I had my identity stolen. Here’s how you can avoid the same predicament.
Leah Colby, O.D.
Instead of sharing an internal marketing tip this month, I’ve decided to impart my experience as a victim of business identity theft. My hope is that doing so prevents you, my colleagues, from going through it. By taking three steps each month, or quarter, my experience could have been avoided.
I practice in a moderate-sized town northwest of Minneapolis and do business with several “small town” banks. I see most of the banks’ employees and owners as patients. I rub elbows with them on the football and baseball fields, and we are often at the same community fundraisers every other month.
A few days before Thanksgiving, as I was signing off on my weekly stack of bills at five minutes before 5 p.m. (that’s when anything bad is going to happen, right?), I logged into my accounting software and saw a balance that was markedly smaller than I anticipated. When I looked into the banking detail, I saw a withdrawal for more than $50,000 from the account and, in a sweat, I called my banker. What transpired was unbelievable. In its condensed version, it went something like this:
Me: Um… Jane (as in Doe, to protect her identity), I think we have a serious error with our account. It’s missing a lot of money.
Jane: Well, you sent me an e-mail yesterday asking for an international wire transfer for some new equipment, and I have your signature.
Me: Well, that wasn’t from me…
Panic and chaos ensued.
Although the investigation into this theft has yet to be completed, and in all likelihood, it will never be “case closed,” it turns out that someone got my e-mail signature (the one with my hours and “Like us on Facebook” logo) and a copy of my professional signature. Then, they sent my bank an e-mail claiming I was in a meeting until 5:30 p.m. and unreachable. The employee at the bank promptly gave the thief my account balance and offered to extend my line of credit to help with the purchase (which they thankfully declined). Then, the thief “Photoshopped” my professional signature into the authorization line, faxed it back, and bam. Money gone.
This scam is a business variation of the classic case of “phishing.” We’ve all received those e-mails from that long-lost cousin or prince in some foreign country, stating that if you send them $10,000, they will send you millions in return.
What is so profound about this case is that everything about the e-mail and transaction “looked” like me, except for the improper English, punctuation, chopped off signature and the fact that I sign my professional correspondence with “O.D.” — not my business correspondence. Also, it was shocking that no one at the bank thought to call our office to confirm my absence before they delivered the funds.
Friendly, but flawed
After doing some research, I found out that my warm and friendly small town bank doesn’t have hard and fast rules about wire transfers, and they do indeed allow e-mail requests for wire transfers.
When I called my big-box banker and asked about their policy on wire transfers, the bank’s representative actually laughed at my current situation and told me the bank’s policy was that for any transfers more than $1,000.00, the customer has to show up in person with two forms of ID before the bank would even consider transferring the dough.
Lessons to share
Here are the three lessons I learned from the identity theft, so you can preclude it from happening to you:
1. Be aware of your banks’ policies on wire transfers. Knowing the employees and owner(s) of your bank(s) really well doesn’t equate to your money being safe from this, among other scams. Therefore, know your bank policy on wire transfers.
2. Change your passwords frequently. Don’t leave any room for chance. I have personally decided to change my passwords for my business-critical sites monthly. The general recommendation is quarterly to twice a year. Keep this quote in mind: “Let us not be content to wait and see what will happen, but give us the determination to make the right things happen” – Horace Mann, American educator, author and politician.
3. Ask your IT support about their security measures. Make sure you know for a fact that you and your practice data are protected. If you didn’t already know this, Windows XP is set to stop receiving security patches in the next few months, which will leave you seriously vulnerable to hacking. Make sure you talk to your IT people now.
After the fact
My practice is in the process of changing our account numbers... with the same bank. I know what you’re thinking: “How could you stick with the same bank?” The answer is that the bank was able to recover the money, due to the Thanksgiving holiday delay, and at the end of the day, these same people have taken really great care of our business in the last 11 years. Oh, and I will likely get a REALLY good rate on my next loan. Just kidding. But it could happen.
Optometric Management, Volume: 49, Issue: February 2014