Smart Tech Spending
Smart Tech Spending is a podcast designed to help growth-driven businesses and mission-driven nonprofits gauge the success of their technology investments and overcome the challenge of measuring their tech ROI. Hosted by Nicole Lefsky, cofounder and managing member of Jersey IT Group, each episode features an interview with an executive or thought leader discussing topics like: Are you spending too much or not enough when it comes to technology services? How to avoid unplanned tech expenses? What technology drives profitability? This show is ideal for business owners, managing partners, CFOs and office managers who oversee technology spending for their companies.
Money-Saving Strategies to Prevent Fraud with Kellie Spawton
In this episode of Smart Tech Spending, I’m joined by fraud prevention and investigation expert Kellie Spawton who explains the bank's role when scammers steal from businesses and how companies can work to prevent it.
What you’ll learn in this episode:
- Why an “It Won’t Happen to Me” mindset can lead to financial loss for a company
- How simply validating account change requests can stop businesses from losing money to hackers
- A real email scam that led to a $750,000 loss
- How quick reporting is essential when trying to recover money after a scam
- The importance of educating teams and ongoing security awareness training
About Kellie Spawton
Kellie has nearly 25 years of experience in banking operations and security. She holds a bachelor’s degree in organizational psychology and business administration and is a graduate of the Stonier Graduate School of Business and Wharton Leadership Program.
Resources
Connect with Kellie Spawton: https://www.linkedin.com/in/kellie-spawton-47563610/
FBI – Cyber Crime - https://www.fbi.gov/investigate/cyber
Connect with Nicole: https://www.linkedin.com/in/nicolelefsky
Contact Nicole: nicole@jerseyitgroup.com
About Smart Tech Spending: https://www.jerseyitgroup.com/podcast
About Jersey IT Group: https://www.jerseyitgroup.com
[00:00:00] Kellie Spawton: Timing is everything. The less time that passes between the time the wire is sent and the time the banks and law enforcement know about it, the better the chances are of a recovery. I have had situations where we've seen wires go out and I'm, I'm on the phone with the bank a half an hour later. And the money's already gone.
[00:00:19] Jersey IT Group: You're listening to Smart Tech Spending, a podcast designed to help businesses gauge the success of their technology investments. If you're looking to overcome the challenge of measuring the ROI of technology tools and services, avoid unplanned expenses and uncover hidden costs, you've come to the right place.
[00:00:40] Let's get into the episode.
[00:00:42] Nicole Lefsky: Welcome to Smart Tech Spending. I'm your host, Nicole Lefsky. With me today to discuss how common misunderstandings about the bank's role can lead to unforeseen expenses when money is stolen by cyber criminals, we have here with us today Kellie Spawton. Kellie is a fraud prevention and investigation expert.
[00:01:04] She has close to 25 years of experience in banking operations and security. And we are so happy to have her here today to discuss this wonderful yet scary topic.
[00:01:17] Kellie Spawton: Yes, thank you so much. It is. It is both. It's a very interesting topic, but it is deeply frightening for a lot of people and sometimes myself included with some of the investigations I've seen.
[00:01:27] Nicole Lefsky: Well, we definitely want to dive into what you're seeing. I know that in talking with business owners regularly, there's this underlying feeling of, "It won't happen to me." And you and I both know that on a regular basis, businesses of all sizes, not just the large ones we hear in the news are, you know, getting phished through email and there are cyber-attacks occurring frequently.
[00:01:53] And I'd love to hear from you, as we have this conversation today, about the specific things that you're seeing so we can help enlighten people, so they can make better decisions about where to invest when it comes to cyber and preventing unforeseen expenses as I referenced earlier. Something you said when we spoke a short time ago, which I thought was really interesting and I wonder if you could expand on it was you said that the bank sending money doesn't know if the recipient is legitimate. There's no way to verify it. So I found this really intriguing. Can you shed a little light on where you were coming from with that comment and help the listeners understand a little bit that they may not realize when it comes to authenticity of people that we're sending money to, or even if it's unintentional, as we all know, through some cyber-attacks when they happen?
[00:02:45] Kellie Spawton: Absolutely.
[00:02:46] So what I meant by that is it's actual, very literal. So it's, we don't know when we're a bank who we're sending money to. We have to count on our customer to give us that information and our customer to verify that information. Why is that? Basically privacy laws. So we can't call up a bank to find out information about an account if we're not a signer on that account.
[00:03:10] Just like you couldn't call up a bank and find out what kind of accounts Kellie Spawton has. Right? I can't call a bank and find out what kind of accounts Joe Smith's accounting firm has. So when we think about the instructions that we receive as a business to send a wire or to send an ACH payment, whatever information you're being given, it's really important to validate that information, especially if it's coming over email, especially if it's changed from what it was before.
