In February, the Boston Herald reported that the town of Tewksbury had lost $100,000 in a phishing scam.
According to the Herald, the Tewksbury town manager said an employee had received a seemingly legitimate email from a regular vendor seeking payment via wire transfer.
Apparently the payment request was not red-flagged as “unusual” because Tewksbury does pay some vendors via wire transfer.
Unfortunately, Tewksbury officials discovered quickly – but too late! – that this time the email was spoofed to appear to come from the vendor.
A sad story, and that’s exactly how these scams go all too often. A wire transfer request email looks legitimate, but it’s not.
About the same time, phishing scammers targeted youth hockey programs around the state, including Canton Youth Hockey.
As it so happens, I am currently the President of Canton Youth Hockey. One afternoon the members of my Board received an oddly-worded email that was supposedly from me. The email said I had a “request” I needed them to “handle discreetly.” They were instructed not to call but to reply to the email.
It was all a spoof! While the “From” address seemed to be from me, the “Reply To” address was a completely different anonymous Gmail address.
Luckily in this case, several members of the Canton Youth Hockey Board thought the email sounded fishy, so they called me before responding to the email in any way. I was able to confirm that the email was not from me and we immediately reached out to the other members of the Board to alert them.
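The tell in that email, a “From” that looks right paired with a “Reply To” pointing somewhere else, plus a request for secrecy, can also be checked by a mail filter. The following is an added example, not part of the original column; the webmail list, the phrase list and both sample messages (including the hockeyclub.example domain and the Gmail address) are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed, deliberately short lists; tune them for your own organization.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
SECRECY_PHRASES = ("discreet", "do not call", "don't call", "confidential")

def _domains(msg, header):
    """Lower-cased domains of every address found in the given header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}

def spoof_indicators(raw):
    """Return the reasons a message deserves a phone call before any reply."""
    msg = message_from_string(raw)
    reasons = []
    # Replies would go to a domain the visible sender does not use.
    diverted = _domains(msg, "Reply-To") - _domains(msg, "From")
    if diverted:
        reasons.append("reply-to-differs-from-sender")
        if diverted & FREE_WEBMAIL:
            reasons.append("reply-to-is-free-webmail")
    body = msg.get_payload()
    text = body.lower() if isinstance(body, str) else ""
    if any(phrase in text for phrase in SECRECY_PHRASES):
        reasons.append("asks-for-secrecy")
    return reasons

# Constructed sample: familiar-looking sender, replies diverted to webmail.
SPOOFED = """\
From: Club President <president@hockeyclub.example>
Reply-To: constructed.sample.address@gmail.com
To: board@hockeyclub.example
Subject: Request

I have a request I need you to handle discreetly. Do not call, just reply.
"""

# Constructed sample: ordinary message with no Reply-To header.
GENUINE = """\
From: Club President <president@hockeyclub.example>
To: board@hockeyclub.example
Subject: Ice time schedule

The schedule for next month is attached.
"""

if __name__ == "__main__":
    print(spoof_indicators(SPOOFED))
    print(spoof_indicators(GENUINE))
```

An empty result does not prove a message is genuine, since a spoofed sender can leave “Reply To” alone; confirming by phone remains the real check.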
In both of these scams, the thieves used familiarity, either to make the victim feel comfortable responding without confirming (Tewksbury) or to make the victims feel like they were helping a colleague or friend (Youth Hockey).
Business banking customers absolutely need to have strong internal wire transfer procedures in place with multiple-factor confirmation and authentication to be sure a wire transfer request is genuine.
If you’re not sure what that needs to include for your business, talk to your bank, your CPA or an independent computer security specialist.
(It’s not clear why Tewksbury did not have a strong verification procedure in place. Presumably they will have one going forward.)
Phishing scams are increasingly targeting local groups and individuals as well. You have to be prepared to recognize messages that sound “off” and be ready to handle all incoming messages – email, phone, text – in ways that will keep you from becoming a victim.
In the case of the Canton Youth Hockey scam attempt, the people involved had a healthy skepticism. They did not respond to the email immediately and – most important – they did not follow the instructions for “secrecy” in the email. They reached out on a completely different channel – by phone – and spoke to the supposed sender to confirm/verify. Exactly right!
Any message that involves secrecy is probably a scam. Any request or demand for gift cards is 100% guaranteed to be a scam. Take it slow if you get such a message. Take it easy, no matter how alarming a message seems to be. Show the message to other people you can trust to stay calm. Feel free to call your bank or just call the police.
Your phone is a powerful tool that you can use to protect yourself by reaching out to people who can help you determine what you’re dealing with. If it’s a “fishy” message, chances are very good that it’s a scam.
Nick Maffeo is the President & CEO of Canton Co-operative Bank – right next to the Post Office – in Canton. Have a question? Email to firstname.lastname@example.org.