Chances are pretty good that you have heard the term business email compromise, or BEC, by now. It is a type of wire transfer fraud that the FBI has deemed one of the most prevalent types of scam going around these days. In 2017, there were over 15,690 complaints that resulted in total adjusted losses of more than $675 million. That is an 87% increase over 2016, and it is expected to continue to rise. The Identity Theft Resource Center (ITRC) reported that of the fraud-related complaints reported in 2017, the most common type was wire transfer fraud.
There are several common wire transfer fraud scams going around and new ones are being created every single day.
Employees at all types of companies are targeted with phishing email messages all the time. It’s not just Fortune 500 companies, but small businesses are also targeted. While a large company may be able to survive financially, small organizations often go out of business if an employee falls for a phishing scam.
Early in 2018, the City of Pittsburg, Pennsylvania was hit with a phishing attack resulting in theft of information from W-2s. In 2016, something similar happened at Seagate and Snapchat. In all of these, the criminals managed to get information on employees by sending an email pretending to be a C-Level executive and asking for the information contained on W-2 forms or asking for the W-2 forms specifically.
In both 2016 and 2017, the eSignature service DocuSign was used in another attack that used previous email conversations to distribute malware in phishing campaigns. It was used again in a similar way, but omitting the malware. Instead, it phished for legitimate employee login information, and once acquired, that information was used to infiltrate email conversations again and find out about active projects or current payments. With such specific information in the message, employees are more likely to click a link or visit a website.
When it comes to business accounts, large amounts of money can be wired out all the time. And if a request is made by a high level person for one to be made or for credentials to be shared, it can be uncomfortable to question it. However, when the funds and login credentials of the corporate accounts are at risk for theft, it’s important to be skeptical if something just doesn’t seem right or asks you to bypass typical procedures.
While the above are still common, there are some new kids on the block too. We will discuss a few of the scams that can catch employees and others out here, so you will know what to look for when determining if a suspicious request could be this type of fraud.
Paycheck Direct Deposit Redirect Scams
The Better Business Bureau identified a newer scam early in 2018 where employees were sent an email seemingly from their payroll department or company asking them to take a survey. When they clicked the included link or went to a specified website, they were asked to confirm their identity by typing in their password or other sensitive credentials. Once those login credentials were entered, hackers used them to access the employer’s payment portal. From there, the direct deposit paycheck was rerouted to another account.
Real Estate Scams
One that has started gaining popularity among the scammers deals with real estate transactions. The scammers will find out names of escrow companies, break into their networks or perform social engineering scams and get information related to upcoming transactions. They then will email homebuyers or those refinancing a home and ask them to change the account number on the wire instructions for an upcoming transaction regarding their loan. This is common in states where real-estate prices are high, but it can happen to anyone, anywhere. Even if a refinance isn’t in the millions, it can still be a great payday for a scammer.
What someone who has permissions to perform wire transfers needs to be aware of is that a last-minute request for this really shouldn’t happen. Always call the escrow company.
Other scams use payment services such as PayPal or Venmo to take advantage of others. One happens when people receive a check in the mail and are asked to deposit it into their own bank accounts. This may seem like an easy scam to spot, but the ruse is that they are being “hired” to perform a temporary service to test the quality of one of these payment services. Part of the “job” involves wiring most of the money they deposited into another account in order to provide this feedback to the company. As payment for this testing service, they get to keep some of it for themselves for a job well done. As you guessed, the check is bad, the wired money is gone, and it is all a big moneymaking scam involving wire transfers.
While it may seem obvious to some that this is a sham, for others the payment for the service and the whole explanation of the review process makes a lot of sense, and the scam is not so obvious. What someone at a financial institution needs to look out for is a deviation from a customer’s typical deposits, withdrawals, and transfers.
Vendor Invoice and Services Scams
You have probably received an invoice in your email at some point. Vendors send invoices in email quite often these days. And nearly everyone uses a shipping service such as FedEx or UPS, especially at the office. Scammers take advantage of that fact by sending fake invoices hoping someone will pay them. There are even scams that use actual PayPal accounts and company logos. Often these will include links to fake web pages asking for bank account logins so that the “invoice” can be paid directly from the account.
There are many variations of wire transfer fraud these days. Though they are somewhat new in the grand scheme of cyber fraud, they have changed quite a lot since the beginning. They started out using the names, email addresses, and other details of C-level executives. For example, scammers would gather information from various business networking websites, or even by calling the receptionist at the company to find out the names. Then they would gather other information, such as who works in the finance department. They would use this information in social engineering scams by sending email to that finance department employee asking for a large sum of money to be wired to some account. The scam worked if the money was wired without question.
We get it. You don’t want to question the boss. However, won’t the CEO be happier if you asked if that request was real before sending a bunch of money off to a scammer? And if it is a real request, you will feel better knowing so.
Detection and Prevention
There are some ways to spot and prevent wire transfer fraud or BEC from happening in your workplace:
– First, remember that if you are not expecting a link or attachment in an email, just don’t open it without verifying it first. The best way to confirm is to place a phone call. Get that verbal OK.
– Don’t bypass policies and procedures for wire transfers, no matter who asks. Those are in place for a reason and should always be followed.
– If a request to wire money or pay an invoice gives a sense of urgency and/or if there is a threat of something happening if you don’t pay it, it is likely a scam. Stop. Verify it first with the requestor. There is nothing so urgent you can’t take a moment to place a quick phone call just to make sure.
– If you are not expecting to receive an invoice from any company, yet you receive one in email, take a moment to confirm it first. Contact the vendor or the person(s) who made the purchase before even clicking a link or attachment and certainly before sending money.
– Remember that if you are contacting a requestor, use a phone number or email address you know is legitimate. Don’t count on the information sent in an email being real. Cybercriminals are actually making scams a business and setting up call centers to receive these “verification” calls.
– If you have a transaction set up and get a last minute request to change it, definitely take a minute to check with your financial institutions. Most of the time, wire instructions are not changed that quickly or with such a sense of urgency. It is OK to question these, and you should.
– Lastly, if you receive a sum of money in the mail and are asked to deposit it in your own account, don’t. Legitimate companies won’t ask you to go to such lengths to test a service.
Remember that no amount of technology can prevent 100% of the phishing emails from getting through. The cybercriminals are just getting too good at bypassing those. But by being aware of the verbiage used, the greetings, the logos, the little nuances in the wording or visuals, and of course being skeptical if a link or attachment is not anticipated, you can avoid falling for these scams.
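The red flags listed above (executive impersonation, a reply address that does not match the sender, urgency, changed wire instructions, requests to keep things quiet or skip procedure, and requests to “confirm” credentials) can be turned into a simple triage check that a mail team can run over incoming messages. The following is an added example, not code from the article or from Stickley on Security; the company domain, executive names and the two sample messages are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed assumptions: the organisation's own mail domain and its executives.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john roe"}

# Phrases the article calls out as warning signs.
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
WIRE_CHANGE = re.compile(r"\b(new|updated|change[ds]?) (the )?(wire instructions|account number|bank(ing)? details)\b", re.I)
BYPASS = re.compile(r"\b(keep this (confidential|between us)|don'?t (tell|involve)|skip the (usual|normal) (process|approval))\b", re.I)
CREDENTIALS = re.compile(r"\b(confirm|verify) your (identity|password|login|credentials)\b", re.I)

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw):
    """Return (score, findings) for one plain-text RFC 5322 message; score = number of flags."""
    msg = email.message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    # Display name of a known executive but the address is not on the company domain.
    if name.strip().lower() in EXECUTIVES and domain_of(addr) != COMPANY_DOMAIN:
        findings.append("executive display name from external domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != domain_of(addr):
        findings.append("reply-to domain differs from sender domain")
    text = msg.get("Subject", "") + "\n" + (msg.get_payload() if not msg.is_multipart() else "")
    for pattern, label in ((URGENCY, "urgency language"), (WIRE_CHANGE, "changed wire instructions"),
                           (BYPASS, "asks to bypass procedure or keep quiet"), (CREDENTIALS, "asks to confirm credentials")):
        if pattern.search(text):
            findings.append(label)
    return len(findings), findings

# Constructed sample messages (not real mail).
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e-mail.net>
Reply-To: ceo-office@mail-relay.biz
To: finance@example.com
Subject: Wire today

Please use the new wire instructions attached and process immediately.
Keep this between us until the deal closes.
"""
SAMPLE_BENIGN = """From: Sam Vendor <billing@acme-supplies.test>
To: ap@example.com
Subject: Invoice 1042

Attached is the invoice for the March order. Payment is due in 30 days per the contract.
"""
```

A high score is a reason to pick up the phone and verify with a known-good number, as the list above advises; it is not proof of fraud on its own.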
Stickley on Security
Published March 21, 2019