“Spear Phishing” Business Email Fraud on the Rise

August 13, 2015 by Mark Danczak

Receiving an email from your boss with instructions to “pay the attached invoice today via wire” is something most finance department professionals wouldn’t think twice about. But a cybersecurity scheme gaining popularity and impact, known as business email fraud or “spear phishing,” is putting organizations at risk for costly fraud. Companies particularly at risk are those going through any type of CFO or controller transition. Sophisticated cyber attackers scan news wires and social media outlets to identify such transitions, which make a company a more attractive target.

One of our firm’s clients was recently affected by spear phishing. In their case, cybercriminals sent an email “from the owner” instructing the controller to make a wire payment of $40,000 immediately. Unfortunately, since the email looked official (the email address was only off by a dash from the owner’s real email address), the payment was unknowingly made to the fraudster. Luckily for our client, they figured out what happened before the money was posted to the account at the other bank (which was in Alabama), and the money was fully recovered. A few more hours and those dollars would have been lost forever.

What is most interesting about this form of fraud is that unlike credit cards, which have virtually unlimited fraud protection, the only recourse in this scheme is to file a police report and chalk it up to a costly lesson learned.

Being aware of the potential risk is a big step toward prevention. Take the extra time to verify requests, and make sure you have good internal controls in place and that your team follows them to the letter, especially regarding wire or ACH transactions.

A recent Wall Street Journal article (Hackers Trick Email Systems Into Wiring Them Large Sums) describes the scam in more detail. Talk with your advisors about controls or ways to mitigate your company’s risk of becoming a victim.


Cohen & Company is not rendering legal, accounting or other professional advice. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts and circumstances.