By knowing the signs of money mule activity, you can protect yourself and your community, and avoid assisting fraudsters.
February 11, 2021
Mountain Pacific Bank has been made aware of a data breach at the State Auditor’s Office (SAO) involving data that may have been stolen from their third-party vendor. While Mountain Pacific Bank systems have not been breached or hacked, the data with the SAO includes personal information for more than a million individuals who filed unemployment claims in 2020, as well as other information from some state agencies and local governments. In all, roughly 1.6 million claims are likely impacted.
For more information on the latest Washington State Auditor’s Office data breach, you can monitor their response page at https://sao.wa.gov/breach2021/
Mountain Pacific Bank would like to take this time to remind you of the services offered that can help you monitor your accounts.
Enroll in personal online banking services. This allows you to view balance and transaction information and can help you identify unauthorized activity quickly.
Enroll in E-Statements. This service allows for secure delivery of your Bank periodic statement and eliminates the risk of your financial statement being stolen from your mailbox. E-Statement enrollment is completed through your online banking profile.
If there is anything that we can do to assist you, please call 425-263-3500 weekdays between the hours of 8:30am and 5pm.
Check out this PDF from the Federal Trade Commission about how to avoid small business scams.
Check out this PDF from the Federal Trade Commission about how to avoid Imposter scams.
Checks from the Government
by Jennifer Leach
Associate Director, Division of Consumer and Business Education, FTC
As the Coronavirus takes a growing toll on people’s pocketbooks, there are reports that the government will soon be sending money by check or direct deposit to each of us. The details are still being worked out, but there are a few really important things to know, no matter what this looks like.
What the FTC is Doing
The FTC and FDA have jointly issued warning letters to seven sellers of unapproved and misbranded products, claiming they can treat or prevent the Coronavirus. The companies’ products include teas, essential oils, and colloidal silver.
Avoid Coronavirus Scams
Here’s how they work:
You get a call from someone who says she’s from the IRS. She says that you owe back taxes. She threatens to sue you, arrest or deport you, or revoke your license if you don’t pay right away. She tells you to put money on a prepaid debit card and give her the card numbers.
The caller may know some of your Social Security number. And your caller ID might show a Washington, DC area code. But is it really the IRS calling?
No. The real IRS won’t ask you to pay with prepaid debit cards or wire transfers. They also won’t ask for a credit card over the phone. And when the IRS first contacts you about unpaid taxes, they do it by mail, not by phone. And caller IDs can be faked.
Here’s what you can do:
- Stop. Don’t wire money or pay with a prepaid debit card. Once you send it, the money is gone. If you have tax questions, go to irs.gov or call the IRS at 800-829-1040.
- Pass this information on to a friend. You may not have gotten one of these calls, but the chances are you know someone who has.
Please Report Scams
If you spot a scam, please report it to the Federal Trade Commission.
- Call the FTC at 1-877-FTC-HELP (1-877-382-4357) or TTY 1-866-653-4261
- Go online: ftc.gov/complaint
Your complaint can help protect other people.
By filing a complaint, you can help the FTC’s investigators identify the imposters and stop them before they can get someone’s hard-earned money. It really makes a difference.
Resource: Federal Trade Commission | ftc.gov/PassItOn
So what is “Phishing”?
Phishing is a tactic that criminals use to lure and gain access to your personal and business financial information. Criminals send emails on the fly, purporting to be from reputable companies, such as yours, to induce individuals within and outside of your business to reveal personal information such as passwords, account numbers, etc.
Think it won’t happen to you?
According to the FBI’s 2018 Internet Crime Report, Washington State ranked #6 in the count of victims by state; and #13 in total loss by victim per state.
Still feeling confident? If you are not worried about potentially losing $64,000, then you have no need to continue to read on.
Last year alone the average loss was $64,000, up from $43,000 the year prior.
So what can you do to help detect, deter and prevent yourself from becoming a statistic?
First and foremost, before you act and respond to any email, make certain that the email came from a correct and authorized sender before you send a wire, change a payroll account, pay an invoice, purchase gift cards, etc.
According to the FBI, Business Email Compromise (BEC) is significantly on the rise. This type of scam targets companies that conduct wire transfers, have suppliers abroad and do direct deposit payroll. Corporate or publicly available email accounts of executives or high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised through keyloggers or phishing attacks to carry out fraudulent transfers.
Some of the sample email messages have a subject line containing words such as urgent, direct deposit, request, payment, transfer, among others. According to the FBI, there are 5 types of BEC scams:
- The Bogus Invoice Scheme: Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters.
- CEO Fraud: Attackers pose as the company CEO, business owner or executive and send an email to employees in finance, requesting them to transfer money to the account they control.
- Account Compromise: An executive, business owner or employee email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
- Data Theft: Employees in HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. Such data can be used for future attacks.
- Attorney Impersonation: Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters. Normally, such bogus requests are done through email or phone, and during the end of the business day.
Here is an example of how it works.
- Elizabeth: The CEO being impersonated by the thief. Some simple research is done prior to sending this innocuous email to discover the victim’s name, whether they are out of the office, and a rough idea of a request that would not raise a red flag.
- Jill: The secondary victim is a key employee of the company, usually in the finance department, whom the thief is targeting to enable the fraud to occur. Prior to the setup, research is performed on the target organization to determine who is enabled to transfer/wire funds.
- Thief: The perpetrator in this example. They have likely altered the name displayed in the email to match the victim but NOT the actual email address. More skilled criminals will use a fake email domain such as @yah00.com instead of @yahoo.com, even purchasing the domain to cement their ruse. In very sophisticated attacks, they can spoof or replicate the CEO’s exact email.
With Jill believing the email came from the CEO, she transfers/wires the money directly to the thief’s account.
The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Do not rely on email alone.
What can you do? The FBI has issued various tips on how to protect yourself, but one easy way is as follows: have your company start a policy of requiring verbal and/or fax confirmation of all wire transfers. The policy would require the initial written direction be received by email, but before the wire will be initiated your authorized employee would fax and/or call the person directing the wire and receive a secondary verbal confirmation, preferably live confirmation and not simply a voicemail. This may slow down your process, but it will also stop the scam in its tracks.
Similar practices can be applied to stop other scams. For example, if a change to a payroll account is received via email, verbally confirm with the employee that the request is valid. If a vendor emails updated payment/invoice information pointing to a new bank and/or bank account, verbally verify with the vendor that the change is authentic.
Some other recommendations from the FBI:
- Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary.
- Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.
- Confirm requests for transfers of funds. When using phone and/or fax verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the email request.
- Conduct employee security awareness training and implement other security protection policies and programs to ensure your business and employees implement and maintain careful business practices to avoid being victims to these and other types of cybercrimes and scams.
- Know the habits of your customers, including the details of, reasons behind, and amount of payments.
- Create intrusion detection system rules that flag emails with extensions that are similar to company email. For example, legitimate email of abc_company.com would flag fraudulent email of abc-company.com.
- Register all company domains that are slightly different than the actual company domain.
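One way to express the lookalike-domain rule from the list above, together with the altered display name described in the Elizabeth/Jill example, is shown here as an added Python example (not code from the FBI or the bank). The trusted domain list, the executive name "Elizabeth Doe" and the sample From headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumed configuration (hypothetical): your real domains and executive names.
TRUSTED_DOMAINS = {"abc_company.com", "yahoo.com"}
EXECUTIVES = {"elizabeth doe"}

# Fold common look-alike characters so "yah00" and "yahoo" compare equal.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "_": "-"})

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1,
                                       prev + (ca != cb))
    return row[-1]

def classify_sender(from_header):
    """Return the reasons a From header looks like a BEC spoof (empty if none)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return []  # exact match: a compromised real account needs other controls
    reasons = []
    for good in sorted(TRUSTED_DOMAINS):
        same_when_folded = domain.translate(HOMOGLYPHS) == good.translate(HOMOGLYPHS)
        # Distance <= 2 catches typos; raise or lower it to tune false positives.
        if same_when_folded or edit_distance(domain, good) <= 2:
            reasons.append(f"lookalike of {good}")
    if name.strip().lower() in EXECUTIVES:
        reasons.append("executive display name on external address")
    return reasons

# Constructed sample headers, not taken from real mail.
SAMPLE_HEADERS = [
    "Elizabeth Doe <elizabeth@abc_company.com>",
    "Elizabeth Doe <elizabeth@yah00.com>",
    "Accounts <billing@abc-company.com>",
    "Elizabeth Doe <ceo.private@example.net>",
    "Vendor AP <ap@example.org>",
]

def scan(headers):
    """Map each suspicious header to its reasons; clean headers are omitted."""
    return {h: r for h in headers if (r := classify_sender(h))}

if __name__ == "__main__":
    for header, why in scan(SAMPLE_HEADERS).items():
        print(header, "->", "; ".join(why))
```

A flag from this check is a prompt to verify the request by phone on a previously known number, not proof of fraud on its own.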
What should you do if you are a victim? If funds are transferred to a fraudulent account, it is important to act quickly:
- Contact your financial institution immediately upon discovering the fraudulent transfer.
- Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
- Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds.
- File a complaint, regardless of dollar loss, at www.IC3.gov.
For more information and ways to protect your business from fraud, please visit the Federal Bureau of Investigation Internet Crime Complaint Center (IC3) or the Federal Trade Commission (FTC) Small Business Website.
Resources and References
FBI 2018 Internet Crime Report: https://pdf.ic3.gov/2018_IC3Report.pdf
DOJ/FBI – BEC Public Service Announcement: https://www.ic3.gov/media/2016/160614.aspx
Data Insider Digital Guardian’s Blog: https://digitalguardian.com/blog/bec-scams-responsible-12b-losses-2018
FTC – Protecting Small Businesses: https://www.ftc.gov/tips-advice/business-center/small-businesses
Tax Identity Theft Awareness
Tax identity theft happens when someone uses your Social Security number (SSN) to get a tax refund or a job. You might find out it’s happened when you get a letter from the IRS saying that more than one tax return was filed with your SSN, or IRS records show you earned income from an employer you don’t know. The IRS may also reject your
To help fight tax identity theft:
• File your return as early in the tax season as you can.
• Use a secure internet connection if you file electronically or mail your tax return from the post office.
Dealing with Tax-Related Identity Theft
If the IRS sends a notice or letter saying that someone used your SSN to get a tax refund, or saying there’s another problem, respond quickly and follow the instructions in the letter.
• Call the IRS using the telephone number given in the letter. Visit the IRS’s guide, IRS Identity Theft Victim Assistance: How It Works, for more information.
• If you think someone used your SSN to file for a tax refund, but you haven’t gotten a letter from the IRS, use IdentityTheft.gov to report it to the IRS and FTC and get a recovery plan.
• Visit IdentityTheft.gov to complete an IRS Identity Theft Affidavit (IRS Form 14039) and submit it to the IRS online so that the IRS can begin resolving your case. You’ll also be reporting the identity theft to the FTC.
Other Steps to Repair Identity Theft
It is important to limit the potential damage from identity theft.
• Put a fraud alert on your credit reports.
• Order your free credit reports and close any new accounts opened in your name.
• Consider placing a credit freeze on your credit reports.