Power-Sonic’s Solution To Business Email Compromise

Power-Sonic
Business Snapshot:

Power-Sonic has been a leader in the battery storage industry for nearly 50 years, providing a range of battery and power storage solutions. Its battery products can be found in industries and applications in more than 70 countries worldwide.

Business Leader:

Suzanne Chennault, Corporate Controller and Director of Finance

Headquarters:

Reno, Nevada

Download PDF

It started with a last-minute request from one of battery manufacturer Power-Sonic’s main suppliers on a Friday. The request, on customer letterhead, explained that the supplier had been exposed to fraud, so the supplier had set up a new account and needed to update their account information.

In reality, a cybercriminal had hacked the supplier’s domain, obtained client information and saw an upcoming scheduled transaction in the payment portal. Less than four minutes later, a new domain had been established and the hacker was able to intercept any communications between the two organizations, resulting in a financial loss for the company.

After a formal investigation, the only clue pointing to fraud throughout the incident was one inconsistent letter in the sender’s email address. Such slight variations on legitimate email addresses, such as changing or adding one letter, are an increasingly common technique used in business email compromise scams. These emails trick victims into thinking fake accounts are authentic, and instead direct the victim to the hacker.

The amount of time and effort spent to recover lost funds — on the supplier’s side and Power-Sonic’s — was substantial. This process is often made even more difficult when doing business internationally. In this case, the foreign bank involved would not address a potential fraud issue or freeze accounts until further verification could be completed.

“It was definitely an eye-opener for us,” explains Suzanne Chennault, Power-Sonic Corporate Controller and Director of Finance. “If you are sending a wire internationally, there’s fraud involved and you don’t catch it, you’re not getting that money back.”

"Everyone needs to know who we’re getting information from and how to make sure that it’s right."
Suzanne Chennault, Corporate Controller and Director of Finance Power-Sonic

In this situation, Power-Sonic was able to mitigate the loss thanks to its cyber insurance policy.

As a company that does a lot of business through the internet and electronically, Power-Sonic fortunately was covered under a cyber insurance policy, but many organizations, especially those that do less international business, are not protected.

“We treat cybersecurity like we treat our cargo freight. Our cargo is very important to us. Our products come from China, Malaysia and Vietnam, so if something happens to a cargo ship — which has happened in the past — we need to protect ourselves because once that freight gets loaded on a ship, it’s ours. We treat cyber insurance the same way.”

The experience prompted Power-Sonic to take further fraud prevention measures. “Immediately after, Enterprise gave us great ideas on processes to implement to boost our fraud prevention and make sure we vet incoming information as best as possible.” For example, if an existing supplier needs to change their bank information, verbal verification is required. The team will call the vendor or supplier directly to verify the request.

User education is another critical piece. “Not only do we teach fraud detection to team members that work with cash or money, but we’re also educating our sales and customer service teams,” Chennault says. “Everyone needs to know who we’re getting information from and how to make sure that it’s right.”

Strengthening company firewalls is also an important step. “One of the phishing emails we get on a regular basis are emails that look to be from our CEO saying a wire needs to be sent urgently. When an employee sees something from their CEO, they jump through hoops to take care of them.”

This is where user education comes into play. Employees should know how to examine emails for potential phishing threats and also understand company policies regarding how such requests, if legitimate, would be handled.

“For every phishing email you block, there are 15 more that come through with the same request,” Chennault says. Mitigating the risk of falling victim to a phishing scam requires tightening your firewalls, but in most cases, training your people is always going to be an important piece of the puzzle.