You may have heard in the news that a small school district in central New Jersey has been scammed and defrauded out of $4.8 million. Contrary to what you may believe, this fraud, which targets school districts, municipalities and large businesses, rarely involves hacking or the compromising of sensitive information.
Instead, such scams are perpetrated by social engineering and spoofing – simply tricking large organizations into sending money by rerouting otherwise regularly scheduled payments to vendors. Fraudsters take on the personas of organizations to which funds are usually sent and contact their targets requesting that they change their usual method of payment for recurring invoices. They may claim to have recently switched banks, providing the sender with new wiring instructions to a new financial institution.
Such an email will look something like this:

Emails containing this new account and routing number will appear to come from that organization’s usual contact, but they are just a scam to trick large organizations into sending money. The email address and signature will appear identical to those typically used in email correspondence. Sometimes these fraudsters manage to hijack the real email accounts; other times there’s no need to. They create an email address nearly identical to that of the organization they are impersonating, usually changing just a single character. For example, if the legitimate email address is [email protected], a fraudster might use [email protected]. This small change, coupled with an identical email signature, would not prompt most recipients to be skeptical of any request.
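The near-identical sender address described above can be screened for before a payment-change request reaches a controller. The following is an added example, not part of the original article: a Python check that compares an incoming sender address with a list of known vendor contacts and flags near-misses. The addresses are constructed, and the function names, the look-alike character table and the two-edit threshold are assumptions made for illustration.

```python
"""Flag sender addresses that are near-misses of known vendor contacts."""

CONFUSABLE = str.maketrans({"0": "o", "1": "l", "5": "s"})  # assumed, not exhaustive
KNOWN_VENDORS = {"billing@acme-supply.example", "ar@northfield-paper.example"}  # constructed

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # two adjacent characters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def skeleton(addr: str) -> str:
    """Lowercase and fold common look-alike characters before comparing."""
    return addr.strip().lower().translate(CONFUSABLE).replace("rn", "m")

def classify_sender(sender: str, known: set[str], max_edits: int = 2):
    """Return (verdict, matched known address or None)."""
    s = sender.strip().lower()
    known_l = {k.lower() for k in known}
    if s in known_l:
        return "known", s
    for k in sorted(known_l):
        # A near-miss of a trusted address is more suspicious than a stranger.
        if skeleton(s) == skeleton(k) or osa_distance(s, k) <= max_edits:
            return "lookalike", k
    return "unknown", None

if __name__ == "__main__":
    samples = [  # constructed sender addresses
        "billing@acme-supply.example",   # exact match
        "billing@acme-suply.example",    # one character dropped
        "billing@acrne-supply.example",  # "rn" standing in for "m"
        "info@unrelated.example",        # no relation to a known vendor
    ]
    for addr in samples:
        print(addr, "->", classify_sender(addr, KNOWN_VENDORS))
```

A "known" verdict only means the address matches; it says nothing about whether the account behind it has been hijacked, so a request to change banking details still needs confirmation by phone.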
These fraudsters count on controllers not taking the time to scrutinize these requests and verify their legitimacy. As complicated as these scams may sound, they are almost always dismantled with just a single phone call. If you receive an email from a friend, family member, vendor, business contact, or any other trusted source informing you that they have recently changed their banking information, you should immediately contact the sender via phone using a trusted phone number. Remember that wire transfers are an instantaneous way of sending large amounts of funds, and once they are gone, they are almost never retrievable. The unfortunate school district in New Jersey has yet to recover millions of dollars that it sent over the course of several weeks.
Another way to protect yourself from this scam is to ensure that you have a good relationship with vendors and those to whom you frequently send payment. We find too often that fraud goes unnoticed until vendors reach out to inform our customers that they never received payment. This prompts customers to go back into their records and find that checks cleared in other people’s names (after being intercepted and washed) or wires were rerouted at the request of fraudsters. When you pay a vendor, verify that they received your payment and make a note of it. NEVER change the account and routing number to which payments are being sent without written and verbal approval from the vendor requesting the change. By taking these precautions, you can protect yourself and your organization from falling victim to this scam and avoid being tricked into sending money.


