
Scam targets employees with purse strings

BBB report: Cost businesses and organizations $34 million since 2016

Business scams targeting lower-level employees with some control of company purse strings have skyrocketed in the last few years, according to the Better Business Bureau.

In a press release Thursday, BBB said a study found business email compromise (BEC) scams have risen in frequency, costing Canadian businesses and organizations $34 million since 2016.

BECs are email phishing expeditions that target C-level staff of businesses, government and non-profit organizations who authorize payments or pay bills, according to BBB.

Scammers pose as a reliable source in emails from a spoofed or hacked account to an accountant, chief executive officer, chief financial officer or other staff, BBB said in the release. The emails ask them to wire money, buy gift cards or send personal information, often giving a plausible reason for the request. If the money is sent, it goes into an account controlled by the scammer.

“The study found that fraudsters need the names of people within an organization, their job function as well as their email, username and password, often obtained with illicit open-source tools, free trials or lead-generation services,” said the release.

“They must send emails directly to an individual, often impersonating a trusted superior or partner, by using a fake email address or domain name, or by hacking a real person’s email account. The scammers also need a way to obtain money sent by victims, often via money mules.”

There are at least six main types of BEC scams, sometimes called “spear phishing,” differing based on who appears to be the email sender:

• a CEO asking the CFO to wire money to someone;

• a vendor or supplier requesting a change in invoice payment;

• executives requesting copies of employee tax information;

• senior employees seeking to have their pay deposited into a new bank account;

• an employer asking the recipient to buy gift cards on their behalf;

• and even a real estate agent or title company redirecting proceeds from a real estate sale into a new account.

The study found 80% of North American businesses received at least one BEC email and Canadians reported $6 million in losses in 2018. The Canadian Anti-Fraud Centre reported it had received more than 1,200 reports with $34 million in losses since 2016. In the first five months of 2019, it had received reports totalling $9 million in losses. The BBB believes these numbers are the tip of the iceberg because much of this type of fraud is not reported.

The BBB report determined the average loss involving wire transfers is $46,000 while that of gift cards is $1,300 to $2,600.

“The majority of persons who have been arrested or charged for BEC fraud in North America over the last three years are of Nigerian origin,” said the BBB release. “The study finds that 90% of BEC groups operate out of Nigeria, with other Nigerian fraud groups operating from the U.S., Canada and many other countries. While Nigeria has a long tradition of consumer fraud, Ghana is also a significant source of activity.”

BBB makes the following recommendations to combat spear phishing:

• Take technical precautions such as multi-factor authentication for email logins. Changes should also be made to email settings so that all emails coming from outside an organization are flagged with a warning.

• Verify changes to the information for customers, employees or vendors.

• Limit the number of times people can enter incorrect login information without having to contact an administrator. This will stop brute force attacks that try many different passwords until they find one that works.

• Confirm requests by phone before acting and train all employees in internet security.

• Email system providers should consider enabling additional features, including default settings with more security.

• Retail businesses selling gift cards can train employees to warn potential victims that gift cards are commonly used as payment methods for frauds.

Any organization that believes it has been a victim of a BEC fraud should notify its bank immediately to stop payment, and report it to the anti-fraud centre and BBB. There’s a chance of getting the money back if a report is filed within 48 hours. The BBB also said it is important to report unsuccessful BEC attempts because they may help establish patterns or identify money mule bank accounts.

newsroom@tricitynews.com