What the FTC is Doing

The FTC and FDA have jointly issued warning letters to seven sellers of unapproved and misbranded products, claiming they can treat or prevent the Coronavirus. The companies’ products include teas, essential oils, and colloidal silver.

Avoid Coronavirus Scams

So what is “Phishing”?

Phishing is a tactic that criminals use to lure and gain access to your personal and business financial information. Criminals send emails on the fly, purporting to be from reputable companies, such as yours, to induce individuals within and outside of your business to reveal personal information such as passwords, account numbers, etc.

Think it won’t happen to you?

According to the FBI’s 2018 Internet Crime Report, Washington State ranked #6 in the count of victims by state; and #13 in total loss by victim per state.
Still feeling confident? If you are not worried about potentially losing $64,000, then you have no need to continue to read on.

Last year alone the average loss was $64,000, up from $43,000 the year prior.

So what can you do to help detect, deter and prevent yourself from becoming a statistic?

First and foremost, before you act and respond to any email, make certain that the email came from a correct and authorized sender before you send a wire, change a payroll account, pay an invoice, purchase gift cards, etc.

According to the FBI, Business Email Compromise is significantly on the rise. This type of scam targeting companies who conduct wire transfers, have suppliers abroad and do direct deposit payroll. Corporate or publicly available email accounts of executives or high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised through keyloggers or phishing attacks to do fraudulent transfers.
Some of the sample email messages have a subject line containing words such as urgent, direct deposit, request, payment, transfer, among others. Based on FBI, there are 5 types of BEC scams:

• The Bogus Invoice Scheme- Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters.
• CEO Fraud- Attackers pose as the company CEO, business owner or executive and send an email to employees in finance, requesting them to transfer money to the account they control.
• Account Compromise-An executive, business owner or employee email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
• Data Theft- Employees in HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. Such data can be used for future attacks.
• Attorney Impersonation- Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters. Normally, such bogus requests are done through email or phone, and during the end of the business day.

Here is an example of how it works.

The Setup:

The Players

• Elizabeth: The CEO being impersonated by the thief. Some simple research is done prior to sending this innocuous email to discover the victim’s name, if they are out of the office and a rough idea of a request that would not raise a red flag.
• Jill: The Secondary victim is a key employee of the company, usually in the finance department, that the thief is targeting to enable the fraud to occur. Prior to the setup, research is performed on the target organization to determine whom is enabled to transfer/wire funds.
• Thief: the perpetrator in this example. They likely have altered the name displayed in email to match the victim but NOT the actual email address. More skilled criminals will use fake email domain such as @yah00.com instead of @yahoo.com even purchasing the domain to cement their ruse. In very sophisticated attacks, they can spoof or replicate the CEO’s exact email.

The Heist

With Jill believing the email came from the CEO she transfers / wires the money directly to the thief’s account.
The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Do not rely on email alone.

 

What can you do? The FBI has issued various tips on how to protect yourself, but one easy way is as follows: have your company start a policy of requiring verbal and/or fax confirmation of all wire transfers. The policy would require the initial written direction be received by email, but before the wire will be initiated your authorized employee would fax and/or call the person directing the wire and receive a secondary verbal confirmation, preferably live confirmation and not simply a voicemail. This may slow down your process, but it will also stop the scam in its tracks.
Similar practices can be applied to stop other scams. Such as, if a change to a payroll account is received via email; verbally confirm the request is valid with the employee. If a vendor emails updated payment/invoice information to a new bank and/or bank account; verbally verify with the vendor the change is authentic.

Some other recommendations from the FBI:

• Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary.
• Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign- off by company personnel.
• Confirm requests for transfers of funds. When using phone and/or fax verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the email request.
• Conduct employee security awareness training and implement other security protection policies and programs to ensure your business and employees implement and maintain careful business practices to avoid being victims to these and other types of cybercrimes and scams.
• Know the habits of your customers, including the details of, reasons behind, and amount of payments.
• Create intrusion detection system rules that flag emails with extensions that are similar to company email. For example, legitimate email ofabc_company.com would flag fraudulent email of abc-company.com.
• Register all company domains that are slightly different than the actual company domain.

What should you do if you are a victim? If funds are transferred to a fraudulent account, it is important to act quickly:

• Contact your financial institution immediately upon discovering the fraudulent transfer.
• Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
• Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds.
• File a complaint, regardless of dollar loss, at www.IC3.gov.

For more information and ways to protect your business from fraud, please visit the Federal Bureau of Investigation Internet Crime Complaint Center (IC3) or Federal Trade Commission (FTC) Small Business Website

 

Resources and References

FBI 2018 Internet Crime Report: https://www.ic3.gov/AnnualReport/Reports/2018_ic3report.pdf

DOJ/FBI – BEC Public Service Announcement: https://www.ic3.gov/media/2016/160614.aspx

Data Insider Digital Guardian’s Blog: https://digitalguardian.com/blog/bec-scams-responsible-12b-losses-2018

FTC – Protecting Small Businesses: https://www.ftc.gov/tips-advice/business-center/small-businesses

Shopping Online Infographic

Follow these tips for hassle-free online shopping: get the details, pay by credit card, keep records, and protect your personal and financial information.

