Salal’s Business Services team has recently seen an uptick in fraud incidents against our members, and the use of artificial intelligence and large language models such as ChatGPT are only accelerating the damage that cyber-criminals can do. One particularly prominent type of fraud we’re seeing is that of phishing scams.
Phishing is defined as the fraudulent practice of sending emails or other messages purporting to be from reputable persons or legitimate businesses, in order to induce individuals to reveal personal information or sensitive data, such as passwords and account numbers. These kinds of cybersecurity attacks involve malevolent individuals masquerading as trusted entities, in order to manipulate your staff into exposing your business to cybercrime.
In particular, cyber-criminals often utilize phishing to obtain your business’s account information in order to scam you out of funds via wire transfer, or notify businesses that their payment account information has changed and to send future payments to a new account. Always verify via a phone number you have on file for any vendors asking to change their account information to ensure the request is legitimate. Washington State’s Department of Financial Institutions has recently sent out a bulletin emphasizing the importance for credit unions to exercise a heightened level of security and due diligence in regard to processing wires, and we advise our business members to do the same.
There are several kinds of phishing attacks to be aware of:
- Email phishing: An email may be sent from a fake email address designed to look like a legitimate email address. For example, an email pretending to be from Amazon may use a similar email address such as email@example.com, or may substitute the letters “r n” instead of “m,” to read firstname.lastname@example.org, which is easily read as “.com.” These fraudulent emails often include malicious URLs and fake links that the sender hopes the receiver will click on, and they tend to be distributed widely, in hopes of catching someone off-guard.
- Spear phishing: These email attacks are more targeted and are usually addressed to a particular individual. They can be persuasive because they often include information about the targeted person, such as job title, place of employment, and even job duties.
- Whaling: As a form of spear phishing, whaling email attacks focus on executive management. Typical whaling emails pretend to be from a CEO or other leader, making a request of a staffer within the organization, and the fraudsters count on the staffer’s reticence to question the request from a higher-up.
- Smishing: This kind of phishing attack contains the same elements as email phishing, but instead arrives via text or SMS. These can include fake internet links or QR codes.
- Vishing: The “V” stands for voice, and these kinds of attacks arrive by telephone, also typically containing similar attempts at persuasion as do spear phishing or whaling emails.
- Angler phishing: These attacks utilize social media to persuade people to divulge information or download malware. Fake URLs, cloned websites, or instant messages are all common pathways. Scammers particularly aim to hijack social media comments on posts in order to compromise the commenters’ information.
Spam filters and other technological tools, such as multi-factor authentication and regular software updates, are important, but are often not enough. Everyone must remain vigilant against the deceptions involved in phishing attacks, and Salal is here to help.
Here are some key giveaways that indicate an email or other phishing attempt is fraudulent:
- The greeting is generic and no information about your actual account is included.
- The email threatens your account or offers you an unexpected refund.
- The email includes an invoice or coupon you don’t recognize or asks you to click on a link.
- The email asks you to confirm personal information.
Our Senior Business Banking Representative Brandon Wilson, who goes by “Wilson,” confirms that Salal is seeing numerous members targeted by email compromise. “If members ever receive a change in payment instructions for an existing vendor, they should contact that vendor through a previously established phone number,” Wilson said.
Several of our members have been targeted via their vendors, Wilson reports. “These vendors’ email addresses are first compromised,” he said, “and then the fraudsters send our members updated payment instructions to send wires and ACH to the fraudsters.”
For every transaction authorized by your business, always be sure that you know the person or business to whom you are sending money, as well as the purpose of the payment. When sending a wire, double- and triple-check the details, and when receiving funds, allow at least a week for funds to clear before agreeing to any refunds. If a refund is ever deemed to be due, avoid sending refunds via wire.
In addition, members should be cautious not only about the emails they receive, but also about the emails that they themselves send. “Members often send us emails with their account information in unsecured formats,” Wilson noted. “Instead, we just ask that they email us using the legal name of the business.” For fastest service, please include your legal business name in the Subject line of your email.
If you discover fraudulent account transactions related to phishing, or if you suspect any other fraudulent activity, please contact Business Services immediately at BusinessServices@SalalCU.org or 206-298-9398. Please be prepared to provide detailed information about the fraudulent transaction, and please note that the affected account will be frozen until remedies can be put into place. Salal will attempt to recover any lost funds, but each fraud case is different and funds recovery cannot be guaranteed. For additional assistance, you may wish to include local law enforcement in your fraud reporting.
Your Salal Business Services representative will outline your options and the required steps, which will typically include completion of paperwork via DocuSign, setting up Positive Pay fraud prevention service so that you can monitor check and ACH transactions, and/or closing the compromised account and opening a new account with a new account number.
Some of our members have had the pleasure of working with Ken Minoza, Business Services Support Specialist, who has recently helped several of our business members recover from fraud attacks. “I prioritize clear communication with our members regarding required documents, and prompt submissions, including police reports, of supporting documents regarding their claims,” Ken said. “A timely action minimizes the risk of further fraudulent activities.”
Ken notes that fraud is not just a one-time event, and that it must always remain a long-term concern. “I like to promote Salal’s fraud prevention tool, Positive Pay,” he said, “and encourage members to utilize it to effectively to minimize fraudulent activities moving forward.”
Please note: Salal is unable to leave compromised accounts open and unsecured, as this places the business and credit union at risk, and we understand that an account freeze is disruptive to your business, so we will work diligently in partnership with you to resolve all instances of fraud.
The U.S. Federal Trade Commission is also interested in catching fraudsters, and invites you to report all phishing attempts:
- Forward all phishing emails to the Anti-Phishing Working Group at email@example.com.
- Forward all phishing text messages to SPAM (7726).
- Report the phishing attempt to the FTC at ReportFraud.ftc.gov.
Additional guidance, resources, and reporting information is available on the Federal Bureau of Investigation’s cybercrimes website: https://www.ic3.gov/
You’re also welcome to read more about preventing fraud on the Salal website:
- SMS Fraud is on the Rise
- Protect Yourself from Credit Union Impersonation Scams
- Tips to Avoid Social Media Cyber Crime
Every transaction has the potential for fraud, so thank you for helping us protect you, and Salal Credit Union as a whole, against fraud!