FIGH T BACK! TIP
Amanda Horowitz is a writer,
businesswoman and owner
of Fight Back! She is the
daughter of Fight Back’s
founder, David Horowitz.
Fight Back! has received
multiple Emmy Awards
and awards from more than
;;; government and citizen
groups and has helped to
draft over ;; pieces of
in the United States.
Horowitz can be contacted
Please include “Consumer
Connection” in the subject
line. She will select questions
to answer in this column
but regrets that unpublished
questions cannot be answered
MORE IN ARCHIVES
search “Consumer Connection.”
Please note that Amanda Horowitz
and Fight Back! are not licensed
professionals in any field. If you are
seeking professional advice, you should
consult with your own licensed
professional. Amanda Horowitz and
Fight Back! do not assume any liability
or responsibility for the interpretation,
application or accuracy of any
BUSINESSES CONTINUE to fall victim to the
business email compromise (BEC) scam, a
financial cyberthreat that has resulted in billions of dollars of global losses. The FBI warns
that companies and organizations of all sizes in
different industries all over the world have been
targets of the scheme, from well-known corporations and nonprofits to churches and school
systems. Understanding and anticipating the
scam can help prevent losses.
Ways the scam is perpetrated
Crime groups use a variety of sophisticated
techniques to trick victims into making payments or sending wire transfers to them. They
infiltrate a company’s network through phish-ing or a malware attack, which allows them to
access financial account information and passwords and to study vendors, contact lists, billing
systems and employee email communication
styles. Scammers may then:
Hack an executive’s email and use it to send
requests—for W-; or personally identifiable
information—to the chief financial officer,
human resources, finance department, a bookkeeper, controller or accountant. The email tells
the recipient that the information is necessary
for “tax audit purposes.” The stolen data is then
used to commit other forms of identity theft,
such as filing fraudulent tax returns and applying for loans or credit cards.
Spoof or hack an executive’s email and
use it to ask an employee responsible for processing wire transfer requests to send money
to a trusted vendor, directing it to a fraud-ster-controlled bank account. In some cases,
scammers request funds directly from a financial institution.
Mimic a supplier with whom a business has a
long-standing relationship and ask to have
funds for an invoice payment wired to a fraud-
ster-controlled bank account.
Identify themselves as lawyers or representatives of a law firm and claim to be handling a
time-sensitive or confidential matter. Communications at the end of the business day or workweek are timed to coincide with the close of
business of international financial institutions
so transactions will not be stopped.
Hack title, escrow or real estate companies
to monitor real estate proceedings and target
buyers, sellers, agents and lawyers for money.
Buyers think they are wiring a do wn payment on
a dream home but instead are sending their life
savings to scammers.
Safeguarding your business
The FBI suggests that the easiest way to
thwart BEC scams is to implement a two-step
verification strategy for fund transfers or pay-
ments that does not rely on email. Company
personnel should verify face-to-face or voice-to-
voice that communications are indeed with a
legitimate business associate. Require a second-
ary signoff by company personnel to verify
changes in vendor bank account information or
payment location. Here are other suggested pro-
• Educate company personnel about cyber-
crime and the intricacies of BEC scams.
• Implement two-step verification for email
access, including for free web-based email.
• Register all business domain names that
are slightly different from your company’s
domain name and create rules for an intrusion
detection system that flags email variations so
scammers cannot, for example, use fraudulent
xyz-company.com to imitate your business’s
• Pay attention to variations on a legitimate
email address. For example, a scammer could
imitate the legitimate email address john.kelly@
xyzcompany.com with the fraudulent email
• Scrutinize financial email requests to
determine if they are out of the ordinary. Stay
updated on your customers’ habits, including
the details and reasons behind payments.
• Create an email rule to flag communications where the “reply” address is different
from the “from” address.
• Avoid posting company job duties or
descriptions, hierarchal information, or out-of-office details to social media. Scammers can use
the information for BEC attacks. C
Don’t fall for a business email scam
IF YOU ARE A VICTIM: Act fast. If the fraud is
not discovered quickly, money may be hard to
recover because criminal groups use laundering techniques and money mules (typically
romance and lottery scam victims) to make
cash hard to trace.
Contact your financial institution immediately and ask it to contact the financial
institution where money was sent.
Contact your local FBI office ( fbi.gov/
contact-us/field-offices). The FBI may be able
to help freeze or return the funds.
File a complaint with the FBI’s Internet
Crime Complaint Center ( bec.ic3.gov).—AH