The Federal Bureau of Investigation is expecting an increase in the frequency of scams related to the current COVID-19 pandemic, including those involving business email compromise (BEC).
A type of fraud targeting those in charge of performing legitimate funds transfers for a company, BEC scams aim to trick unsuspecting victims into sending money to the attackers.
In BEC attacks, the victim typically receives an email apparently arriving from a company they normally conduct business with, requesting payments be made to a new account, or demanding a change in the standard payment operations.
According to the FBI, losses from BEC scams surpassed $1.7 billion in 2019, and are only expected to increase. More recently, there has been an increase in BEC attacks targeting municipalities purchasing personal protective equipment or other supplies for the ongoing coronavirus crisis.
One of the most recent examples of BEC fraud targeted a financial institution with an email allegedly arriving from the CEO of a company and related to a previously scheduled transfer of $1 million. The message requested the transfer date be moved up and to a new account, due to the COVID-19 situation.
In another incident, a bank customer received a message from an alleged client in China, requesting that all invoice payments be changed to a different bank, claiming that their regular accounts could not be accessed due to audits. Several transfers were made to the new bank before the fraud was discovered.
To stay protected from this type of fraud, organizations should look for specific red flags, including an unexplained urgency, last minute changes in wire details or in established communication platforms, refusal to communicate via telephone or online voice/video services, requests for advanced payment of services if previously such payment was not required, and requests to change direct deposit information.
According to the FBI, being skeptical of any last minute changes in wiring instructions and verifying all such changes via the contact on file could help avoid falling victim to fraud. To stay protected, users should also make sure that URLs in emails are associated with the business they claim to be from, should be wary of hyperlinks that may contain misspellings of the actual domain name, and should verify the email address used to send emails.
Immediately after discovering that they might have fallen victim to a fraudulent incident, users should contact their financial institution to request a recall of funds, and should also report the issue to the employer. Victims are advised to also file a complaint with the FBI’s Internet Crime Complaint Center as soon as possible.