Aaron Grayson: From Wells Fargo Treasury Management, this is True Stories of Fraud — real customer experiences to help you understand and deal with the gravity of fraud attacks on American business today.
I’m Aaron Grayson, your host for this investigative fraud series.
Aaron: What you are about to hear is a true story about a prestigious university in the east. We can’t tell you the name of the institution for privacy reasons, but it was recently ranked in the top 100 colleges in the country. So, not a small school.
The fraud attempt was not small either. Actually, that much I can tell you. It was $470,000. Almost half a million dollars. A big hit to any institution or company. Pretty scary.
The university has approved vendors, in this case a construction company it uses for large projects. That’s how fraud often happens, by trusting an entity you know.
Dana is an associate controller at the school. Been there awhile. She knows her job. One Friday in July, Dana got an email from the construction vendor requesting a change to the account number for an ACH payment. Dana remembers how the fraud unfolded. I spoke with her by phone.
Dana: When I came back from 4th of July, I got an email from a person at the company saying she was working on the 4th and she was going to be in trouble if they couldn’t get the account info changed very quickly.
Aaron: Then came a second email to Dana asking about changing the account number again. That action, that account change she made, was all these criminals needed. Done. Success.
Dana had felt uneasy about the whole exchange. She phoned the construction company to confirm the payment. They said they never made the request. It wasn’t them.
Dana: I was really distraught. We had been so careful to only set up valid accounts. I felt sick because this happened and we knew the risks.
Aaron: Dana immediately reached out to Wells Fargo hoping to stop the huge payment. Then she contacted the treasurer at the college, notified her managers, to be safe, she alerted campus police and stayed late into the night as they wrote up the police report.
Dana: I was about to leave on my summer vacation and gave Wells Fargo my contact info to let me know anything. I was worried sick we lost $470,000.
Aaron: Dana, you must have been overwhelmed.
Dana: Yeah, I was. Then we got a call from Wells Fargo and found out we were going to get all the money back. It was a huge relief.
Aaron: What we know is Fraudsters are very skilled at hacking emails. They know exactly who to target in your company — by name, by title. They send legitimate-looking messages. And once they have a scheme that pays, they work it like a job, moving down their targeted list, stealing.
I spoke with John Kolar, a fraud expert with Wells Fargo Treasury Management. He shared important procedures the University put into action to help protect against fraudulent email attacks.
John Kohlar: Well, I’ll tell you. The university now requires pulling a recent invoice paid to a vendor, then obtaining the contact phone information from their website — not from the email, because that could be faked. And verifying the vendor’s FIN number, or financial identification number. And asking the university to verify their bank account information that they have on file.
Aaron: So, a very thorough verification.
John: Yes. It has to be. Oh, and there was something else. The university added one last fraud protection procedure that not every company would think of — or even has.
Aaron: Was it like some new technology? A cybercriminal detection of some kind?
John: Heh. No. Far from that. All vendors now have to send ACH information to a strict, password-protected fax machine.
Aaron: Heh, heh.
John: Only a few people at the University can retrieve faxes from that machine. And it takes away from the favorite entry point for fraudsters — the phony emails.
Aaron: So, what did we learn? Fraudsters prey on the trust you have with vendors. They will falsely personalize their situation to make you, or a colleague, want to help them — like changing an account number. Oh, and I learned something I never expected. That sometimes the way to stop criminals in this digital age is to throw a wrench in the mix. And by wrench, I mean a trusty old fax machine.
Wells Fargo shares these true stories to give you insight into possible scams and the guidance to help protect your company from these serious threats of financial loss. Join me for more True stories of Fraud. I’m Aaron Grayson, thanks for listening, and stay vigilant.