Protect yourself from email fraud before it’s too late. Learn how with our top 5 tips.
Mark and his wife, Meghan, finished a backyard redesign, complete with an in-ground pool, pool house and all new landscaping. Done in time for the summer season, the couple were happy with how it all turned out—until they realized an email hack had created a financial headache for them.
The general contractor, after completing the work, had emailed the couple final invoices: one for his services and another for the landscaping subcontractor.
Mark made the two payments online. As he’d paid the general contractor 50% upfront, he’d saved the firm’s wire instructions: bank name, routing number and account number. He entered a new amount in his online bank account and hit send. But he’d never before done business with the landscaping subcontractor, so he entered the instructions he’d received in the general contractor’s email and hit send again.
The problem is that the landscaping subcontractor never received this money. The instructions Mark had were incorrect. The landscaping subcontractor’s email had been hacked, and a spoofed email with a false invoice was sent to the general contractor, who passed it along to Mark.
In the end, Mark wound up paying the landscaping subcontractor’s rather expensive bill twice.
This scenario is all too common. According to the FBI,¹ overall fraud losses in 2018 were $2.7 billion, and of that, $1.3 billion was due to email compromise similar to the email spoofing and hack that Mark and his contractors experienced.
But such fraud may be prevented. The general contractor and Mark should have called the landscaping subcontractor to confirm the instructions. Meanwhile, the landscaping subcontractor needed to have stronger user IDs, passwords and anti-virus software. These are some of the good cyber habits that we all can adopt.
What is an email hack?
Cybercriminals can get access to victims’ emails through malware, website breaches and phishing scams. Often it can be as simple as their guessing or stealing usernames and passwords to gain unauthorized access to the victims’ accounts. Once inside, they capture specific details on financial transactions to manipulate wire transfers of funds into their own accounts. When the opportunity arises, fraudsters send emails to commit payment fraud.
With Mark’s landscaping subcontractor, a fraudster had sat in the subcontractor’s email for weeks, reading correspondence and learning to emulate how the subcontractor’s firm interacted with clients and what its invoices looked like.
What is email spoofing?
Fraudsters mimic, or spoof, an email to trick individuals into believing the email received is from a known and trusted source. For example, @ipmorgan.com can appear similar to @jpmorgan.com, and email@example.com can appear similar to firstname.lastname@example.org.
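The look-alike check described above can be automated for incoming invoices. The following Python is an added example, not part of the original article or any J.P. Morgan tool; the trusted-domain list, the confusable-character table and the distance threshold are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Assumption: domains you already do business with (constructed allow-list).
TRUSTED_DOMAINS = {"jpmorgan.com"}

# Assumption: a small, non-exhaustive table of visually confusable characters.
CONFUSABLES = {"0": "o", "1": "l", "i": "l", "j": "l", "rn": "m", "vv": "w"}


def skeleton(domain):
    """Fold confusable characters so look-alike domains collapse to one form."""
    s = domain.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return (verdict, trusted domain it resembles or None)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted:
        return ("trusted", domain)  # right domain; mailbox may still be hacked
    for good in sorted(trusted):
        near = edit_distance(domain, good) <= max_dist
        if near or skeleton(domain) == skeleton(good):
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed From headers for demonstration.
    for hdr in ["Accounts <billing@ipmorgan.com>", "billing@jpmorgan.com",
                "Invoices <ap@jpm0rgan.com>", "someone@example.net"]:
        print(hdr, "->", check_sender(hdr))
```

A "trusted" verdict only means the domain is spelled correctly; as in Mark's case, a hacked mailbox sends from the genuine address, so payment details still need verbal confirmation.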
What you can do to help prevent email fraud:
1. Protect yourself from an email hack.
- Use strong user names and passwords.
- Keep information in a secure place.
- Install and use anti-virus software.
2. Double-check your sources.
- A request may seem genuine because the email seems to be coming from a known email address. But slow down and examine the email closely to ensure it truly is the correct email address.
- Confirm the identity of the requester via an alternate method; for example, through verbal confirmation.
3. Learn how to spot fake emails.
- Look for bad grammar, spelling errors and poor sentence structure.
- Keep an eye out for changes to a sender’s format, font and salutation.
- Note if the sender is trying to create a sense of urgency to pressure you to bypass controls (e.g., Payments must go out ASAP!).
- Pay extra attention during the danger times: More fraud occurs late in the day on Fridays and before holidays.
4. Verbally confirm financial details.
- Check banking details with the beneficiary before initiating any payment. Tell the individual after an invoice has been paid. Request verbal confirmation of the payment.
- Exercise additional caution when a person or business changes their standing wire instructions. Bank account numbers don’t change that often.
5. Beware of “callbacks.”
- Think twice before complying even when individuals are requesting callbacks for seemingly legitimate reasons.
- Avoid callbacks to unknown numbers.
We can help
If you believe that you or your business has been a victim of email fraud, contact your J.P. Morgan representative immediately. Also be sure to speak with your representative to learn more about our cybersecurity and fraud awareness programs, or to schedule an information session with our professionals.
¹ Federal Bureau of Investigation, Internet Crime Report 2018.