Email spoofs: Criminals posing as your government examiner
Imagine the humiliation of having to confess that your company had a data breach and inadvertently sent hundreds of loan files chock full of nonpublic personal information directly to a criminal posing as your friendly government examiner. That would not be a good day at the office.
How could this happen and what steps can you take to prevent this nightmare? This scenario could easily occur because companies with multiple state licenses have become accustomed to the constant succession of state regulators conducting routine examinations. Moreover, to save travel costs, many states now conduct examinations remotely for out-of-state licensees.
The introductory email from the alleged examiner always begins the same way: “Hello, my name is Pat Regulator, and I will be the examiner in charge of your upcoming regulatory examination for the state of Utopia. Please provide me with an alphabetical list of all loans closed in calendar years 2014 and 2015.”
It would not be difficult for this standard introductory email to be spoofed. Spoofing occurs when an imposter forges the sender address on an email, or registers a lookalike domain, to fool you into thinking you are corresponding with Pat.Regulator@Utopia.State.Gov when you are really corresponding with a criminal trying to steal confidential financial information. The name and address you see in your mail client are whatever the sender chose to put there; nothing about them is proof of who sent the message.
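The checks a mail gateway or analyst can run on such a message, as an added example that is not part of the original article: it compares the From domain with the envelope sender and Reply-To, and reads the SPF, DKIM and DMARC results that the receiving gateway stamped into the Authentication-Results header. The two messages, the domain utopia-state-gov.example and the gateway identifier mx.licensee.example are constructed for illustration. The check only means something if your own gateway strips any Authentication-Results header carrying its identifier from inbound mail, as RFC 8601 requires, since a sender can forge that header as easily as From; and it complements, rather than replaces, the phone call to the state described below.

```python
import email
import re
from email.utils import parseaddr

# Assumption: the authserv-id our own inbound gateway writes into
# Authentication-Results. Results attributed to any other identifier are
# ignored, because the sender can forge that header just like From.
TRUSTED_AUTHSERV_ID = "mx.licensee.example"

# Constructed sample 1: a forged introduction. From shows the state domain,
# but the envelope sender, Reply-To and authentication results point elsewhere.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@utopia-state-gov.example>
Authentication-Results: mx.licensee.example;
 spf=fail smtp.mailfrom=utopia-state-gov.example;
 dkim=none;
 dmarc=fail header.from=utopia.state.gov
From: "Pat Regulator" <Pat.Regulator@Utopia.State.Gov>
Reply-To: pat.regulator@utopia-state-gov.example
Subject: Upcoming regulatory examination

Hello, my name is Pat Regulator, and I will be the examiner in charge...
"""

# Constructed sample 2: what a genuine message from the state domain looks
# like after passing SPF, DKIM and DMARC at our gateway.
GENUINE_MESSAGE = """\
Return-Path: <Pat.Regulator@utopia.state.gov>
Authentication-Results: mx.licensee.example;
 spf=pass smtp.mailfrom=utopia.state.gov;
 dkim=pass header.d=utopia.state.gov;
 dmarc=pass header.from=utopia.state.gov
From: "Pat Regulator" <Pat.Regulator@Utopia.State.Gov>
Subject: Upcoming regulatory examination

Hello, my name is Pat Regulator, and I will be the examiner in charge...
"""


def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header value."""
    _, address = parseaddr(header_value)
    return address.rpartition("@")[2].lower()


def parse_auth_results(header_value):
    """Parse an Authentication-Results header (RFC 8601) into
    (authserv_id, {method: result}). Folding whitespace is collapsed first."""
    flat = re.sub(r"\s+", " ", header_value).strip()
    authserv_id, _, rest = flat.partition(";")
    results = {
        method.lower(): result.lower()
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I)
    }
    return authserv_id.strip(), results


def assess(raw_message):
    """Return the reasons this message should not be trusted as coming from
    its From domain. An empty list means every check passed."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    findings = []

    # The envelope sender and Reply-To should share the From domain.
    for header in ("Return-Path", "Reply-To"):
        value = msg.get(header)
        if value and domain_of(value) != from_domain:
            findings.append(
                f"{header} domain {domain_of(value)} differs from From domain {from_domain}"
            )

    # Only honour authentication results stamped by our own gateway.
    authserv_id, results = parse_auth_results(msg.get("Authentication-Results", ""))
    if authserv_id != TRUSTED_AUTHSERV_ID:
        findings.append(
            f"no Authentication-Results from {TRUSTED_AUTHSERV_ID}; sender authentication unknown"
        )
        return findings

    for method in ("spf", "dkim", "dmarc"):
        result = results.get(method, "missing")
        if result != "pass":
            findings.append(f"{method} result is {result} for {from_domain}")
    return findings


def is_spoofed(raw_message):
    """True when any check in assess() fails."""
    return bool(assess(raw_message))


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(label, assess(raw) or "all checks passed")
```

A DMARC pass tells you the message really came from the domain in the From header; it says nothing about whether that domain belongs to the state, which is why the lookalike domain in the first sample would pass its own DMARC check if the criminal set one up. That gap is closed only by the out-of-band verification steps below.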
Before you know it, you are off to the races, providing Pat with your income statement, balance sheet, a list of all cash accounts with bank account numbers, the general ledger balance — the list goes on. Two days later, you receive an email from Pat asking you to provide 100 loan files, and you do so without hesitation.
Here are dos and don’ts to help you verify the identity and credentials of examiners conducting remote examinations.
- Do check the state’s official employee phone directory and search for the examiner’s name. This website provides links to each state’s employee phone directory.
- Do call the state regulator using the phone number on the department’s official website, and ask the chief examiner to verify that you are being examined by the person claiming to be your examiner. The Conference of State Bank Supervisors’ website lists contact information for every state’s banking department. Chief examiners are accustomed to these calls and will verify that the individual is a real examiner for the state and that you are, indeed, being remotely examined.
- Don’t verify the examiner’s identity by calling phone numbers provided by the examiner in the introductory email. Any number supplied in the message is controlled by whoever sent it, so the call would only confirm the imposter’s story. Always take the number from a source the sender does not control.
- Don’t use unencrypted email to deliver documents during your remote examination. Some states have set up secure file sharing solutions, which are password protected and encrypted. If a state does not offer a secure means of delivering documents electronically, offer to provide a password protected disc with the requested information, and give the password over the phone or by another channel rather than in the same message. Documents sent via insecure, unencrypted email can be intercepted and stolen.
Just as you ask to see the credentials of examiners who conduct on-site examinations, so too should you verify the identity and credentials of examiners who conduct remote examinations. Ask for proof before handing over nonpublic personal information to complete strangers claiming to be your friendly government examiner.