[00:03:39] And the reason is again, because there isn't a balance or a check in place to validate that that name and that account number, one, match each other and, two, are what we think they are. So I could have an account that's Kellie Spawton, but if I tell you, Nicole, that it's Jane's accounting firm, please go ahead and wire the funds to this account number.
[00:04:03] Everything's electronic today, right? So it's all, there aren't really people looking at it. It's entering numbers into a computer, just like we all do every day. So if you give a routing number, an account number, that's the part that matters. That's the part that is validated. Just that, yes, this is a valid account. Yes, this is a valid routing number. The routing number is what identifies the bank. The account number is what identifies the account for it to go into.
[00:04:30] So when we think about that, I can tell anyone anything I want. I can tell them that this account belongs to Jane's Accounting Firm. And if that person who's supposed to send this money to the real Jane's Accounting Firm doesn't call up Jane to find out, did you just send me these instructions? Are these instructions correct? Please validate this information. And by the way, they want to call up Jane at the number they have on file for her. Not the email address and not a phone number inside the email, because if that email was intercepted and changed, that information was also likely changed. So we want to make sure that we're actually talking to the person we want to send the money to when we validate that information.
[00:05:15] Nicole Lefsky: So we know we're seeing, you and I, in the professions that we have, we're seeing a lot of phishing attacks that are happening by email. And sometimes they're reaching out to an HR person. Sometimes they're reaching out to someone in accounts payable. And one of the common techniques in these emails, fraudulent emails, of course, is that there's some sort of request for a change of payment. Usually it's to wire money maybe for a payable, an invoice or the changing of a direct deposit account to an alternative or a different number.
[00:05:54] There's a perception from what you're informing us about today that people who are processing these payments and these changes are under the impression that the bank is going to check. So they think it's valid, obviously, because they're processing it. But even if it wasn't valid, they have this false sense of security from what you learned and you've seen over years in thinking, "Oh, the bank will check." and if it's fraudulent or something's wrong with it, the bank will let us know. And we as business owners need to be aware that that's not the case, that that doesn't happen anymore.
[00:06:31] Kellie Spawton: Right. I will say with that, there are, you know, different banks have different types of software that are looking for fraud. They're looking for these concerning behaviors or something that doesn't make sense. I always would teach my team and my branches that the you know, the magic question for every single thing we do is, does this transaction make sense for this customer? And if we can't answer that question, easily with the answer of yes, we need to start digging and we need to start asking more questions and we need to really make sure that this is a legitimate situation. That it's not a scam. That it's not a fraud situation.
[00:07:12] And that can go anywhere from, you know 90-year-old Mrs. Smith coming in and taking out $10,000 when all she has is $11,000 in the bank, when she's never taking cash. She doesn't take cash out.
[00:07:24] You know, it can range from something like that to a $750,000 wire from a business account that's popping on our software saying, or just they don't typically send wires one or the other. Right? So if they're coming in to send the wire and they never do wires, we're going to be questioning that. If it's popping on our software because they're using business online products to send wires. We're going to be reaching out and we're going to say, Hey, John, tell me what happened here. Tell me about this wire. This one's different for you.
[00:07:57] The bank that I used to work for, they had a software that would actually say, Hey, John has sent this wire before to this recipient, but the account number is different now.
[00:08:07] Nicole Lefsky: Are these services that you've seen across the banking industry- Are they things that the banks typically have or are there threshold amounts? Meaning, obviously, every client or customer to the bank is different. Like you said, you can have someone who never does withdrawals and someone else who has very large withdrawals or transfers on a regular basis. So it's very catered. But the services that you're referring to, are these things that a company or a controller or a CFO would need to go to their bank and say what types of additional services are available so that we can be alerted? Or are these things that are kind of rolled into day-to-day operations?
[00:08:50] Kellie Spawton: A lot of it's day to day operations. So it depends on the bank. It depends on the bank's risk tolerances. It depends on the size of the bank. What their budget is to be able to get these services. How many people they have to look at those services?
[00:09:05] So overall, unfortunately, that's not one of those where every bank is the same. There are a ton of different products and resources out there that banks use. Everybody has their favorites. Some are better at some areas than others. Some will pile on different programs from different companies to be able to get the best of both worlds or all worlds as best we can.
