According to a recent notification from the FBI’s Cyber Division, the precipitous increase in remote work instigated by the COVID-19 pandemic has also caused a resurgence in Business Email Compromise (BEC) Schemes.
In BEC scams, cybercriminals target employees with emails that appear to be from management or from vendors the employee works with or communicates with regularly. In some instances, the criminals spoof an email account or domain to fool a victim into believing the message comes from their direct manager. For example, email@example.com vs. firstname.lastname@example.org is just different enough that a busy employee may not notice the difference. In other cases, the cybercriminal successfully compromises an email account and can send the scam from the actual email address of a manager or C-suite executive.
There are a variety of BEC scams:
- In this BEC scam, an employee receives what appears to be an invoice from a vendor or a manager. The email indicates the vendor has changed its bank account and provides a new account number to which funds should be remitted. Several Higher Education Institutions have fallen prey to this scam.
- A scam that grew in popularity in 2017 and is now seeing a resurgence convinces employees to purchase hundreds of dollars in iTunes or other gift cards and send the card numbers via email or text. An employee working from home may receive an email (or a text) that appears to be from their manager. The manager indicates they are on a critical phone call but need 500 dollars of gift cards and asks the employee to buy the cards and send the numbers to them, promising, of course, to repay them right away. In 2017 and 2018, scammers targeted Higher Education very successfully, and the current conditions have made this scam successful once again.
- In this scam, cybercriminals using a fake or compromised email impersonate a lawyer in an attempt to gather sensitive business, personal or financial information.
In the event you receive such an email, consider the following tips:
- When you receive an email requesting a money transfer or sensitive information, instead of hitting ‘Reply,’ use ‘Forward’ and send it to the intended recipient’s known address. This method can help you avoid falling victim to a BEC scam that relies on a spoofed domain or a hidden reply-to address.
- Ensure there is a formal process for high-risk transactions such as wire transfers and requests for sensitive documentation.
- Email is a gateway into your computer and personal information, so make sure you only open emails or attachments from known senders and, in general, be wary of emails with attachments. Before clicking links sent in an email, ensure you know the email sender is verified and authentic.
- Fraud is ever-changing; keep up to date with the latest fraud trends by visiting online information security sources or contacting the SEMO Information Security Officer.
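The spoofed-domain trick described above and the ‘Forward, don’t Reply’ tip both come down to checking where a message really came from and where a reply would really go. The following is an added example, not code from the original article or from SEMO, that applies those two checks to constructed sample headers; the trusted-domain list and sample messages are assumptions for illustration.

```python
from email.utils import parseaddr

# Constructed for this example: domains the organisation already trusts.
TRUSTED_DOMAINS = {"example.com", "vendor-example.org"}

def domain_of(header_value):
    """Return the lowercase domain part of an address in a From/Reply-To header."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(headers, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return the reasons an inbound message deserves out-of-band verification."""
    flags = []
    from_dom = domain_of(headers.get("From", ""))
    reply_dom = domain_of(headers.get("Reply-To", ""))
    # A Reply-To pointing somewhere other than the visible sender is exactly why
    # the article says to Forward to a known address instead of hitting Reply.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    # A sender domain that is almost, but not exactly, a trusted one is a lookalike.
    if from_dom and from_dom not in trusted:
        for t in trusted:
            if edit_distance(from_dom, t) <= max_dist:
                flags.append(f"sender domain {from_dom} looks like trusted domain {t}")
    return flags

# Constructed sample headers, not taken from any real message.
SAMPLES = {
    "legit": {"From": "CFO <cfo@example.com>"},
    "reply_to": {"From": "CFO <cfo@example.com>", "Reply-To": "cfo@examp1e.com"},
    "lookalike": {"From": "Vendor AP <billing@vendor-examp1e.org>"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, bec_flags(hdrs) or ["no flags"])
```

A flag is a prompt to verify the request by a known phone number or a freshly typed address, not proof of fraud.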
Author: Bill Green
Graphics Courtesy of Freepik