BBB serving Central East Texas advises businesses to be aware of Business Email Compromise (BEC) scams which have stolen sensitive employee information and cost businesses across the U.S. millions of dollars. The schemes typically involve phony or “spoofed” email instructions that appear to be from high-ranking company officials, often a CEO. The emails instruct employees to wire cash or provide information such as W-2 wage and tax statements. The schemes target a wide variety of businesses, from large corporations to small businesses to nonprofit groups.
BEC scams take many forms, but a common one is cybercriminals sending emails pretending to be the boss. Justin Huffaker, Vice President of Strategic Technology for Datamax, a BBB Accredited Business, describes malicious efforts like this as social engineering. These efforts are increasingly targeting end users, making employee awareness and education an essential part of any cybersecurity strategy.
Huffaker provides one example of how a socially engineered scam might work:
- A cybercriminal scans a company website to determine who the senior leadership team is (business owners, presidents, CEOs)
- The cybercriminal places calls into the company to determine names of key people in human resources and finance departments
- The cybercriminal sets up a fake email address using the real name of the most senior people in the company
- The cybercriminal sends email messages to the key people in the human resources and finance departments requesting a list of IRS W-2 filing data that is being prepared for all employees
- The human resource or finance department people receive this message, respond to the email, and provide the data as requested
The Federal Bureau of Investigation (FBI) recently announced that it received more than 166,000 victim complaints with worldwide losses of over $26 billion to BEC wire transfer schemes from June 2016 through July 2019.
“Several East Texas organizations have fallen prey to this scam,” Mechele Agbayani Mills, President and CEO of BBB Serving Central East Texas said. “Making sure your staff is aware of the red flags is key to minimizing your business’ chances of becoming victimized.”
The following tips can help companies protect themselves from the schemes:
- Ramp up prevention efforts in the form of fraud awareness training for employees and robust technical prevention controls.
- Create a solid business continuity plan in the event of a BEC scam.
- Confirm all requests for fund transfers. When verifying by phone, use known phone numbers, not numbers provided by the email request.
- Carefully scrutinize all email requests for fund transfers or sensitive employee information to determine whether they are legitimate. For instance, review the “Reply-To” header to ensure the email address actually belongs to your organization. Be aware of lookalike domains.
- Review email logs, with automated tools if possible, looking for potentially suspicious fake “executive” emails from free email service providers.
- If you are victimized in a wire transfer scheme, contact your financial institution as soon as you learn of the theft.
- Contact your local FBI office if you detect the wire transfer scheme quickly. Contact the IRS if you learn that tax information has been compromised.
- File a complaint at www.IC3.gov.
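The log-review tip above (Reply-To mismatches, lookalike domains, “executive” mail from free providers) can be automated. The script below is an added example, not code from BBB or Datamax; the organisation domain, executive names and the two sample messages are constructed for illustration.

```python
from email.parser import Parser
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"          # constructed: your organisation's real domain
EXECUTIVES = {"jane doe", "john roe"}    # constructed: leaders whose names BEC mail impersonates
FREE_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

def _domain(header_value):
    """Extract the lower-cased domain from an address header such as 'Name <user@host>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def _edit_distance(a, b):
    # Plain Levenshtein distance: 'examp1e-corp.com' is 1 edit from 'example-corp.com'.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_message(raw):
    """Return the list of BEC red flags found in one raw (RFC 822) message."""
    msg = Parser().parsestr(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = _domain(msg["Reply-To"]) if msg.get("Reply-To") else from_dom
    flags = []
    # Display name of a known executive, but the mail did not originate from our domain.
    if from_name.strip().lower() in EXECUTIVES and from_dom != ORG_DOMAIN:
        kind = "free email provider" if from_dom in FREE_PROVIDERS else "external domain"
        flags.append(f"executive display name sent from {kind} ({from_dom})")
    # Replies would silently go somewhere other than the apparent sender.
    if reply_dom != from_dom:
        flags.append("Reply-To domain differs from From domain")
    # Domains one or two characters away from ours are classic lookalikes.
    for dom in {from_dom, reply_dom}:
        if dom != ORG_DOMAIN and 0 < _edit_distance(dom, ORG_DOMAIN) <= 2:
            flags.append(f"lookalike domain: {dom}")
    return flags

# Constructed sample messages: one impersonation attempt and one legitimate internal mail.
SAMPLE_SPOOF = ("From: Jane Doe <jane.doe@gmail.com>\nTo: payroll@example-corp.com\n"
                "Reply-To: ceo-office@examp1e-corp.com\nSubject: W-2 list\n\n"
                "Please send the W-2 data for all employees today.\n")
SAMPLE_LEGIT = ("From: Jane Doe <jane.doe@example-corp.com>\nTo: payroll@example-corp.com\n"
                "Subject: Q3 planning\n\nSee attached.\n")

if __name__ == "__main__":
    for name, raw in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(name, flag_message(raw) or ["no flags"])
```

Run it over exported mail logs and route anything flagged to a verification step by phone using a known number, as the tips above recommend.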
“This is not a sophisticated scam. However, it is an effective and profitable one and it happens to an increasing number of companies across America each year,” Huffaker said. “There are immediate steps that can be put in place to minimize such a risk. Some of these steps involve the adoption of simple operational procedures and employee training and do not require the acquisition of expensive computer servers and other hardware.”