Recently, an employee of one of the Window & Door Dealers Alliance member companies received the following email message:
Hi. I would like to know if you have 59.5 in. x 47.5 in. Right-Hand Sliding Low-E Argon Glass Vinyl Windows In Stock? If Not Can It be Ordered? I will like to know the price and will make payment with my Credit Card. Please advise so we can proceed. Have a nice day. Regards, Edward Wilson
After some back and forth, the employee became wary of the transaction and requested either cash payment or a detailed credit card authorization form, completed in full. The scammer approved the price and asked the employee to make sure the estimate included the freight charges.
Hello, I am okay with the total cost which is $9,442.05 and i would like to proceed with my payment. In the mean time i want you to contact the freight company that will do the pickup from the location to its delivery point which is to my Worker in Guadeloupe, so i can get the freight cost
I will get back to you with my detailed credit card information as soon as i get the freight cost, so that you can put the total charges through and then proceed with the order. I am very busy at the moment but will give you a call later after confirming the freight cost for me.
I hope to hear from you as soon as you get the freight charges from Fast Line Shipping Limited.
This was the final red flag for the employee: the member company arranges and pays its own freight directly, so a customer asking it to get a quote from, and pay, an unfamiliar shipper of the customer's choosing did not fit. Knowing this stopped the employee from pursuing the transaction further and kept the company safe from financial loss. The employee Googled the email address the scammer gave for the freight company (Fast Line Shipping), and the first result was a blog post on this same situation from 2014, published by Glass Magazine, Window & Door's sister publication.
According to the many reports of this scam, if the employee hadn't stopped the transaction and the member company had paid the "delivery company," the scammer's payment would not have held up: a stolen credit card is charged back once the real cardholder notices, and the check or money order used in other versions of the scam bounces. The business would have been out the thousands of dollars it paid for freight, with product built or pulled for an order that was never real.
This story is certainly not the first of its kind. But it does present an excellent reminder to revisit IT protocol and train employees on best practices for email and internet security. The best—and seemingly only—way to beat a scam is to stop it before it happens. Know scammer tactics. Know the red flags.
Scammer Tactics and Red Flags
- The emails often come from a Gmail, Yahoo or similar free email account. These can be created anonymously in minutes, are tied to no verifiable business, and are also a common source of compromised accounts.
- The email exchanges are often littered with misspellings and poor grammar.
- The customer wants to pay for the product with a credit card and wants the order shipped a long distance, often to another country. The purchasing credit card is usually stolen.
- Scammers usually place an order for products they could easily get from a local shop, and the credit card billing address doesn't match the shipping address.
- The customer insists on using their preferred shipping company to transport the product, and asks the business to pay that delivery company directly, on the customer's behalf.
- Scam emails often include requests for secrecy or pressure to act quickly.
Potential victims of web-based cyber security breaches include any business connected to the internet. Getting hacked is a real threat to businesses of any size—and in any industry—and the results are costly.
Safeguards and Protocols
To safeguard your company and employees, consider the following takeaways when updating your IT protocol.
- Know the habits of your customers, including the reason, detail and amount of payments. Beware of any significant changes.
- Verify changes in vendor payment location, and confirm requests for transfer of funds through a channel other than the email that made the request.
- Be careful when posting financial and personnel information to social media and company websites.
- Consider financial security procedures that include a two-step verification process for wire transfer payments.
- Create mail-filtering or intrusion detection rules that flag email from domains that resemble the company's domain but are not an exact match, for example company.co instead of company.com.
- Register the lookalike domains (common typos and alternate extensions of the company domain) before someone else does.
- Define key responders and establish lines of communication in the event of a breach.
- Ready and train employees. All personnel should receive training on password security, email attachments and spotting malicious emails.
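The two domain-related safeguards above (flagging near-match sender domains, and registering lookalike domains defensively) can be driven by the same piece of logic. The following is an added example, not code from the original article or from the Alliance; the company domain `acmewindows.com`, the sample From: headers, the confusable-character table and the list of alternate extensions are all constructed for illustration. It generates the typo, transposition, confusable and alternate-extension variants of the real domain, which doubles as the list worth registering, and classifies an inbound From: header as internal, lookalike or external. It goes slightly beyond the article's ".co instead of .com" case by also catching single-character edits and substitutions such as "rn" for "m".

```python
"""Lookalike-domain check for inbound mail (added example, not the article's own code)."""
from email.utils import parseaddr

# Hypothetical company domain used throughout the example.
COMPANY_DOMAINS = {"acmewindows.com"}

# Short, constructed table of characters commonly swapped in lookalike domains.
CONFUSABLES = {"m": ["rn", "nn"], "o": ["0"], "l": ["1", "i"],
               "i": ["l", "1"], "w": ["vv"], "e": ["3"], "a": ["4"]}
# Alternate extensions worth checking and registering (constructed list).
ALT_TLDS = ["co", "net", "org", "cm", "com.co", "biz", "info"]


def split_domain(domain):
    """Split 'acmewindows.com' into ('acmewindows', 'com').

    Assumes a registrable domain with no subdomain in front of it.
    """
    label, _, tld = domain.lower().partition(".")
    return label, tld


def lookalike_variants(domain):
    """Return the set of lookalike domains for a real domain.

    Covers alternate extensions, a missing character, an adjacent
    transposition, a doubled character and confusable substitutions.
    The same set is the defensive-registration shopping list.
    """
    label, tld = split_domain(domain)
    variants = set()
    for alt in ALT_TLDS:                                  # acmewindows.co
        if alt != tld:
            variants.add(f"{label}.{alt}")
    for i in range(len(label)):                           # acmewindow.com
        variants.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    for i in range(len(label) - 1):                       # acmewnidows.com
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        variants.add(f"{swapped}.{tld}")
    for i in range(len(label)):                           # acmewinddows.com
        variants.add(f"{label[:i + 1]}{label[i]}{label[i + 1:]}.{tld}")
    for i, ch in enumerate(label):                        # acrnewindows.com
        for sub in CONFUSABLES.get(ch, []):
            variants.add(f"{label[:i]}{sub}{label[i + 1:]}.{tld}")
    variants.discard(domain.lower())
    return variants


def edit_distance(a, b):
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, company_domains=COMPANY_DOMAINS):
    """Classify a From: header as 'internal', 'lookalike' or 'external'.

    parseaddr() strips the display name, so 'Acme Windows <x@gmail.com>'
    is judged on gmail.com, not on the friendly name the sender chose.
    """
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "external"
    if domain in company_domains:
        return "internal"
    for real in company_domains:
        if domain in lookalike_variants(real):
            return "lookalike"
        real_label, _ = split_domain(real)
        seen_label, _ = split_domain(domain)
        # Same or one-edit-away name on any extension is still suspicious.
        if real_label == seen_label or edit_distance(real_label, seen_label) <= 1:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, not taken from the article.
    samples = ["Jane Doe <jane@acmewindows.com>", "ap@acmewindows.co",
               "ap@acrnewindows.com", "Edward Wilson <edward.wilson@gmail.com>"]
    for header in samples:
        print(f"{classify_sender(header):10} {header}")
    print("Domains to register:", sorted(lookalike_variants("acmewindows.com")))
```

In a mail gateway the "lookalike" verdict would add a warning banner or quarantine the message; the "external" verdict for a free webmail sender is not itself a block, since real customers use Gmail too, but it is the condition under which the other red flags on this page (distant shipping, customer-chosen freight company, urgency) should weigh more heavily.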