[00:09:29] One of the biggest challenges there is that the bad guys are really good at what they do. Not a big secret, but it's a big secret. Like, they're really, really good at it. So, the technology that's available to banks to try to find these and stop these situations is not only dependent on, you know, how quickly is it being updated? What changes are being made constantly? And what are we looking for? But also how it's, what we call tuning. So, how is it tuned? What are the thresholds involved? What type of business is it? So there's a lot of nuance and detail that goes into it to figure it out. As to what's the best way that we can help protect our customers, help protect the bank and be able to still be in business. You know, we still have to, we have to balance that safety and convenience piece so much.
[00:10:17] And I can tell you that we have had customers who we've had wires get flagged because there was something, you know, not right about it. And we call that business and they are very, very clear that they don't care and they want that wire sent. And when I say very clear, not always super nice about it to say the least. And then we find out a week later that it was a fraudulent wire. And that's one of the really painful things is that, you know, we do try to help as much as we can. Sometimes it just still goes through.
[00:10:51] Nicole Lefsky: Now in that type of situation where the customer still wanted the wire to process, was that a situation where they had been tricked by an email and they thought that like an invoice was valid or the request was valid because it looked valid or was it something else?
[00:11:08] Kellie Spawton: I can give two different situations. One was a wire. It was a $750,000 wire. The other one was an ACH for $33,000. But I say an ACH. That ACH ended up getting sent six times. We stopped five of them between us and the other banks, we were able to stop five of them.
[00:11:28] So with the wire, that person received an email. Instructions were changed in the email. There were a lot of grammar and syntax errors in that email that we actually requested to see the email to say, show us this email because something just isn't right here. And they sent it through their business online product. So we they never saw a person, you know, they never spoke with a human when they, when they started this transaction and the person said, "You don't need to see the email, send the bleeping wire."
[00:12:01] So at that point we can't really stop people from sending their own money. We can't stop them from doing that. We try as best we can. And about a week later, they called up and said that that company never got the wire. And we asked, did you contact the company? "I don't need to, I know them." Okay.
[00:12:20] We're strongly recommending that you contact this company and make sure that everything is correct. And like I said, a week later. They never got that money. And then we got to see the email. Then we got to find out kind of the whole story behind it. And this person was very much tricked working on multiple things at the same time.
[00:12:41] I know none of us know what that's like, right? Multitasking. None of us ever do anything like that. Bad guys count on that too, right? They count on the fact that we're very busy. We're answering multiple emails. We're answering calls. We're doing all these different things and therefore we may not take those extra steps. That's what scammers count on. That's the key to it all. So when we can slow things down, there's the opportunity. And that's what our kind of role is, is to slow, slow everybody down a little bit and say, "Okay, hold up." Let's pause. Let's take a look. Let's talk. And sometimes people are very caught up in their business or they don't think it will happen to them.
[00:13:20] And that's a really big thing. They don't believe they'll get tricked. And that's when the money leaves.
[00:13:27] That $750,000 was a total loss to that business. Total loss. The ACH payment one, where it was about $32,000. In that situation, the business received an intercepted email, or a changed email if it were, with new instructions. We just had fraud on our account. We had to change our account number - was actually what the email said. Please send it here.
[00:13:53] Nicole Lefsky: That's a good one. Believable.
[00:13:55] Kellie Spawton: That one went out. They then emailed again and said we didn't get it. It was because they still had a freeze. They had a freeze on this account because we'd had fraud. Can you please resend? Here, send it to this one instead. That one got bounced back. The third one we caught it and we stopped it. The fourth and fifth ones were sent to already frozen accounts because it had been caught on the recipient side that these accounts were getting fraudulent transactions on them.
[00:14:23] So that customer did end up losing $32,000, but they sent out $160,000. So five times they kept receiving these emails and at no point did they say, "We should call this person. We should call this company. And see what's going on. It doesn't make sense." Right?
[00:14:41] So I would encourage every business owner to, whether it's somebody asking for financial transactions or just in general is does this make sense for this customer? For this vendor? Does this make sense? And if it doesn't make sense, or if there's something that's like, "Oh, Well, it does, but..." That's when we slow it down. That's when we start asking questions. That's when we need to dig deeper.
[00:15:03] Nicole Lefsky: What are the chances of recovering money when there's a fraudulent request that's been processed?
[00:15:12] Kellie Spawton: Part of it depends on the type of transaction it is. So there's your basic transaction - payment transactions, wires, ACH payments, checks. Time is of the essence. If it's been any length of time with a wire, as in more than a couple of hours. My old boss and mentor always used the phrase, Your chances are somewhere between slim and none, and slim has already left town. In other words, very, very low. Even when it's a couple of hours, it can be already gone.
