ACH Phishing Emails – All Tricks, No Treats!

Here at Box Lake, our engineers have seen an increase in reports of targeted ACH Fraud phishing emails recently. Take a look at some real examples below and consider our tips for not falling victim to these convincing scams.

We have encountered two main types of ACH fraud emails:

Type 1: The criminals try to convince your business to change an account and routing number to pay the criminals instead of the correct recipient.

Type 2: The criminals try to gain access to your account and routing numbers in order to initiate a payment.

In both scenarios, the cybercriminals are hoping for a human error in order for their fraud attempt to be successful.  These scams do not require a data breach or ransomware attack, all they need to do is trick one person.

Examples

The example below is an example of Type 1. The cybercriminal poses as an internal user (who happens to be the CEO of the company) emailing a financial controller.  They have the name of the CEO correct, but the email address is wrong. In the email, the criminal posing as the CEO gives the financial controller specific instructions to pay the bill and set up ACH for the invoice. There are no obvious indicators that this is a phishing email other than the email address the message was sent from and the fact that the payment is fake.

In the digital age, it’s not difficult to find out the names and titles of people working for a company that has any sort of online presence. This criminal did their research to learn who to email and who the email should appear to be from.

The example email below is an example of Type 2.  This email looks pretty legit and indicates payment is ready to be paid to the email recipient. In this example, the scammer is hoping you provide payment details so they can take those credentials and initiate a fraudulent payment.

In this scenario, the recipient did not recognize this as a payment they should be receiving. They forwarded the email to Box Lake to confirm the fraud so we could add the sender to a blacklist.

Regardless of the cybersecurity and email filtering measures your business has in place, there is no real way to guarantee these targeted ACH Fraud emails will not find their way into your employee’s inboxes.  Employees should be trained on spotting a fake email and taught to always get confirmation before changing any payment information.

Contact Us

October is Cyber Security Awareness month and a great time to review the security measures your company has in place.  Box Lake offers free consultations and recommendations on what security should be implemented for your business and your budget. If you have questions about cybersecurity or a disaster recovery plan, please contact us.