Between 2013 and this year, global financial institutions have lost an estimated $12 billion to phishing scams.
Specifically, scams known as “business email compromise,” wherein cleverly disguised emails are sent to firms’ employees and demanding urgent wire transfers. Recently, a hacker collective known as London Blue put together a list of 35,000 chief financial officers from the world’s largest banks and mortgage companies and targeted them with money transfer scams.
Robert Capps vice president and authentication strategist for NuData Security, has seen his fair share of scams over a 25-year career and is on the frontlines of the battle against various, increasingly sophisticated, scams.
“I’ve got the scars to prove it,” he said. “What traditional organizations are doing day-to-day to protect against business email compromise is multifaceted: There’s consumer education, and employees are basically taught what business email compromise and phishing looks like. They’re taught not to click on attachments, don’t take emails from unknown addresses that ask for really short emergency calls to action.”
The protective measures have grown at least as, if not more, sophisticated than the scams. Email filters, which grow heuristically, black lists and artificial intelligence, which studies the messages’ contents, are now used to protect financial firms from scammers. Some companies have even “gamified” their fight, inducing employees with prizes to report suspected scams.
“They’re making compliance fun, and gamification has led to a lot of consumers and employees paying more attention to potential risks,” said Capps. “Folks within the corporate executive offices at mortgage brokerages, lenders and realty brokerages—anyone involved with the mortgage industry or facilitation of the buying and selling of real property—when they get instructions to take action, they can pick up the phone and call the person from within the company who supposedly sent the email and find out if it was really them.”
A hallmark of the scams is to ask the target to take immediate action, and Capps calls that the first red flag. Asked why more people don’t realize the blatantly bogus nature of the scams, he said:
“It preys on the human desire to want to help, and the human desire not be fired from your job. What happens is people will often take action on something because they believe it’s come from legitimate source and it [collectively] results in the loss of billions of dollars of the global economy. Before anyone realizes what’s happened, the money’s gone and it’s not coming back.”
James Laird, co-founder of Ratehub.ca and president of CanWise Financial, says the most significant way his companies prevent being swindled by these scams is by moving away from email servers.
“We recently launched the ability for clients to log in through an encrypted platform and upload documents on that platform without going through email,” he said. “I think that’s the way things are going. It means agents are opening fewer emails trying to figure out what’s real and what isn’t, and the same goes for clients.”
Capps notes that a lot of homebuying consumers are getting caught up in these scams, as well, and they need to be apprised of the risks. He also says a lot of these headaches can also be averted by a simple phone call to the sender if they’re from within the company.
“If somebody from within the corporation is sending the email, call them and make sure. Independent verification is the best practice no matter what.”