• Get the Details
• Pay by Credit Card
• Keep Records
• Protect Your Information
• How to Report Online Shopping Fraud

Get the Details

Know who you’re dealing with.

Anyone can set up shop online under almost any name. Confirm the online seller’s physical address and phone number in case you have questions or problems. And if you get an email or pop-up message that asks for your financial information while you’re browsing, don’t reply or follow the link. Legitimate companies don’t ask for information that way.

Know what you’re buying.

Read the seller’s description of the product closely, especially the fine print. Words like “refurbished,” “vintage,” or “close-out” may indicate that the product is in less-than-mint condition, while name-brand items with bargain basement prices could be counterfeits.

Know what it will cost.

Check out websites that offer price comparisons and then compare “apples to apples.” Factor shipping and handling into the total cost of your purchase. Do not send cash or money transfers under any circumstances.

Check out the terms of the deal, like refund policies and delivery dates.

Can you return the item for a full refund if you’re not satisfied?  If you return it, who pays the shipping costs or restocking fees, and when you will get your order? A Federal Trade Commission (FTC) rule requires sellers to ship items as promised or within 30 days after the order date if no specific date is promised. Many sites offer tracking options, so you can see exactly where your purchase is and estimate when you’ll get it.

Pay by credit card.

If you pay by credit or charge card online, your transaction will be protected by the Fair Credit Billing Act. Under this law, you can dispute charges under certain circumstances and temporarily withhold payment while the creditor investigates them. In the event that someone uses your credit card without your permission, your liability generally is limited to the first $50 in charges. Some companies guarantee that you won’t be held responsible for any unauthorized charges made to your card online; some cards provide additional warranty, return, and purchase protection benefits.

Keep Records.

Print or save records of your online transactions, including the product description and price, the online receipt, and the emails you send and receive from the seller. Read your credit card statements as you receive them; be on the lookout for charges that you don’t recognize.

Protect Your Information

Don’t email any financial information.

Email is not a secure method of transmitting financial information like your credit card, checking account, or Social Security number. If you begin a transaction and need to give your financial information through an organization’s website, look for indicators that the site is secure, like a URL that begins https (the “s” stands for secure). Unfortunately, no indicator is foolproof; some fraudulent sites have forged security icons.

Check the privacy policy.

Really. It should let you know what personal information the website operators are collecting, why, and how they’re going to use the information. If you can’t find a privacy policy — or if you can’t understand it – consider taking your business to another site that’s more user-friendly.

How to Report Online Shopping Fraud

If you have problems during a transaction, try to work them out directly with the seller, buyer, or site operator. If that doesn’t work, file a complaint with:

• the Federal Trade Commission at www.ftc.gov/complaint
• your state Attorney General, using contact information at naag.org
• your county or state consumer protection agency. Check the blue pages of the phone book under county and state government, or visit consumeraction.gov and look under “Where to File a Complaint.”
• the Better Business Bureau

TAXES. SECURITY. TOGETHER.

The IRS, the states and the tax industry are committed to protecting you from identity theft. We’ve strengthened our partnership to fight a common enemy – the criminals – and to devote ourselves to a common goal – serving you. Working together, we’ve made many changes to combat identity theft, and we are making progress. However, cybercriminals are constantly evolving, and so must we. The IRS is working hand-in-hand with your state revenue officials, your tax software provider and your tax preparer. But, we need your help. We need you to join with us. By taking a few simple steps, you can better protect your personal and financial data online and at home.

Please consider these steps to protect yourselves from identity thieves:

Keep Your Computer Secure

• Use security software and make sure it updates automatically; essential tools include:

• Firewall
• Virus/malware protection
• File encryption for sensitive data

• Treat your personal information like cash, don’t leave it lying around
• Check out companies to find out who you’re really dealing with
• Give personal information only over encrypted websites – look for “https” addresses
• Use strong passwords and protect them
• Back up your files

Avoid Phishing and Malware

• Avoid phishing emails, texts or calls that appear to be from the IRS and companies you know and trust, go directly to their websites instead
• Don’t open attachments in emails unless you know who sent it and what it is
• Download and install software only from websites you know and trust
• Use a pop-up blocker
• Talk to your family about safe computing

Protect Personal Information

Don’t routinely carry your social security card or documents with your SSN. Do not overshare personal information on social media. Information about past addresses, a new car, a new home and your children help identity thieves pose as you. Keep old tax returns and tax records under lock and key or encrypted if electronic. Shred tax documents before trashing.

Avoid IRS Impersonators. The IRS will not call you with threats of jail or lawsuits. The IRS will not send you an unsolicited email suggesting you have a refund or that you need to update your account. The IRS will not request any sensitive information online. These are all scams, and they are persistent. Don’t fall for them. Forward IRS-related scam emails to phishing@irs.gov. Report IRS-impersonation telephone calls at www.tigta.gov.

Additional steps:

• Check your credit report annually; check your bank and credit card statements often;
• Review your Social Security Administration records annually: Sign up for My Social Security at www.ssa.gov.
• If you are an identity theft victim whose tax account is affected, review www.irs.gov/identitytheft for details.

Information obtained from Department of the Treasury Internal Revenue Service | www.irs.gov | Publication 4524