Imagine you work in the accounting department and get a phone call from the boss. He needs you to transfer some money. No big deal, you’ve done this before. The problem is this happened recently and the caller was fake. In an instant, almost $250,000 was sent to scammers.
It’s not just phone calls. The bad guys know that the easiest way to get into a computer or even a server is through phishing scams. It takes just one person in a business or organization to click open a bad link in an email to set the malware devils loose.
However, the vast majority of these phishing scams want money. For years, these treacherous emails were easy to spot but they are now becoming increasingly sophisticated. Phishing emails can now look as if they come from your company’s CEO or human resources and even big corporate names are not protected.
A Better Business Bureau (BBB) study shows how prevalent and bold these phishing scams are becoming.
The sender looks very familiar
An email from your CEO is enough to put your heart in your throat, especially if it’s directed right at you. But before you dutifully open that link or follow your boss’ request, stop and think.
BBB’s study, appropriately titled “Is That Email Really From ‘The Boss?’ The Explosion of Business Email Compromise (BEC) Scams,” finds that the scams have cost businesses and other organizations more than $3 billion since 2016. The scams hit big and small businesses, nonprofits and even governmental organizations.
Under a BEC fraud, the scammer poses as a reliable source who sends an email from a spoofed or hacked account to an accountant or chief financial officer (CFO) asking them to wire money.
This type of fraud has tripled over the last three years, jumping 50% in the first three months of 2019 compared to the same period in 2018. Last year, 80% of businesses received at least one of these emails.
The average BEC loss involving wire transfers is $35,000. But don’t think tech-savvy companies are immune from these sorts of attacks. Google and Facebook lost more than $100 million to BEC fraud before the scammer was arrested in 2017.
Be on the lookout for 6 new types of fraud
According to the FBI, there are at least six types of BEC or email account compromise fraud:
- The “CEO” asking the CFO to wire money to someone.
- A vendor or supplier requesting a change in invoice payment.
- Executives requesting copies of employee tax information.
- Senior employees asking to have their pay deposited into a new bank account.
- An employer or clergy asking the email recipients to buy gift cards on their behalf.
- A realtor or title company redirecting proceeds from a sale into a new account.
These types of targeted email phishing scams are also sometimes called spear phishing.
Related: Warning! Watch out for these email subject lines … they could be phishing attacks
One such scam could have cost a real estate agent thousands of dollars. In Illinois, the buyer of a house received an email that appeared to come from the real estate agent selling the house.
The email asked the buyer to wire the funds to a specified account even though the buyer was told to bring a certified check to the closing. Luckily, the buyer ignored the email.
However, the email could have fooled more trusting people as it contained the actual closing price of the house and an attached PDF showing the letterhead of the real company handling the transaction. The real estate company’s clients are now warned to call the title company or real estate agent if they receive instructions to wire closing money.
Another nefarious scheme is to trick HR departments into changing an employee’s direct deposit account — one that gives the money straight to thieves. KVC Health Systems, a nonprofit child welfare agency based in Kansas City, received these types of phishing emails around two or three times per month.
These scams work because the con artists are sending emails that mirror those of the company they are trying to steal from. Grammatical errors have virtually disappeared and some can even capture the casual tone a CEO may use with a colleague.
Who’s really sending that phishy email?
The nation that brought us the Nigerian prince scam is also largely responsible for a good portion of the new BEC scams. According to the BBB report, the majority of those arrested or charged for BEC fraud in the U.S. over the last three years are of Nigerian origin. About 90% of BEC groups operate out of Nigeria.
To make a scam workable, the con artists need the names of people within an organization, their job titles and email usernames and passwords. They then send emails directly to people, impersonating a trusted superior or partner seeking money. They can do this using a fake email address or domain name or even by hacking a real person’s email account.
The FBI is fighting back. Since Aug. 22, 360 people who are believed to be responsible for almost $10 million in business losses have been arrested in the U.S., Nigeria and other countries.
You know this, but…
For the BBB, the most important thing is to get your employees trained. Always have them double-check if they receive an email asking them to transfer or wire any money — even if the email comes from the big boss, call. Also, warn employees not to click on attachments from unfamiliar senders.
Here at Komando.com, we’re always on the watch for new types of phishing scams. Here are tips we have that businesses can use to protect themselves and their employees:
- Check incoming email addresses carefully, especially when they demand financial transactions. Even a single missing character could be the difference between a real email and a fake one.
- Look for recurring subject lines like “Request,” “Follow-up,” “Urgent/Important,” “Are you available?/Are you at your desk?” and others.
- Verify messages from your boss requesting money transfers, gift card purchases and any request involving sensitive company information. Go see them in person or call them.
- Don’t click on web links or attachments in any suspicious emails.
- IT must make sure your employees are aware of these types of attacks to begin and implement proper training. So, get them on board too!
Share the knowledge
This is important intel for you to know and share with your family and friends. After all, knowledge is power. Post a link to this security alert on your social media accounts. People will thank you!