Cyber Deception Case Study – Spoofed Email

A practice received an email, apparently from one of the group's physicians and sent from his personal email address, stating that he had changed banks and asking to have his pay routed to the new bank. The payroll department replied by email with the form needed to make the change. The form was completed and returned by email.

Weeks later, the physician approached the practice administrator asking to investigate why he was not getting paid.

The investigation uncovered the spoofed email and the falsified form requesting the change of bank.

The money was unrecoverable: more than $30,000 had been misdirected by the practice on the strength of the spoofed email and falsified form.

Lessons Learned:

  • Money that was misdirected due to a spoofed email is rarely recoverable and will not be replaced by the banking institutions involved.

  • The practice had a policy that all bank routing changes needed to be in writing; however, that alone was not enough to prevent this cyber deception, because the attacker simply supplied the writing.

  • Organizations should have a process that verifies the request through a channel other than the one it arrived on. If the change is requested by email, it should be verified by phone or in an in-person conversation before the change is made.

Best Practices:

  • Have a written policy and procedure on verifying requests for changes to EFTs:

  1. Organizations should have a process that verifies the request through a channel other than the one it arrived on.

  2. If the change is requested by email, it should be verified by phone or in an in-person conversation before the change is made.

  3. Document the verification (who verified it, how, and when).

  4. If the request cannot be verified, an employee should not make the change without discussing it with, and obtaining approval from, a senior staff person.

  • Educate workforce members on recognizing and avoiding email scams.