As mortgage industry companies are putting a greater emphasis on technology and the Internet today to create a more successful business, executives across the country need to be aware of tactics that cybercriminals are using to hack into computer systems in order to access financial accounts and other high-level proprietary information.
According to Internet security expert Stu Sjouwerman, the founder and CEO of Clearwater, Fla.-based KnowBe4 which provides Internet security awareness training to businesses, there are several common spear-phishing scams targeting company executives and employees nationwide that pose a significant threat to data security.
“While many cybercriminals will send mass emails to a large number of users, others have fine-tuned their approach and are using highly targeted spear-phishing tactics to go after executives with access to company bank accounts and internal databases,” Sjouwerman said. “These scammers do their research and spend time customizing their spear-phishing emails. As a result, many recipients are fooled by the level of detail and authentic-looking messages and websites.”
In the scam known as the “Better Business Bureau complaint,” Sjouwerman said executives receive a fraudulent email that features letterhead from the Better Business Bureau, therefore making this seem like a legitimate mailing. The message then consists of either a complaint that a customer supposedly filed or claims that the company has been accused of identity theft.
The email provides a complaint ID number in which the recipient can click on if they wish to contest or respond to this claim. However, once the link is clicked, malware is downloaded into the businesses system.
A second scam Sjouwerman sees happening today is called a layoff notice. This phishing tactic takes advantage of the current economic conditions by targeting employees who may be fearful of losing their jobs.
This scam begins with a bogus email from the company CEO or human resources department informing employees that they have been laid off, but are eligible for severance and unemployment benefits. Employees are asked to register for their severance pay by going to a website that looks similar to the company’s homepagee and enter their name and Social Security number to log in.
Meanwhile, the website then triggers a malware download to the user’s system. If the individual entered any personal details, they are therefore immediately at risk for identity theft.
“While savvy Internet users realize they should not click links or download attachments from unknown senders, spoofed emails and official-looking websites trick recipients into letting their guard down,” Sjouwerman added. “When executives and employees receive time-sensitive emails that appear to be sent by the Better Business Bureau, a fellow exec, their legal counsel or an organization they support, most won’t think twice before clicking because they trust the person they believe is the sender. That’s what cybercriminals are counting on and why they’re willing to invest the time to create realistic-looking messages from familiar sources.”
“This ongoing threat emphasizes the importance of user awareness and education,” Sjouwerman continued. “By implementing companywide Internet security awareness training, enterprises can ensure their executives and staff know what to watch out for and how to avoid falling prey to spear-phishing attacks.”
Ann Fulmer, vice president of business relations at Interthinx, said it is important for mortgage industry companies to be more proactive rather than reactive in order to prevent fraud activity.
“We don’t think ahead like the criminals do,” Fulmer said. “Every time we put up a barrier or change a process or data requirement, people are staying up at night thinking how they can get into the system and around that barrier. Fraudsters are just so clever today.”
Because of scams like these, a survey from the Association of Certified Fraud Examiners found that businesses lose approximately 5% of their annual revenues to occupational fraud each year. Occupational fraud is a scheme where an individual uses their job for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.
According to the ACFE, if this figure were applied to the estimated 2011 Gross World Product, projected losses would exceed $3.5 trillion.
In the ACFE survey titled “2012 Report to the Nations on Occupational Fraud & Abuse,” banking and financial services accounted for 16.7% of the 1,388 fraud cases reported, the most of any industry. Meanwhile, real estate fraud consisted of 2% of the overall cases.
Specifically, small businesses are particularly vulnerable to fraud, ACFE found, mainly because these organizations have fewer resources than their larger counterparts, which often translates to fewer and less-effective anti-fraud controls. Managers and owners of small businesses should focus on fraud prevention by setting up hotlines, employee education and setting a proper ethical tone within the organization, ACFE recommends.
The Austin, Texas-bases anti-fraud organization found that perpetrators with higher levels of authority tend to cause much larger losses, as the median loss among frauds committed by owners/executives was $573,000, while managers and employees caused losses of $180,000 and $60,000, respectively.
“Targeted fraud awareness training for employees and managers is a critical component of a well-rounded program for preventing and detecting fraud,” ACFE said in the report. “Not only are employee tips the most common way occupational fraud is detected, but our research shows organizations that have anti-fraud training programs for employees, managers and executives experience lower losses and shorter frauds than organizations without such programs in place.”
