There has been a substantial increase in Electronic Funds Transfer (EFT) fraud in recent months, most of it carried out through social engineering: the psychological manipulation of people into performing actions or divulging confidential information. With much of our business now conducted remotely during the pandemic, schemes that manipulate someone into "voluntarily" sending a perpetrator money electronically are growing in both size and frequency. These EFT fraud attacks usually begin with a phishing email or a phone call.
EFTs include Automated Clearing House (ACH) transactions, wire transfers, electronic checks, credit/debit card payments and payroll direct deposits. All of these methods are fast and generally safe for sending and receiving payments. The danger lies in setting up, and especially in changing, the bank account information behind each of them: a fraudster who can get a payee's account details changed to an account he controls collects every payment that follows.
- Be suspicious of anyone who says they need to change the way they receive payments because of the pandemic. Every organization has adapted to the pandemic and can still both issue and receive checks.
- Periodically remind your vendors and staff that your Finance and HR departments will never ask for financial or personal information by email.
- Never act on an email request to change banking information, even if it appears to come from someone inside your entity. Always call the requestor using the contact information you already have on file, never the contact information supplied in the email, since a fraudster controls that number.
- Require a second-person, out-of-band verification step for every change to payment details: a second staff member, not the one who received the request, calls the payee to confirm the change.
- Implement dual control when actually processing any EFT transaction by requiring that at least two people are involved.
- Always perform a validation transfer (or test deposit) with a blind confirmation: send a small deposit to the new account and have the payee tell you the amount received, rather than telling them what to expect. Only someone with access to the account can answer correctly.
- Always require a signed Form W-9 from every new payee before making any payments, and again if the payee changes its mailing address. You can confirm the taxpayer identification number online through the IRS TIN Matching program or directly with the IRS.
- Implement Positive Pay for both checks and ACH transactions, so that your bank pays only items that match the list you have issued, and place an ACH Debit Block on your accounts so that unauthorized ACH debits are rejected outright.
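The list above is a sequence of controls, and the point of each is that a single person, a single channel, or a single piece of information supplied by the requester can never be enough to move money. The Python below is an added example that is not ASCIP's code and not any particular bank's or ERP system's workflow; it models a bank-change request that refuses to apply the change until the callback, blind test-deposit confirmation and dual-control steps have each been satisfied by the right person. The payee, phone numbers, staff names and deposit amount are constructed for illustration.

```python
"""Added example (not ASCIP's code): a payee bank-change workflow that refuses
to apply a change until the fraud controls have been satisfied. Payee names,
phone numbers, staff names and amounts are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional, Set


class ControlViolation(Exception):
    """Raised when a step would bypass one of the fraud controls."""


@dataclass
class Payee:
    name: str
    phone_on_file: str          # known contact info from our own records
    bank_account: str


@dataclass
class ChangeRequest:
    payee: str
    new_account: str
    channel: str                # where the request arrived, e.g. "email"
    phone_in_request: str       # contact number the requester supplied (untrusted)
    received_by: str            # staff member who logged the request
    callback_by: Optional[str] = None
    test_deposit_cents: Optional[int] = None
    blind_confirmed: bool = False
    processed_by: Set[str] = field(default_factory=set)


class BankChangeWorkflow:
    def __init__(self, payees):
        self.payees = {p.name: p for p in payees}

    def callback(self, req, staff, number_dialed):
        """A second staff member verifies by phone using the number on file."""
        payee = self.payees[req.payee]
        if staff == req.received_by:
            raise ControlViolation("callback must be made by a second staff member")
        if number_dialed != payee.phone_on_file:
            raise ControlViolation("callback must use known contact info, not the request's")
        req.callback_by = staff

    def send_test_deposit(self, req, amount_cents):
        """Validation transfer; the amount is deliberately never told to the payee."""
        if req.callback_by is None:
            raise ControlViolation("no test deposit before callback verification")
        req.test_deposit_cents = amount_cents

    def blind_confirm(self, req, reported_cents):
        """Blind confirmation: the payee reports what landed in the account."""
        if req.test_deposit_cents is None:
            raise ControlViolation("no test deposit on record")
        if reported_cents != req.test_deposit_cents:
            raise ControlViolation("payee could not confirm the test deposit amount")
        req.blind_confirmed = True

    def approve_processing(self, req, staff):
        """Dual control: two different people must sign off before the change applies."""
        if not req.blind_confirmed:
            raise ControlViolation("validation transfer not confirmed")
        req.processed_by.add(staff)
        if len(req.processed_by) < 2:
            return False            # still waiting for a second, different person
        self.payees[req.payee].bank_account = req.new_account
        return True


def run_demo():
    """Walk one constructed request through the controls; returns what happened."""
    wf = BankChangeWorkflow([Payee("Acme Supply", "555-0100", "ACCT-111")])
    # Constructed phishing scenario: the email supplies a "new" phone number.
    req = ChangeRequest("Acme Supply", "ACCT-999", "email", "555-0199", received_by="alice")
    results = {}
    try:
        wf.callback(req, "alice", "555-0100")    # same person who took the request
    except ControlViolation as e:
        results["same_person"] = str(e)
    try:
        wf.callback(req, "bob", "555-0199")      # the number from the email
    except ControlViolation as e:
        results["untrusted_number"] = str(e)
    wf.callback(req, "bob", "555-0100")          # second person, number on file
    wf.send_test_deposit(req, 37)
    try:
        wf.blind_confirm(req, 42)                # payee guesses wrong
    except ControlViolation as e:
        results["bad_confirm"] = str(e)
    wf.blind_confirm(req, 37)
    results["first_approval"] = wf.approve_processing(req, "alice")
    results["same_approver_again"] = wf.approve_processing(req, "alice")
    results["applied"] = wf.approve_processing(req, "carol")
    results["account"] = wf.payees["Acme Supply"].bank_account
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that nothing in the model trusts the request itself: the callback number comes from the payee record, the test-deposit amount is known only to the entity, and the two approvals are counted as distinct people rather than as two clicks. That is the property the controls above are trying to achieve, whatever system you actually record them in.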
ASCIP SECURITY ALERT:
No one from ASCIP will ever ask you to pay us via a wire or ACH transfer. ASCIP only accepts payments via check or LACOE account-to-account transfer.
If your Finance, HR and IT staff seem a bit cynical at times, there is good reason for it. They are the guardians of your entity's financial resources, and they take seriously the Russian proverb that President Ronald Reagan often quoted regarding a certain nuclear arms treaty: "Trust, but verify."
ASCIP will be publishing a series of tips to help keep members’ financial operations safe. Watch for the next in our series, “What’s on the Cyber Menu – Spam or Phish?”