One of Outdoor Industry Association's member companies was recently almost tricked out of $50,000 as part of a phishing scam.
But luckily, the company avoided the loss by working with its U.S. bank to reverse the international wire and is now warning the rest of the industry, according to OIA.
In light of the incident, the company instituted a policy to not allow any changes to existing banking information during a production cycle and without multi-step authentication.
How the criminals executed the scam
The impersonators somehow intercepted communication between the U.S. company and its supplier in China. They then registered a new email address in Nigeria whose domain differed from the supplier's by a single letter. As an example, the correct email is firstname.lastname@example.org; the fake email was email@example.com, in which the "s" was removed.
They then emailed the production department, impersonating the supplier and asking to change the remit-to banking information. After creating another fake email account, they answered the production department's security questions and updated the invoice with fraudulent banking information.
The company then wired the $50,000 to the scammers.
Tips from OIA to avoid fraud
- Change any and all passwords to emails, servers, and any systems that require passwords, including cell phones.
- Be on high alert for any suspicious emails.
- Double check that any financially-related emails you receive have the correct domain address.
- Do not just click reply on an email requesting sensitive or financially related information or changes. Start a new thread using the email address stored in your address book.
- Do not forget to purge your email cache if you inadvertently replied to an incorrect/fraudulent email address.
- Warn your customers and suppliers of the scam.
- Advise everyone involved immediately if you find, receive, or are a victim of any scam communication.
- Investigate within your home country what security protocols you should be following to protect you and your customers.
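The "correct domain address" check above can be automated: the scam worked because the fake domain was one letter short of the real one, which a plain string comparison will not catch but an edit-distance comparison will. The following is an added example, not code from OIA or the affected company; the trusted supplier domains are constructed placeholders, and the distance threshold is an assumption you would tune for your own supplier list.

```python
# Added example: flag a sender domain that is a near-miss (one or two edits
# away) of a trusted supplier domain, the pattern used in the wire-fraud scam.
from email.utils import parseaddr

# Constructed allowlist of trusted supplier domains (placeholders, not real vendors).
TRUSTED_DOMAINS = {"examplesupplier.com", "acme-textiles.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Classify the From: header's domain as 'trusted', 'lookalike' or 'unknown'.

    The display name is ignored on purpose: a fake address is often paired
    with the real contact's name, so only the address part is examined.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown"
    domain = addr.rpartition("@")[2].lower().strip()
    if domain in trusted:
        return "trusted"
    # A domain that is almost, but not exactly, a trusted one is the red flag:
    # a dropped or swapped letter is what a human eye skims past.
    if any(edit_distance(domain, good) <= max_dist for good in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed headers mirroring the incident: same contact name, domain missing one "s".
    for hdr in ("Li Wei <li.wei@examplesupplier.com>",
                "Li Wei <li.wei@exampleupplier.com>",
                "Accounts <ap@mail.example.net>"):
        print(f"{hdr:45} -> {check_sender(hdr)}")
```

A "lookalike" result on an email that asks for a banking change is exactly the case where the tip above applies: do not reply, start a new thread to the address-book entry.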