No, really, it is not you when your CFO gets an email from you asking to do a last minute wire transfer. Or one of your customers gets an email to change the account number they normally wire payments to. Or your accountant gets an email to send you a copy of your tax return to your personal email address.
The unfortunate fact is that anyone can put anything they want in the “From” address of an email. And the Bad Guys are on a campaign taking advantage of this right now before most people and companies realize their vulnerability. It has paid off, according to the FBI, to the tune of $2.3 billion over the past 36 months, and last year was a 271% increase over the year before. Mattel wired $3m to a fake joint venture partner the "CEO" was negotiating with. Ubiquiti was taken for $46.7m, Scoular for $17.2m. And many, many others.
Some call it phishing, some spear-phishing, but the common thread is an email masquerading as from an exec or GP in your firm, always urgent, often late in the afternoon, and always targeting finance team members by name.
These frauds are real, very hard to spot, and San Francisco/Silicon Valley, and particularly our Venture Capital clients, are in the cross-hairs of many Bad People.
The unfortunate fact is that anyone can put anything they want in the "From" address of an email.
If you or someone on your team are in any kind of position to request any financial transaction in email (payment, deposit, capital call, distribution, even salary direct deposit) then please make sure you stress to the other parties that you will never request a change to your payment and account details in an email. Put a notice to that effect on your invoices and K-1s, and in all your outbound email communications. And establish a clear, multi-factor process to initiate or change any payment methods.
You can make it harder to become a target by removing email addresses from your website and from LinkedIn, but prepare your firm and your business ecosystem because at some point soon you will be attacked. Be ready, and, as always, call Hybridge if you have questions or if we can help.
If you are a Hybridge client, please let us know when you'd like to discuss this, and whether/when you'd like to discuss dual factor and other advanced security methods, if not already implemented.
As always, if you have any questions or feedback, please call us or email us at support at hybridge.com
