Rental operation learns hard lessons from cybersecurity incident
by Connie Lannan
Editor’s note: Because of the sensitivity of the subject matter, the name of the business involved and its location have been left out of this story.
It all started in late October, several months after the rental company had transitioned its day-to-day accounting functions from the longtime chief financial officer (CFO) to a trusted employee who had been with the company for many years. One day an email that appeared to come from the company president arrived in that employee’s inbox. The email requested that funds be sent to a vendor named LinkedIn Corp. for consulting fees. The request was urgent, asking that payment be sent that day. Even though it asked for the funds to be sent via Automated Clearing House (ACH), which was not normal practice for this company, the new accounting person called the bank and set up the transaction, because the president had emailed her in the past requesting payments to various vendors.
The first email was addressed to the accounting department of the rental operation and was copied to a woman named Lisa Hernandez. The new accountant’s name and actual business email address were included in her emailed response. The amount of this transfer request was less than $5,000.
During that same week, the new accountant received another email, supposedly from the company president, with a similar request. This request listed the new accountant’s actual name and email address. Lisa Hernandez was again copied on the emailed request. When the second request didn’t go through, the new accountant contacted Hernandez at LinkedIn Corp. via the information that was provided in the email. She asked why it didn’t go through and whether they still owed the money. She was then instructed to send the payment to a second bank account. After she received the updated bank account information, she proceeded to contact the company’s bank to set up the transaction so they could send the payment.
After that, two more emails arrived. Each time she called her bank to set up an ACH to pay this vendor. As of this juncture, nearly $20,000 had been sent to the vendor.
During this time, the new accountant was replying to the person she believed to be the company president, keeping him informed of what she was doing, since the payment requests appeared to be coming from him by email.
Then the new accountant received another email for another ACH payment. This time it was for a different vendor, Cross Linkage Medical Supplies. The request was for the transfer of $48,570 for marketing research and strategy. Again the accountant contacted the rental company’s bank to set up the ACH payment and copied the president on what she was doing, using the address offered in the emailed request. The money was sent.
A few days later, she received yet another request. Again, it was from Cross Linkage Medical Supplies. This time the request was for $59,520. The new accountant contacted the rental company’s bank again to set up another ACH. The bank informed her that it could not continue to send payments this way. If the rental company wanted to continue sending payments via ACH, it would need to set up a different type of account with a $50 fee per month for the new account.
The new accountant emailed the CFO to ask her advice about setting up a new account. Shocked that she had just learned what had been going on for a few weeks, the CFO told the new accountant to not send any more money to anybody and requested the invoices be sent to her.
The CFO saw the invoices and noticed that the ones from Cross Linkage Medical Supplies were for marketing research and strategy. The CFO thought this was strange and did not make any sense, because the rental company did nothing in the medical supplies field. And why, the CFO wondered, would a medical supply company be billing an event rental company for marketing research?
The new accountant contacted the bank right away and was able to stop that payment just minutes before the bank was about to make the transfer.
In the meantime, the CFO contacted the president of the company, who had no idea this was going on. He was not aware of any of the emails supposedly from him or to him. They contacted their bank to see whether they could track down the money and stop the other payments from going through, but it was too late.
The company president then contacted the FBI, filed a police report and contacted his ARA Insurance preferred agent to see whether there was any recourse. While the matter is still under investigation, insurance investigators did contact the president, the CFO and the new accountant to learn more details of what had happened.
As they dissected the incident, the rental company learned about valuable red flags to be aware of to prevent this from happening again, such as:
- The initial email invoice was addressed to the accounting department at the rental company and not to a specific person at the company. That was a classic phishing attempt.
- The company requesting payment, LinkedIn Corp., was not one the accountant was familiar with sending payments to in the past.
- The email address used for LinkedIn Corp. did not match the name of the company.
- All the requests for payments were urgent: They demanded the invoices be paid today.
- There were a few grammar mistakes in the email.
- The subject line wasn’t always appropriate for the content of the emails. For instance, when the accountant called after the second ACH payment didn’t go through, she received a follow-up email with the new banking account information, but the subject line was the same as the email that indicated the payment didn’t go through.
- The president’s email address listed on the emails with payment requests and invoices wasn’t his regular email address.
- Even though the payment requests came from two separate bogus companies that supposedly should have been unrelated, all the emails and invoices received by the rental company were very similar in format and content. Things you don’t normally see on an invoice appeared on all the invoices from both companies, and in the same place.
- Between the emails, the invoices and bank account information, there were five different city locations.
The new accountant was devastated that she had been duped and had cost her company $70,000, which could have been around $130,000 if the last payment hadn’t been stopped. She and the entire rental operation have become extra-vigilant and wary.
The rental company now verifies any payment to a vendor it has no history with among the president, the CFO and the accountant. The rental company also has stopped paying any vendor via ACH, because one of the insurance investigators said that using ACH or PayPal can be more dangerous and more easily accessible to those who want to do harm.
The company also is following the advice of one of the FBI agents who suggested using a secret word in emails if payment is requested as a way to indicate this is a legitimate email from the company president.
It’s all about staying alert, they say, and asking “does this make sense?” Verify payment requests for unusual payment methods or amounts. Be aware of the red flags and, if in doubt, ask by making a phone call to the president or CFO.
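The red flags listed above and the verification policy the company adopted afterwards can be turned into a simple pre-payment screening check. The following is an added example, not code from the original article or from the rental company: each rule corresponds to one of the red flags (unknown sender address, generic mailbox, vendor with no payment history, vendor contact domain that does not match the vendor name, urgent same-day wording, a payment method the company does not normally use), and any flag results in a HOLD, meaning the request is verified by phone with the president or CFO before any transfer is set up. The executive addresses, vendor history, domains and the two sample requests are constructed for illustration; the "LinkedIn Corp." vendor name comes from the story, but its contact address is invented.

```python
import re
from dataclasses import dataclass

# Constructed reference data a finance team would maintain (assumption, not from the article).
EXEC_ADDRESSES = {"president@example-rental.test", "cfo@example-rental.test"}
VENDOR_HISTORY = {"acme tent supply", "cityscape linens"}
NORMAL_METHODS = {"check"}                      # this company did not normally pay by ACH
GENERIC_MAILBOXES = {"accounting", "accounts", "ap", "payables", "billing"}
URGENCY = re.compile(r"\b(today|immediately|asap|urgent|right away)\b", re.I)


@dataclass
class PaymentRequest:
    sender: str            # From: address claiming to be the executive
    to: str                # mailbox the request was sent to
    vendor: str            # payee named in the request
    vendor_contact: str    # address of the vendor contact copied on the email
    method: str            # "ACH", "check", "wire"
    amount: float
    body: str
    reply_to: str = ""     # Reply-To: header, empty if absent


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _vendor_domain_matches(vendor: str, addr: str) -> bool:
    """Crude check: the vendor contact's domain should contain the vendor's first name token."""
    token = re.sub(r"[^a-z]", "", vendor.lower().split()[0])
    return token in _domain(addr).replace("-", "")


def screen(req: PaymentRequest, history=VENDOR_HISTORY) -> tuple:
    """Return ("OK" | "HOLD", list_of_red_flags).

    HOLD means: do not set up the transfer; confirm by phone with the
    president or CFO first (the company's post-incident policy)."""
    flags = []
    if req.sender.lower() not in EXEC_ADDRESSES:
        flags.append("sender is not the executive's known address")
    if req.reply_to and _domain(req.reply_to) != _domain(req.sender):
        flags.append("reply-to domain differs from sender domain")
    if req.to.split("@", 1)[0].lower() in GENERIC_MAILBOXES:
        flags.append("addressed to a generic mailbox, not a named person")
    if req.vendor.lower() not in history:
        flags.append("no payment history with this vendor")
    if not _vendor_domain_matches(req.vendor, req.vendor_contact):
        flags.append("vendor contact email domain does not match vendor name")
    if URGENCY.search(req.body):
        flags.append("urgent same-day payment language")
    if req.method.upper() not in {m.upper() for m in NORMAL_METHODS}:
        flags.append(f"unusual payment method: {req.method}")
    return ("HOLD" if flags else "OK"), flags


# Constructed sample modelled on the pattern described in the article.
SUSPECT = PaymentRequest(
    sender="president@example-rental-mail.test",   # look-alike, not the real address
    to="accounting@example-rental.test",
    vendor="LinkedIn Corp.",
    vendor_contact="lisa.hernandez@consulting-invoices.test",  # invented contact address
    method="ACH",
    amount=4850.00,
    body="Please process this invoice today; the vendor needs payment immediately.",
)

# Constructed routine request that should pass.
ROUTINE = PaymentRequest(
    sender="president@example-rental.test",
    to="jane.doe@example-rental.test",
    vendor="Acme Tent Supply",
    vendor_contact="billing@acmetentsupply.test",
    method="check",
    amount=1200.00,
    body="Invoice for the May tent order attached, pay on normal terms.",
)

if __name__ == "__main__":
    for r in (SUSPECT, ROUTINE):
        decision, flags = screen(r)
        print(f"{r.vendor}: {decision}", *flags, sep="\n  ")
```

Run as a script it prints the decision and the matching flags for each sample; the suspect request trips six of the seven rules, while the routine one passes cleanly. The rules are deliberately simple string checks, so the point is the workflow: the flags are a prompt to pick up the phone, not a substitute for it.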