[00:15:39] Depending also on the type of wire, the amount of the wire and whether or not it went out of the country. When you have wires that go over $100,000, the FBI has something called the Kill Chain. It has to be less than 48 hours. It has to be an international wire and it has to be over $100,000 to activate the Kill Chain. That actually can work where we can get at least a partial recovery back. The FBI has also recently created a group called the Recovery Asset Team or RAT. I would probably have chosen to call that the asset recovery team. So they could be ART, but that's just me. So the Recovery Asset Team with the FBI is really cracking down on phishing emails, business email compromise, as well as unfortunately, things like romance scams and situations like that. And they are working really hard. And we are seeing some better recoveries with that Recovery Asset Team on the wire side.
[00:16:39] Again, timing is everything. The less time that passes between the time the wire is sent and the time the banks and law enforcement know about it, the better the chances are of a recovery. I have had situations where we've seen wires go out and I'm on the phone with the bank a half an hour later. And the money's already gone.
[00:16:59] And I've had situations where we've, we had one not too long ago. We had a business who is a smaller business. It was a title agency. And they sent a fraudulent wire, about $460,000 that they sent out. That was, this was one of the smaller agencies. That was basically their income for the year was around that.
[00:17:18] And we were able to recover about a hundred thousand dollars. We found out a week after. We got a hundred thousand dollars back and we were ecstatic. We did not think we would get a dime. It'd been a week. It was actually, it was actually Thanksgiving week. As a matter of fact, that it occurred. We got this hundred thousand dollars back and we couldn't believe it.
[00:17:37] The business, of course, was not as happy, and I don't blame them. What we ended up doing with that company was providing them with a low interest loan because they were going to go out of business if they lost, if they lost this money and we were told that's it, that's all that's there. We did a lot of training with that company. Like I said, we did provide them with a very low interest loan to help them stay on their feet through this to be able to figure out what they could do next and what changes they could make and how they could get through this and stay in business. Lo and behold, three months later, the FBI Recovery Asset Team, we got a check for $340,000 as a recovery.
[00:18:15] That is rare at best, but it did happen. And so we did have this wonderful situation where that happened. I will tell you that the vast majority of times that is not the case. Like I said, with that $750,000 wire, we spoke of a few minutes ago. That was about a week later. It was like six days - gone. All of it. We did not make any recovery for that person. They had sent another wire for about $60,000. That one, we did get back. But a $750,000 is a big, big bite.
[00:18:47] Nicole Lefsky: So looking back to when this started, obviously we all play a role in educating people. You know, the purpose of this podcast is to help people, you know, our listeners consider some of the things that we discuss. So when they're making decisions around technology and their budgeting and spending, they're taking this information into account to help them make better decisions. Do you find that most of the people that you're working with are educated and it was just a matter of not taking the time because of day-to-day business and just, you know, rushing or getting bogged down with other things? And it was just one thing on the many lists, or do you find that they're just not properly educated and then it's an opportunity for you to help them understand what to look for?
[00:19:32] Kellie Spawton: I think it spans all of that. A lot can depend on the business. A lot can depend on what's happening for that business. You know, we all know what's been happening in the real estate market the past few years. So we saw a lot in the real estate areas. During COVID, we saw a lot of scams against attorneys. So things changed. And constantly change. And that's one of our biggest things, okay, what's the, what's the latest and greatest scam trend? Because there are, there are trends around it. It's a combination.
[00:20:01] And I think that education is so important, but what makes education really stick is reiterating, right? It's the testing. It's how do we then bring that into real life? If we are doing training to check a box to say, yes, we did training, look at us, it's not going to go very far.
[00:20:20] But if we make that training part of everyday life, as simple as the number of businesses I've gone into where the passwords were either on the screen or under the keyboard. When we see people who they click on anything and everything. In an email without hovering first, just to see what's there. It's all those different things where it is a combination. It's a combination of multitasking slash overwhelm, as well as what are we doing with the training?
[00:20:48] I think it goes one step beyond training and phish testing is one of the best ways to understand, I think, where the training is not sticking, if you will. In that we can do these trainings, there's all kinds of great programs out there from different companies, and we can do these trainings and a lot of times they're these short fun videos that make it a little more. It's not as tedious as sitting there clicking through a slideshow or things like that.
[00:21:15] But at the same time, how well is it being retained and what's happening there? And when we do our phish testing, that's when we can start to find out, okay, what's, what's the deal here? What's going on? And then use that to then do some more in-depth training or focused training on specific areas.
[00:21:33] Nicole Lefsky: So this leads to the next question for me, which is how do people, businesses prevent this from happening?
