GONE PHISHING!

So what is “Phishing”?

Phishing is a tactic that criminals use to lure and gain access to your personal and business financial information. Criminals send emails on the fly, purporting to be from reputable companies, such as yours, to induce individuals within and outside of your business to reveal personal information such as passwords, account numbers, etc.

Think it won’t happen to you?

According to the FBI’s 2018 Internet Crime Report, Washington State ranked #6 among states by number of victims and #13 in total loss by victim.
Still feeling confident? If you are not worried about potentially losing $64,000, then you have no need to continue to read on.

Last year alone the average loss was $64,000, up from $43,000 the year prior.

So what can you do to help detect, deter and prevent yourself from becoming a statistic?

First and foremost, before you act and respond to any email, make certain that the email came from a correct and authorized sender before you send a wire, change a payroll account, pay an invoice, purchase gift cards, etc.

According to the FBI, Business Email Compromise (BEC) is significantly on the rise. This type of scam targets companies that conduct wire transfers, have suppliers abroad, and run direct-deposit payroll. Corporate or publicly available email accounts of executives or high-level employees involved in finance or wire transfer payments are either spoofed or compromised (through keyloggers or phishing attacks) and then used to initiate fraudulent transfers.
Sample email messages often have a subject line containing words such as urgent, direct deposit, request, payment, or transfer. According to the FBI, there are 5 types of BEC scams:

  • The Bogus Invoice Scheme: Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters.
  • CEO Fraud: Attackers pose as the company CEO, business owner or executive and send an email to employees in finance, requesting them to transfer money to an account the attackers control.
  • Account Compromise: An executive, business owner or employee email account is hacked and used to request invoice payments from vendors listed in the account’s email contacts. Payments are then sent to fraudulent bank accounts.
  • Data Theft: Employees in HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. Such data can be used for future attacks.
  • Attorney Impersonation: Attackers pretend to be a lawyer or someone from a law firm supposedly in charge of crucial and confidential matters. Normally, such bogus requests are made by email or phone, and at the end of the business day.

Here is an example of how it works.

The Setup:

The Players

  • Elizabeth: The CEO being impersonated by the thief. Some simple research is done before the innocuous email is sent, to discover the victim’s name, whether the CEO is out of the office, and a rough idea of a request that would not raise a red flag.
  • Jill: The secondary victim, a key employee of the company, usually in the finance department, whom the thief targets to make the fraud possible. Prior to the setup, research is performed on the target organization to determine who is authorized to transfer or wire funds.
  • Thief: The perpetrator in this example. They have likely altered the display name in the email to match the victim but NOT the actual email address. More skilled criminals will use a look-alike email domain such as @yah00.com instead of @yahoo.com, sometimes even purchasing the domain to cement their ruse. In very sophisticated attacks, they can spoof or replicate the CEO’s exact email address.


The Heist

Believing the email came from the CEO, Jill transfers or wires the money directly to the thief’s account.
The best way to avoid being exploited is to verify the authenticity of any request to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Do not rely on email alone.


What can you do? The FBI has issued various tips on how to protect yourself, but one easy way is as follows: have your company start a policy of requiring verbal and/or fax confirmation of all wire transfers. The policy would require the initial written direction be received by email, but before the wire will be initiated your authorized employee would fax and/or call the person directing the wire and receive a secondary verbal confirmation, preferably live confirmation and not simply a voicemail. This may slow down your process, but it will also stop the scam in its tracks.
Similar practices can be applied to stop other scams. For example, if a change to a payroll account is requested via email, verbally confirm with the employee that the request is valid. If a vendor emails updated payment or invoice information pointing to a new bank or bank account, verbally verify with the vendor that the change is authentic.

Some other recommendations from the FBI:

  • Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary.
  • Verify changes in vendor payment location by adding additional two-factor authentication, such as a secondary sign-off by company personnel.
  • Confirm requests for transfers of funds. When using phone and/or fax verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the email request.
  • Conduct employee security awareness training and implement other security protection policies and programs to ensure your business and employees implement and maintain careful business practices to avoid being victims to these and other types of cybercrimes and scams.
  • Know the habits of your customers, including the details of, reasons behind, and amount of payments.
  • Create intrusion detection system rules that flag emails from sender domains that closely resemble the company’s own domain. For example, if the legitimate domain is abc_company.com, the rule would flag fraudulent email from abc-company.com.
  • Register all company domains that are slightly different than the actual company domain.
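As an added example (not part of the original article), the following Python screening rule implements the look-alike domain check from the FBI recommendation above, together with the display-name mismatch described in the CEO-fraud scenario and the subject-line pressure words listed earlier. The company domain abc_company.com and the lookalike abc-company.com are the article's own example; the executive roster, the character-substitution table and the sample message headers are constructed assumptions for this demonstration, and none of the addresses is real.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the protected company's domain (from the
# article) and the executives whose names a CEO-fraud email would display.
COMPANY_DOMAIN = "abc_company.com"
EXECUTIVE_ADDRESSES = {
    "elizabeth": "elizabeth@abc_company.com",
}

# Subject-line words the FBI lists as common in BEC lures.
SUBJECT_KEYWORDS = ("urgent", "direct deposit", "request", "payment", "transfer")

# Look-alike substitutions (digit-for-letter swaps, hyphen/underscore games).
# Constructed mapping; extend it with the substitutions seen in your own mail flow.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None, "_": None})


def normalize_domain(domain: str) -> str:
    """Lower-case and fold common look-alike characters so that
    'abc-c0mpany.com' and 'abc_company.com' compare equal."""
    return domain.lower().translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, company_domain: str = COMPANY_DOMAIN) -> bool:
    """True when the domain is not the company's but is easily mistaken for it."""
    if domain.lower() == company_domain.lower():
        return False
    a, b = normalize_domain(domain), normalize_domain(company_domain)
    return a == b or edit_distance(a, b) <= 1


def screen_message(from_header: str, subject: str = "") -> list:
    """Return the reasons an inbound message deserves out-of-band verification.
    An empty list means no rule fired; it does not mean the mail is safe."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2]
    reasons = []

    # Rule 1: display name matches an executive, but the address is not theirs.
    name_tokens = set(re.findall(r"[a-z]+", display_name.lower()))
    for exec_name, exec_address in EXECUTIVE_ADDRESSES.items():
        if exec_name in name_tokens and address.lower() != exec_address:
            reasons.append("display_name_impersonation")
            break

    # Rule 2: sender domain is a look-alike of the company domain.
    if domain and is_lookalike_domain(domain):
        reasons.append("lookalike_domain")

    # Rule 3: subject uses the pressure words common in BEC lures.
    subject_lower = subject.lower()
    if any(word in subject_lower for word in SUBJECT_KEYWORDS):
        reasons.append("bec_subject_keyword")

    return reasons


# Constructed sample headers; none of these addresses is real.
SAMPLE_MESSAGES = [
    ('"Elizabeth" <elizabeth@abc_company.com>', "Q3 board deck"),
    ('"Elizabeth" <elizabeth.ceo@yah00.com>', "URGENT wire transfer needed today"),
    ('"Accounts Payable" <billing@abc-company.com>', "Updated invoice"),
    ('"Elizabeth" <elizabeth@abc-c0mpany.com>', "Direct deposit change"),
    ('"Vendor Inc" <ar@vendor-inc.example>', "Monthly statement"),
]

if __name__ == "__main__":
    for header, subject in SAMPLE_MESSAGES:
        flags = screen_message(header, subject)
        print(f"{header:45} {subject:35} -> {flags or 'clean'}")
```

The rules are deliberately independent signals rather than a verdict: a flagged message should route to the verbal or fax confirmation step the article describes, using a previously known phone number, not one taken from the email itself. The edit-distance threshold of 1 after normalization is conservative; raising it catches more typosquats at the cost of more false positives on unrelated short domains.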

What should you do if you are a victim? If funds are transferred to a fraudulent account, it is important to act quickly:

  • Contact your financial institution immediately upon discovering the fraudulent transfer.
  • Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
  • Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds.
  • File a complaint, regardless of dollar loss, at www.IC3.gov.

For more information and ways to protect your business from fraud, please visit the Federal Bureau of Investigation Internet Crime Complaint Center (IC3) or the Federal Trade Commission (FTC) Small Business website.


Resources and References

FBI 2018 Internet Crime Report: https://pdf.ic3.gov/2018_IC3Report.pdf

DOJ/FBI – BEC Public Service Announcement: https://www.ic3.gov/media/2016/160614.aspx

Data Insider Digital Guardian’s Blog: https://digitalguardian.com/blog/bec-scams-responsible-12b-losses-2018

FTC – Protecting Small Businesses: https://www.ftc.gov/tips-advice/business-center/small-businesses