Watch out for this common online fraud tactic to better protect your business

Stefan DeCosse

Vice President Information Security

Stefan joined Payworks in 2015 as a key member of the security team and has been instrumental in evolving our security practice, including the establishment of our Security Operations Centre from the ground up.

According to a joint survey from the Canadian Federation for Independent Business (CFIB) and Mastercard, 72% of small business owners are more concerned than ever about cyberattacks on their business. Today’s reality is that ALL companies – regardless of size or industry – should be aware of how a cyberattack could affect their business. One of the best defences against social engineering tactics is awareness – for employees at your business to be familiar with what these fraudulent communications look like and what steps to take in evaluating whether or not a message is legitimate.

In the wake of the COVID-19 pandemic, digital communications are relied on more than ever to stay connected with staff and colleagues and conduct day-to-day operations. Some organizations have also shifted to permanent remote or hybrid work models, increasing the need for this form of connection. Cyber-criminals may look to exploit these situations, and the tactics used are growing more sophisticated; the fraudulent communications or requests often appear completely valid. If successful, these cyberattacks can result in financial losses for your business. Here’s one of the (unfortunately many) social engineering scams Canadian businesses should know about to protect themselves:

Banking information change requests: a common online fraud tactic

An employee requesting a change to their banking information might seem like a typical business-related communication to receive. However, cyber-criminals can masquerade as an employee in requesting changes to transit and account numbers. If your business completes this (fraudulent) request, the employee’s pay would instead be deposited into the criminal’s bank account.

Wondering how to prevent this from happening to your business? Making yourself and your employees aware of social engineering red flags is a great first step; encouraging staff to be vigilant and providing a simple way for them to report a suspected social engineering attempt or suspicious communication is another. If you or your staff receive a suspicious communication, one of the most actionable ways to be vigilant is to double check…

How to better protect yourself, your business and your employees

If you or an employee receive a “phishy” communication, always confirm the identity of the person making the request. This can be done in a number of ways:

  • Speak to the employee or sender in person
  • Phone the employee or the sender (telephone or video chat)
  • Open up a fresh email and send it directly to the employee or sender using their verified email address

Especially when it comes to matters regarding a change to personal or banking information, taking the extra step to ensure it’s actually the employee making the request is recommended.

In all scenarios, replying to the original, potentially-fraudulent email is not recommended. Even if a reply doesn’t disclose confidential information that would cause financial loss to your business, engaging with cyber-criminals can still make you and your business vulnerable to other forms of social engineering. If you’ve received a fraudulent email, a safe course of action is to block the sender and delete the communication from your inbox.

It’s important to remember that neither the size nor the location of your business makes you any less vulnerable to cyberattacks. Cyber-criminals are trying to take advantage of any unsuspecting recipient, and they’re hoping the authenticity of the request doesn’t get verified before the change has been applied.

Our security and governance experts here at Payworks have developed lots of helpful resources for empowering Canadian businesses to better protect themselves. Find them by downloading a free copy of our Security Best Practices E-Book.
