Preventing Fraud | Business Email Compromise and ‘Friday Afternoon Fraud’

Continuing to use email and public file-sharing applications to share and exchange sensitive information invites unnecessary risk of cyber-fraud and data loss.

Email has long been the first-choice tool of cyber-criminals, but as anti-malware tools and scanning for malicious attachments become more sophisticated, fraudsters become more skilled in evading detection.

Business Email Compromise

Business Email Compromise has become a worldwide industry – with $5.3 billion stolen between October 2013 and December 2016 (compared to $1 billion stolen through ransomware in 2016).

In a Business Email Compromise attack the fraudster will often pose as either a client or a senior official within the organisation that they are targeting, using social engineering to add unique details that lend legitimacy to their request. They will send an email appearing to be from a director within the firm or a client, requesting urgent payment of an invoice or requesting that payment be sent to an alternative bank account. The money then ends up in the bank account of the fraudster.

Friday Afternoon Fraud and Invoice Hijacking

Where the fraudster can identify a legitimate transaction taking place, their task becomes easier.

In residential property transactions this has become known as ‘Friday Afternoon Fraud’ because the fraudster uses the time pressure of the end of the week to create urgency for the payment to be made. In the UK there are typically 4 losses every week, with an average loss of £70,000, and email is the primary tool.

With invoice fraud the criminal either creates dummy invoices from an existing supplier, looking very like the real thing, or follows up on existing invoices with a change of bank details. Emails that look like they are from the original sender or the supplier’s company are easy to believe, and the nature of Accounts Payable processes means that the fraud is not detected until long after the payment is made.

How VaultConnect removes the risk

By creating a secure environment for sharing and exchanging information, VaultConnect removes the fraudster’s access to the email exchange. It is also possible to lock down the bank details where payment should be made – ensuring that only the intended recipient can provide details.

A shared area for information exchange also creates the foundation for a secure process. If business rules dictate that payments are only made to bank details that are within a secure Vault, then even if somebody poses as the other party in the transaction by email, both parties know that the correct information is in the Vault.

As the Vault is accessible from any device in any modern browser, it also ensures that somebody posing as the CEO or Financial Director can be referred back to the Vault to update details. There is no reason why they should be requesting payments by other means.

  • End-to-end encryption to AES-256 (military grade) standards

  • Granular user permissions for controlled access to every folder

  • GDPR Ready

  • Custom branding for site and notifications

  • Secure access from any device using any modern browser

  • Easily share large files

  • ‘Single version of the truth’ – system of record with unlimited file versions and deleted file restore

  • Unlimited log of user activity in detailed audit trails

  • Comprehensive self-serve ‘shared-drive’ that looks, feels and behaves like your everyday file manager