[00:21:41] Kellie Spawton: There's a couple of different ways. I will tell you right now, there is no, for any type of fraud, anything that's out there, there's no 100 percent cure. And I think that's really important because it means that we are all susceptible to becoming victims of different types of fraud. Whether it's a cybersecurity event, whether it's check fraud, the traditional type, whether it's debit card fraud. Unfortunately, with all of the different data breaches that have been out there over the years, and I would say, you know, really going back to the Experian breach back in 2017, I believe it was, all of our information is out there.
[00:22:19] So it means that it is more likely than not that we are going to be either have an attempt at somebody committing fraud against us or have fraud committed against us. So it's really that awareness that our information is there. We need to do the best we can to protect it. We need to do the best we can to protect our money. And the banks are in the same business. We want to protect your information and your money. That's what we're here for.
[00:22:45] To me, I think it's really educating your team and yourself about what's out there. Understanding most importantly, that yeah, it can, and likely will happen. I've seen extremely smart, extremely accomplished people be taken in or tricked or whatever the case may be by bad guys.
[00:23:10] So I think it's really, really important to have the understanding that while we are all experts in our fields - Nicole, you're a phenomenal cyber expert. I'm a pretty darn good fraud expert. Each of our businesses out there are experts in what they do. Bad guys are too. This is what they do for a living, just like what we all do for a living. And we're proud of what we do as we should be. I know the bad guys are pretty proud of what they do. I don't know that they should be, but they are excellent at their jobs. Excellent.
[00:23:44] Nicole Lefsky: It's happening. It's real. It's happening to businesses of all sizes, as you indicated, and you've given some really helpful concrete tips as well as examples, of course.
[00:23:55] How often would you recommend that companies reach out to their bank? I mean, with the ever changing and increasing amount of crime, fraud, cybercrime. Would you recommend that they reach out to the commercial side of their bank and build a relationship with them so they're kept abreast of any new services that may be available?
[00:24:14] Kellie Spawton: I think so. Yes. Yeah, for sure. Every bank has their, you know, whether they're considered a business development group, a cash management group, a treasury group. Of course they're all called different things because, you know, why would it all be the same everywhere? But that's what makes it fun. And here's what's important. If you have a loan, a commercial loan, you have a lender, you have a relationship manager. They will know who the experts are for you to talk to in their bank. If you have a branch manager or a branch employee, who's your favorite one, who you see every week when you make your deposits or who you talk to fairly regularly for whatever reason, they're going to know who you should talk to, to get the best information possible. So you may not have a direct contact with a quote business banker, but you have a contact at your bank who will help you find the best person for you to talk to. I think a couple of times a year is probably really good. At least once a year, but at least a couple of times a year, I think is a pretty good way to handle it.
[00:25:13] Check out some of the different websites that are out there. The FBI, the FTC, that can help you understand kind of what's happening, what's going on out there today. What's the most popular scam right now? It's kind of disturbing information, but you get some stories that can be kind of fun to read too. And more importantly, you're getting education so that you can look at what's happening in your world. What's happening in your business. Any trade associations. So if you're a municipality, you know, there's the New Jersey municipal groups. If you're a title agency, there's all kinds of these different trade associations that will have great information on their websites about what are the scam trends we see today and taking some time once a month. Take an hour once a month to take a look at what's going on out there and then look at what are you doing in your business and what can you do a little bit differently? What's one very small thing you can change that could help?
[00:26:09] Nicole Lefsky: That's great. Thank you so much, Kellie. You offered some wonderful advice. Really appreciate it. If any listeners today would like to reach out to you and ask you a question here or there, what's the best way for them to reach you?
[00:26:23] Kellie Spawton: I would say probably LinkedIn is the easiest way. So it's Kellie Spawton, K E L L I E. My LinkedIn isn't fully updated. I did recently move, so I'm still working through all my different contact information right now. But LinkedIn is a great way to reach me if you have any questions or if there's anything I can do to help or provide any assistance with training or anything like that.
[00:26:42] Nicole Lefsky: That's great. Well, I want to thank you for all of the great advice and information that you shared today with our listeners and hopefully, moving forward, everyone will be better armed with knowledge and help in making them make smart decisions around technology and running their companies. So thank you so much for joining me on this episode.
[00:27:03] Kellie Spawton: Nicole, it's been an honor. Thank you.
[00:27:05] Jersey IT Group: You've been listening to Smart Tech Spending hosted by Nicole Lefsky.
[00:27:10] Make sure you never miss an episode by subscribing in your favorite podcast player. And if you enjoyed this episode, we'd appreciate it if you'd rate and review the show. Thanks for listening.