BUSINESS E-MAIL COMPROMISE (BEC) AND ACH/CHECK SCAMS ARE ON THE RISE AGAIN

Four scams to avoid and some fraud-stopping tips to review

BEC scams, also known as “Man in the Middle” scams, have contributed to a significant rise in cybercrime in 2020. BEC is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

Please review these BEC scams below so you can be more vigilant in protecting your business accounts. We also recommend sharing this information with your employees and colleagues.

1. Vendor Scam

Scam concept: Vendors pay invoices at the request of a business employee whose email was compromised.

How it works: An employee of a business has his/her personal email hacked. Requests for invoice payments to fraudulent bank accounts are sent from this employee’s email account to multiple vendors identified from this employee’s contact list. The business may not become aware of the fraudulent requests until they are contacted by their vendors to follow up on the status of their invoice payment.

2. The Invoice Scam

Scam concept: An email comes from a vendor with a request to wire funds for invoice payment to a specific (fraudulent) bank account. This scam is also known as “The Bogus Invoice Scam,” “The Supplier Swindle,” and “Invoice Modification Scam.”

How it works: A business receives a request to wire funds for invoice payment. The request may be made via telephone, fax, or email. If an email is received, the perpetrator will have spoofed it so that it appears very similar to a legitimate account, and it would take very close scrutiny to determine that it was fraudulent. Likewise, if a facsimile or telephone call is received, it will closely mimic a legitimate request.

3. CEO Scam

Scam concept: An employee transfers money to another financial institution on a fake request, received via email, from the company’s CEO or another executive. This scam is also known as “CEO Fraud,” “Business Executive Scam,” “Masquerading,” and “Financial Industry Wire Fraud.”

How it works: The email accounts of business executives (CFO, CTO, etc.) are spoofed or hacked. A request for a wire transfer from that email address is made to another employee within the company who is normally in charge of processing requests from executives and payments; typically, someone from Accounts Payable.

In a modified version of this scam, criminals who have access to the email account identify established financial institution contacts in the employee’s contact list. A request may then be sent from the compromised email address directly to the financial institution, asking it to send funds to a specific (fraudulent) bank for a certain reason.

4. HR Data Scam

Scam concept: Victim receives a fraudulent e-mail requesting either all Wage or Tax Statement (W-2) forms or a company list of Personally Identifiable Information (PII).

How it works: These fraudulent requests are typically sent during tax season, yet they do not appear to be connected to other types of tax scams. An employee responsible for paperwork such as W-2s and other PII documents, in the HR, bookkeeping, or auditing section of the business, receives a bogus request for paperwork containing Personally Identifiable Information (PII). The request comes from a compromised HR or business executive email address, prior to a traditional BEC incident.

If you suspect that you or your business have been a victim of a BEC or online fraud, you may file a complaint directly with the FBI Internet Crime Complaint Center.

Quick Tips to avoid Business Banking Fraud:

Set up e-mail alerts on your account to be notified when money is withdrawn from your business account. The FASTER you become aware of any fraudulent charges, the better your chances are of stopping the hacker. If you contact the bank IMMEDIATELY, you have a high probability of keeping your money.

Remember to always archive or destroy copies of checks and paperwork that contain the only two pieces of information criminals need to steal money through ACH Fraud: your business checking account number and a bank routing number.

ALWAYS require YOUR signature for all wire transfers.

Only use a business debit card for Point of Sale purchases you make in person, and never use debit cards for online transactions.

If you have received a letter, call, text, or e-mail asking for an account change or a remit-to payment address change or update, call the business to ensure the request is coming from them and is legitimate. Many fraudsters set up phony accounts and ACH transfer destinations.

Separate or split your money into several accounts to minimize the risk of fraud. Consider using separate accounts for paychecks and online bill pay.

Have professional, reliable cybersecurity protection, not just for the computer dedicated to banking, but your entire business computer network both from the office and remotely.
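
As an added illustration of the Invoice Scam's look-alike sender and of the tip about verifying account-change requests, the Python below holds a payment request when the sender's domain only resembles a known vendor or when the bank details differ from those on file. It is example code added to this article, not River Run's or any bank's tooling; the vendor records, domains, threshold, and function names are constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed vendor master record: domain -> bank details on file (all values made up).
VENDOR_MASTER = {
    "acme-supplies.example": {"routing": "000000001", "account": "1234567890"},
    "northwind-freight.example": {"routing": "000000002", "account": "5550001111"},
}

def sender_domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def closest_vendor(domain):
    """Return (vendor_domain, similarity 0..1) for the most similar known vendor."""
    score, known = max(
        (SequenceMatcher(None, domain, known).ratio(), known)
        for known in VENDOR_MASTER
    )
    return known, score

def review_payment_request(sender, routing, account, threshold=0.85):
    """Return findings for a payment request. Any finding means: hold the
    payment and call the vendor on the phone number already on file."""
    domain = sender_domain(sender)
    if domain in VENDOR_MASTER:
        on_file = VENDOR_MASTER[domain]
        # A genuine but hacked mailbox passes the domain check, so the bank
        # details must still match the vendor record.
        if (routing, account) != (on_file["routing"], on_file["account"]):
            return ["BANK_DETAILS_CHANGED"]
        return []
    vendor, score = closest_vendor(domain)
    if score >= threshold:
        # Near-identical spelling of a known vendor, e.g. "1" in place of "l".
        return [f"LOOKALIKE_DOMAIN:{vendor}"]
    return ["UNKNOWN_SENDER"]

if __name__ == "__main__":
    # Constructed sample requests: (sender, routing number, account number).
    samples = [
        ("ap@acme-supplies.example", "000000001", "1234567890"),
        ("ap@acme-supplies.example", "000000009", "9999999999"),
        ("ap@acme-supp1ies.example", "000000009", "9999999999"),
        ("billing@unrelated.example", "000000009", "9999999999"),
    ]
    for sender, routing, account in samples:
        print(sender, review_payment_request(sender, routing, account) or "OK")
```
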

John Limbach is COO at River Run. River Run provides exceptional IT and security Managed Services experiences for hundreds of businesses in the Midwest.

