FIGHT BACK! TIP
CONSUMER CONNECTION
AMANDA HOROWITZ
Amanda Horowitz is a writer, businesswoman and owner of Fight Back! She is the daughter of Fight Back’s founder, David Horowitz. Fight Back! has received multiple Emmy Awards and awards from more than ;;; government and citizen groups and has helped to draft over ;; pieces of consumer-related legislation in the United States.
Horowitz can be contacted at Amanda@fightback.com. Please include “Consumer Connection” in the subject line. She will select questions to answer in this column but regrets that unpublished questions cannot be answered individually.
MORE IN ARCHIVES
At costcoconnection.com,
search “Consumer Connection.”
Please note that Amanda Horowitz and Fight Back! are not licensed professionals in any field. If you are seeking professional advice, you should consult with your own licensed professional. Amanda Horowitz and Fight Back! do not assume any liability or responsibility for the interpretation, application or accuracy of any information provided.
Businesses continue to fall victim to the business email compromise (BEC) scam, a financial cyberthreat that has resulted in billions of dollars of global losses. The FBI warns that companies and organizations of all sizes in different industries all over the world have been targets of the scheme, from well-known corporations and nonprofits to churches and school systems. Understanding and anticipating the scam can help prevent losses.
Ways the scam is perpetrated
Crime groups use a variety of sophisticated techniques to trick victims into making payments or sending wire transfers to them. They infiltrate a company’s network through phishing or a malware attack, which allows them to access financial account information and passwords and to study vendors, contact lists, billing systems and employee email communication styles. Scammers may then:
• Hack an executive’s email and use it to send requests—for W-; or personally identifiable information—to the chief financial officer, human resources, finance department, a bookkeeper, controller or accountant. The email tells the recipient that the information is necessary for “tax audit purposes.” The stolen data is then used to commit other forms of identity theft, such as filing fraudulent tax returns and applying for loans or credit cards.
• Spoof or hack an executive’s email and use it to ask an employee responsible for processing wire transfer requests to send money to a trusted vendor, directing it to a fraudster-controlled bank account. In some cases, scammers request funds directly from a financial institution.
• Mimic a supplier with whom a business has a long-standing relationship and ask to have funds for an invoice payment wired to a fraudster-controlled bank account.
• Identify themselves as lawyers or representatives of a law firm and claim to be handling a time-sensitive or confidential matter. Communications at the end of the business day or workweek are timed to coincide with the close of business of international financial institutions so transactions will not be stopped.
• Hack title, escrow or real estate companies to monitor real estate proceedings and target buyers, sellers, agents and lawyers for money. Buyers think they are wiring a down payment on a dream home but instead are sending their life savings to scammers.
Safeguarding your business
The FBI suggests that the easiest way to thwart BEC scams is to implement a two-step verification strategy for fund transfers or payments that does not rely on email. Company personnel should verify face-to-face or voice-to-voice that communications are indeed with a legitimate business associate. Require a secondary signoff by company personnel to verify changes in vendor bank account information or payment location. Here are other suggested protection methods:
• Educate company personnel about cybercrime and the intricacies of BEC scams.
• Implement two-step verification for email access, including for free web-based email.
• Register all business domain names that are slightly different from your company’s domain name and create rules for an intrusion detection system that flags email variations so scammers cannot, for example, use fraudulent xyz-company.com to imitate your business’s legitimate xyz_company.com.
• Pay attention to variations on a legitimate email address. For example, a scammer could imitate the legitimate email address john.kelly@xyzcompany.com with the fraudulent email address john.kelley@xyzcompany.com.
• Scrutinize financial email requests to determine if they are out of the ordinary. Stay updated on your customers’ habits, including the details and reasons behind payments.
• Create an email rule to flag communications where the “reply” address is different from the “from” address.
• Avoid posting company job duties or descriptions, hierarchical information, or out-of-office details to social media. Scammers can use the information for BEC attacks.
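Two of the suggestions above are mechanical enough to run as a mail-filter check: flag mail whose reply address differs from the from address, and flag sender domains or mailboxes that are slight variations of your own (xyz-company.com for xyz_company.com, john.kelley@ for john.kelly@). The Python below is an added example written to illustrate those two rules; it is not code from Fight Back!, the FBI or this column. The trusted domain, the trusted mailbox, the sample messages and the edit-distance threshold of 2 are all constructed assumptions you would replace with your own values.

```python
"""Added example: Reply-To mismatch and lookalike-sender checks for
BEC-style email. Allow-list values and sample messages are constructed."""
import email
from email.utils import parseaddr

# Constructed allow-list: the domain and mailboxes the business really uses.
TRUSTED_DOMAINS = {"xyz_company.com"}
TRUSTED_ADDRESSES = {"john.kelly@xyz_company.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike(candidate: str, trusted: set, max_distance: int = 2):
    """Return the trusted value that `candidate` closely resembles without
    matching exactly, or None. Exact matches are legitimate, not lookalikes.
    The threshold of 2 is an assumption; tune it to your domain names."""
    if candidate in trusted:
        return None
    for t in trusted:
        if edit_distance(candidate, t) <= max_distance:
            return t
    return None


def analyze_headers(raw_message: str) -> list:
    """Return findings as (kind, detail) pairs for one raw email message."""
    msg = email.message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    findings = []

    # Rule from the column: flag mail whose "reply" address differs from "from".
    if reply_addr and reply_addr != from_addr:
        findings.append(("reply_to_mismatch",
                         f"replies go to {reply_addr}, not {from_addr}"))

    # Rule from the column: flag sender domains that are slight variations
    # of your own (xyz-company.com imitating xyz_company.com).
    imitated = lookalike(from_domain, TRUSTED_DOMAINS)
    if imitated:
        findings.append(("lookalike_domain",
                         f"{from_domain} resembles trusted {imitated}"))
    # Rule from the column: flag near-miss mailboxes on your own domain
    # (john.kelley@ imitating john.kelly@). Only checked when the domain is
    # genuinely yours, so a typo-squatted domain yields a single finding.
    elif from_domain in TRUSTED_DOMAINS:
        imitated = lookalike(from_addr, TRUSTED_ADDRESSES)
        if imitated:
            findings.append(("lookalike_address",
                             f"{from_addr} resembles trusted {imitated}"))
    return findings


# Constructed sample messages in the shapes the column describes.
SAMPLE_MESSAGES = {
    "clean": ("From: John Kelly <john.kelly@xyz_company.com>\r\n"
              "Subject: Q3 invoice\r\n\r\nAttached as usual.\r\n"),
    "reply_to": ("From: John Kelly <john.kelly@xyz_company.com>\r\n"
                 "Reply-To: john.kelly@xyz-company-mail.example\r\n"
                 "Subject: Urgent wire\r\n\r\nPlease wire today.\r\n"),
    "domain": ("From: John Kelly <john.kelly@xyz-company.com>\r\n"
               "Subject: Updated bank details\r\n\r\nNew account below.\r\n"),
    "mailbox": ("From: John Kelly <john.kelley@xyz_company.com>\r\n"
                "Subject: Employee records\r\n\r\nSend for the audit.\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(name, analyze_headers(raw) or "no findings")
```

The edit-distance test is a heuristic: very short or similar legitimate domains will produce false positives, so treat a hit as a reason to pick up the phone, which is the out-of-band verification the FBI recommends, rather than as proof of fraud. A finding on a message that asks for a payment or a change of bank details is the case worth routing to a second approver.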
No compromise
Don’t fall for a business email scam
IF YOU ARE A VICTIM: Act fast. If the fraud is not discovered quickly, money may be hard to recover because criminal groups use laundering techniques and money mules (typically romance and lottery scam victims) to make cash hard to trace.
Contact your financial institution immediately and ask it to contact the financial institution where money was sent.
Contact your local FBI office (fbi.gov/contact-us/field-offices). The FBI may be able to help freeze or return the funds.
File a complaint with the FBI’s Internet Crime Complaint Center (bec.ic3.gov). —AH