up, Google it, go through previous contracts that you signed where there's a phone number on them, but don't use the number in the e-mail. Pick up the phone, call them, and verify the legitimacy of those payment instructions that you received.
- OK, so I'm just playing this out: like every day I get e-mail correspondence from you. What's going to be the red flag here, or is it just that there aren't red flags, like you need to have this in your procedures and your policies, that you're going to do this every single time?
- Well, yeah, it's got to be a part of your policy in your firm. You're going to get lots of e-mails. But when you receive the e-mail that says please redirect payments, that's when bells and whistles should be going off in your head: I've got to confirm this. But I think you're looking for a sense of urgency, right? Things that, I know we've talked about it, you don't see it as much anymore, but you still see the executive impersonation schemes, and in those it's playing on the feeling that that person is well respected. They're saying it's urgent. It's top secret. Those kinds of clues that they're just trying to get you to react and not think, just respond. So you need to stop. Think. And pick up the phone. But I agree with you, Kolt. You said put it in your policy. Your policy needs to be that you have dual control, that you have two people. You've got a maker and a checker in your electronic payments flow. Both should be accountable, but at least for one of those people, part of their accountabilities, in their work, in their job description, is ensuring that they know the source of payment requests like that, that it's legitimate, that there's been some due diligence done. Sounds like a lot, but I promise you will be targeted, and to not fall victim to this is a huge win.
- You know, I think your comment there: it's not a matter of if this is going to happen to you. It's going to be a matter of when something like this might happen to your business. Whenever we think about this from a protection standpoint, more than likely, if I'm the sender, I'm not going to know that I was a victim of that fraud until my vendor, who's nice, I've always paid on time, so they're not going to hit me up after 30 days, probably not going to hit me up after 60, but probably about day 90, they're going to be like, hey, we still haven't received payment on that invoice yet. And I'm going to look and say, no, no, actually I did. What is my recourse if I find out 60 or 90 days later?
- If the money went out the door through wire transfer or ACH, there really is not a lot you can do to ask for the funds back. You can send recalls out to the other institution. But quite honestly, you've got about a 24-hour window, probably less, to realize that the scam has occurred and reach out to your financial institution to say I need to get that money back, right? Because, quite frankly, the onus is on you as the sender to make sure that those payment instructions are valid before you sit down in front of the computer and send out those funds. So time is of the essence. If there's any chance of recovery, it's probably going to happen the first day.
- Yeah, those recovery efforts even on day 1 are low. I mean, we're dealing with professional fraudsters, bad actors. Whenever that money lands, they know how the game's played, and they need to start getting that money out and moving it around or dispersing it. So I think that's a really good comment. We talked about fraud like prevention, detection, resolution, and really in this type of scenario it's the prevention piece, and sometimes it's those large-dollar invoices or payments that are coming in. I know that there was one a couple of years ago, at another FI that I was at, where there was a million and a half dollars for breaking ground on a new organization's facility, and it went to the wrong place, and that was very difficult to get back. Actually, it wasn't a full recovery. So there were some definite impacts there for that business. Hey Stacie, we're wrapping up. Is there anything else that comes to top of mind that we're seeing in the consumer or small business space, from the scam or trend perspective, that we'd like our audience to be aware of?
- What we're seeing is our commercial and small business clients being impacted by what we refer to as the bank impostor scam. It's really just someone impersonating your bank. So let's say it's KeyBank, and they call and say this is KeyBank's fraud department, or I'm a KeyBank banker. They reach out, and the entire purpose of the conversation is to convince you that you've been victimized by fraud and that they need to verify you, and in order to verify you, they are going to ask you for some very sensitive information. The key here is don't give out that sensitive information, right? Never release your user ID. Never give out your password. Never give out your PIN number. So just make sure that if somebody reaches out to you, you hold those things close to the vest. I also recommend, oftentimes, if you're uncomfortable, just hang up the phone and call the bank directly using the number on the website or on the back of your debit card, because I think that's really a safe way to ensure you're speaking to the bank.
- So as you talk about social engineering, I just want to bring this one up, because we have heard about this in the industry, where the fraudsters are pretty slick. Whenever you say, hey, I'll just hang up and call, they have a play that says, well, I totally agree with you, you should absolutely do that, and they will talk you into doing that exact same thing and say, but before we let you go, let me just check to see what the hold times are, so if you want to call back in you understand what you're going to be into. And they tell the caller that the hold times are 45 minutes to an hour, and that starts to get you into another mental state. Like, not only am I being victimized by fraud, and they have a sense of urgency here, I'm going to be sitting on hold waiting for this, I probably don't want to do that, and all the good judgment goes out the window. And they start having that conversation with the bad actor, who's very scripted to be able to understand bank protocols and sound very convincing. So I just put that out there, like, stick to your guns whenever it's these scenarios. And again, the payment fraud is a good one: every time, every time I get a new one, I'm going to do it. It's not, hey, I know Stacie, we talk all the time. It's every time. And every time you get something, somebody's calling you and saying they're from the bank: hang up. Call. We want your call. And just as we go out, the last one I just want to highlight is short codes. So can you talk about text messages that are actually coming from legitimate financial institutions, how those should look from a short code perspective, and what that is?
- I got one the other day. It was a text message sent through e-mail, and the e-mail address was just absolute garbage jargon. But when it comes to messages from a bank, theirs are going to come in the form of a short code, right? So that's going to be like a five-digit number, or a three-digit number with a dash and a couple of other numbers. It's not going to come from an area code and a regular phone number. It's not going to come from a foreign phone number that says Portugal at the top, right? Anything like that. So know that any message from your bank is going to come in the form of a short code, and so when you get these text messages, do not think that you're going to lose your license because you didn't pay a toll, right? Don't think that. If it's coming from a phone number that isn't a short code, I definitely would delete it, report it as junk or spam on your phone itself. But also, in those circumstances, you can just hang up, close your phone, and call the bank and reach out to us if you have any concerns about the transactions that were presented to you in that text stream. These guys are just savvy, and they know how to hit you, they know how to make you worry, they know how to make you panic. So the best thing to do is just take a deep breath and pick up the phone and call the bank directly. That's the best advice I can give.
- We really appreciate your time today. That's going to be all for today's episode. We hope you found the discussion on business e-mail compromise and payment diversion and bank impersonation scams informative. Additional information can be found at key.com/business fraud. If you're a KeyBank client and you think you may have been a victim of fraud, contact the KeyBank Fraud Client Service Center at 1-800-433-0124. For those that use a TTY or TRS, please dial 711.
- So don't forget to subscribe to Key Talks Fraud℠ for more insights on cybersecurity and business protection. As a reminder, this content is for informational purposes only. It's not financial, legal, or investment advice. For guidance specific to your situation, please contact a qualified professional. Thank you all.
The information and recommendations contained here have been compiled from sources believed to be reliable based on current information and conditions and are subject to change. KeyBank assumes no duty to update any information in the material in the event that such information changes. KeyBank does not represent or warrant its accuracy, reliability, or completeness or accept any liability for any loss or damage (whether direct or indirect) arising out of the use of all or part of this material. This material is provided as general information only; particular situations may require additional information or actions. Nothing in material shall be regarded as an offer, solicitation, recommendation or advice (whether financial, accounting, legal, tax or other) given by KeyBank and/or its officers or employees or other presenters. If legal advice or other expert assistance is required, the services of a competent professional should be sought. KeyBank may collect information about attendees of this event, including name, company affiliation, email address, phone number, address, and in certain cases, IP address, as well as any other information you choose to provide us. We may combine such information with information we already have about you.