Business email compromise (BEC) is one of the leading causes of company fraud, and it’s only growing. These are phishing emails where scammers pretend to be someone who works in your company to steal important information or rip you off financially.
Criminals are now changing tactics to include more than just emails. They are now going after video conferencing software and apps. And with a lot of people working from home, it won’t be strange to receive an invitation to a virtual meeting.
Read on to see how scammers steal money by impersonating company executives while in a video call.
Here’s the backstory
The most common method for BEC is to breach and hijack the email address of a company executive. Once the address is in the wrong hands, criminals can pretend to be that individual and instruct lower-ranking workers to do their bidding.
It usually takes some time for a company to realize something is wrong, but most have trained staff to look for scams. That means criminals have had to switch tactics, and a video call invite might not raise suspicions.
The FBI’s IC3 has seen an increase in virtual meetings being used as a vehicle to steal funds and information. Here are a few ways the FBI says BEC virtual meeting scams are being carried out:
- Compromising an employer or financial director’s email, such as a CEO or CFO, and requesting employees to participate in a virtual meeting platform where the criminal will insert a still picture of the CEO with no audio, or deep fake audio, and claim their video/audio is not properly working. They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email.
- Compromising employee emails to insert themselves in workplace meetings via virtual meeting platforms to collect information on a business’s day-to-day operations.
- Compromising an employer’s email, such as the CEO, and sending spoofed emails to employees instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer.
Those are just a few examples of scams making the rounds. There are more elaborate schemes circulating that involve Microsoft Teams.
Another concerning trend in virtual meeting software is criminals posing as co-workers to spread malicious files. Avanan warns that Microsoft Teams meetings can fall victim to hijacking, with criminals leaving malware in chat messages.
“The file writes data to the Windows registry, installs DLL files and creates shortcut links that allow the program to self-administer,” Avanan explains in a blog post.
How to avoid BEC scams
When you receive a meeting invitation to a platform you or your company doesn’t usually use, you need to be careful. Criminals might not know which program you prefer and send requests to the most popular ones.
The FBI gave the following suggestions to stay protected:
- Verify before joining – Confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.
- Increase security – Use secondary channels or two-factor authentication to verify requests for changes in account information.
- Check the link – Ensure the URL in emails is associated with the business/individual it claims to be from.
- Be wary of links – Be alert to hyperlinks that may contain misspellings of the actual domain name. This is a sure sign of spoofing.
- Don’t engage – Refrain from supplying login credentials or personally identifiable information (PII) of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
- Check the sender’s address – Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
- Look at bank statements regularly – Monitor your financial accounts on a regular basis for irregularities, such as missing deposits.
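The platform, link and sender checks in the list above can be partly automated at a mail gateway or triage script. The sketch below is an added example, not code from the FBI or this article; the approved platform hosts, the company mail domain and the edit-distance threshold of 2 are assumptions for a hypothetical company.

```python
from email.utils import parseaddr
import re
from urllib.parse import urlsplit

# Assumptions: the platforms and mail domain a hypothetical company actually uses.
APPROVED_MEETING_HOSTS = {"teams.microsoft.com", "zoom.us"}
COMPANY_MAIL_DOMAIN = "example.com"
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a trusted name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, approved=APPROVED_MEETING_HOSTS):
    """Return 'approved', 'lookalike' or 'unfamiliar' for a link's hostname."""
    host = host.lower().rstrip(".")
    if any(host == good or host.endswith("." + good) for good in approved):
        return "approved"
    for good in approved:
        # Compare the same number of trailing labels, so sub.zooom.us is still caught.
        tail = ".".join(host.split(".")[-len(good.split(".")):])
        if good in host or edit_distance(tail, good) <= 2:
            return "lookalike"
    return "unfamiliar"

def review_invite(sender, body):
    """Return (item, verdict) findings; an empty list means nothing was flagged."""
    findings = []
    sender_domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    if sender_domain != COMPANY_MAIL_DOMAIN:
        near = edit_distance(sender_domain, COMPANY_MAIL_DOMAIN) <= 2
        findings.append((sender_domain, "lookalike sender" if near else "external sender"))
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if (verdict := classify_host(host)) != "approved":
            findings.append((host, verdict))
    return findings

# Constructed sample invite, not a real message.
SAMPLE_SENDER = "CEO <ceo@examp1e.com>"
SAMPLE_BODY = "Urgent call, join now: https://teams.rnicrosoft.com/l/meetup-join/abc or https://zoom.us/j/123"

if __name__ == "__main__":
    print(review_invite(SAMPLE_SENDER, SAMPLE_BODY))
```

An invite sent from a genuinely compromised internal mailbox passes the sender check, so an empty result does not replace confirming a transfer request over a second channel.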
If you think you are the victim of fraud, immediately contact your financial institution to request a recall of funds. Regardless of the amount lost, file a complaint with www.ic3.gov or, for BEC/EAC victims, BEC.ic3.gov, as soon as possible.