Security

  • 1.  Fake Invoice Scam - Are there best practices?

    Posted Nov 13, 2024 11:56 AM

    Luckily - this hasn't happened to us, but it happens in our community - in two ways.

    • You pay an invoice to a recognized vendor.  They don't receive payment.  You discover that the invoice you received is a fake - and while it looks real, the banking information is to an unknown entity.  Not only are you out the money - but you also still have to pay your vendor because they never received payment.  
    • You have a new member that has received a fake invoice that looks just like your own invoices - but with the wrong bank information. 

    The first instance costs you money.

    The second instance costs you your reputation - even though your organization didn't really do anything wrong.  

    99% of this is a process / people issue, though good email reputation defenses should filter out the worst spoofing offenders.  How are orgs inoculating themselves against both of these threats?

    Could it be a statement such as "We will never change our banking information without notifying you first" or as an internal process, require that all banking info changes must be validated by a person-to-person connection?



    ------------------------------
    Adam Kuhn
    Director, IT
    Futures Industry Association
    (202) 772-3002
    akuhn@fia.org
    ------------------------------


  • 2.  RE: Fake Invoice Scam - Are there best practices?

    Posted Nov 14, 2024 09:05 AM

    Adam,

    Great subject as there are so many hoaxes going around now.

    IMHO, a rigid policy for financial information changes is mandatory.  I suggest at least these two things:  

    1. Dual verification of any payment instruction changes, with one being through a phone call where the assn initiates the call to a known number on file
    2. An internal review/approval process that requires a second person to review and approve any such changes

    I think with these two items in place, odds are much lower of any single individual being scammed.



    ------------------------------
    Brian Scott
    President / CTO / CISO
    ClearTone Consulting LLC
    Frederick MD
    678-643-5593
    ------------------------------

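The two controls in the reply above (a callback that the organization initiates to the number already on file, plus a second approver) and the invoice-mismatch scenario from the original post can be modelled as a small workflow, which makes the failure modes concrete. The following is an added example and not code from either poster or their organizations; the vendor names, phone numbers and account identifiers are constructed sample data, and the field and function names are my own.

```python
"""Added example (not from the original thread): a minimal model of the
controls discussed above.

  1. An incoming invoice is compared with the vendor's bank details on file;
     a mismatch is held for verification instead of being paid.
  2. A change to a vendor's bank details is applied only after a callback to
     the phone number already on file (never a number supplied in the
     request) and approval by a second person who is not the requester.

All vendor records, phone numbers and account numbers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Vendor:
    name: str
    phone_on_file: str      # known-good contact recorded at onboarding
    bank_account: str       # current payment instructions


@dataclass
class Invoice:
    vendor: str
    amount: float
    bank_account: str       # what the invoice *says* to pay into


@dataclass
class BankChangeRequest:
    vendor: str
    new_bank_account: str
    requested_by: str
    contact_phone_in_request: str   # attacker-controlled if the request is fake
    callback_number_used: Optional[str] = None
    callback_confirmed: bool = False
    approved_by: Optional[str] = None


def sample_vendors() -> Dict[str, Vendor]:
    """Constructed vendor master; a fresh copy each call so changes don't leak."""
    return {"Acme Printing": Vendor("Acme Printing", "+1-555-0100", "ACME-111")}


def check_invoice(inv: Invoice, vendors: Dict[str, Vendor]) -> str:
    """Return 'PAY' if the invoice's bank details match the vendor record, else a hold reason."""
    v = vendors.get(inv.vendor)
    if v is None:
        return "HOLD: unknown vendor"
    if inv.bank_account != v.bank_account:
        # First scenario in the thread: a convincing invoice carrying someone
        # else's banking details. Hold it and verify; never pay on the mismatch.
        return "HOLD: bank details differ from vendor record"
    return "PAY"


def apply_bank_change(req: BankChangeRequest, vendors: Dict[str, Vendor]) -> str:
    """Apply a bank-detail change only when both controls from the reply have passed."""
    v = vendors.get(req.vendor)
    if v is None:
        return "REJECT: unknown vendor"
    # Control 1: callback initiated by us, to the number already on file.
    if not req.callback_confirmed:
        return "REJECT: no callback verification"
    if req.callback_number_used != v.phone_on_file:
        # Calling a number taken from the request only reaches whoever sent it.
        return "REJECT: callback did not use the number on file"
    # Control 2: second-person approval, distinct from the requester.
    if req.approved_by is None:
        return "REJECT: no second-person approval"
    if req.approved_by == req.requested_by:
        return "REJECT: approver must differ from requester"
    v.bank_account = req.new_bank_account
    return "APPLIED"


if __name__ == "__main__":
    vendors = sample_vendors()
    print(check_invoice(Invoice("Acme Printing", 1200.0, "MULE-999"), vendors))
    bad = BankChangeRequest("Acme Printing", "MULE-999", "clerk", "+1-555-0199",
                            callback_number_used="+1-555-0199", callback_confirmed=True,
                            approved_by="manager")
    print(apply_bank_change(bad, vendors))
```

The two details that matter in practice are the ones the model enforces explicitly: the callback number comes from the vendor record, not from the request, and the approver is compared against the requester rather than merely being present.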