Internet criminals concoct all sorts of ways to steal money from unsuspecting Minnesota internet users. According to the FBI, internet criminals have recently come up with a way to infiltrate the emails of company employees and non-profit workers to get them to hand over their money. This scheme is known as a business e-mail compromise (BEC). To date, this internet crime has resulted in billions of dollars of losses to victims.
A BEC scam functions much like a phishing scam, except it is more elaborate. Scammers target individuals who have access to financial assets and trick them into transferring money to a seemingly legitimate bank account that is in reality owned by the scammers. BEC scammers will usually break into a company computer system and harvest information about its employees. The scammer will identify a victim and then send that person an email that appears to be an authentic company email urging the victim to send money to a seemingly reputable vendor.
BEC emails generally present their requests as urgent and sensitive. If you receive an email urging you to quickly send a payment, suspicion is warranted. Also, no one should assume the email is genuine simply because it does not contain malware. It is true that many phishing emails contain an .exe file that can expose your computer to a malicious program, but many BEC emails do not need to carry malware to carry out their schemes. However, the fact that you have received a BEC email could be a sign your company’s system has been compromised by malware in the first place.
According to Tripwire.com, one way to spot a BEC email is to look closely at the email address. Your company’s email domain may contain “companyname” in it, but then you look at an email and discover it actually reads “company_name.” Since this email domain contains an underscore, the email is inauthentic. It is likely the result of another email domain set up specifically to spoof the company email to make you think it is a genuine company email. Spoofed email domains may alter a letter from the original email domain, or add an underscore or a hyphen: any small change that is hard to spot at a glance.
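The address check described above can also be done by a mail filter or a triage script. The following is an added example, not code from the original article or from Tripwire: it classifies the domain in a From header against a trusted domain and flags underscore, hyphen and near-miss spellings. The domain `companyname.com`, the sample headers and the edit threshold are assumptions made for illustration.

```python
from email.utils import parseaddr

TRUSTED_DOMAIN = "companyname.com"  # assumption: your organisation's real mail domain
MAX_EDITS = 2                       # assumption: how close counts as a near miss


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Return 'trusted', 'lookalike' or 'external' for the sender's domain."""
    domain = sender_domain(from_header)
    if domain == trusted:
        return "trusted"
    strip = str.maketrans("", "", "_-")
    if domain.translate(strip) == trusted.translate(strip):
        return "lookalike"  # same name with an underscore or hyphen added
    if edit_distance(domain, trusted) <= MAX_EDITS:
        return "lookalike"  # a letter altered, added or dropped
    return "external"


# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "Pat Lee <pat.lee@companyname.com>",
    "Pat Lee <pat.lee@company_name.com>",
    "Pat Lee <pat.lee@company-name.com>",
    "Pat Lee <pat.lee@conpanyname.com>",
    "Vendor Billing <billing@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):9}  {header}")
```

A "trusted" result only means the visible address is spelled correctly; it does not prove who sent the message, so payment requests still need to be verified through a separate channel.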
In the event you receive a suspicious email, it is best to verify that the requested money transfer is genuine. If you receive an email supposedly from a CFO, email the CFO back using an email address you know is authentic. Suspicious emails should not be replied to directly, because the reply will go to the scammer and not to the person the scammer is impersonating. For added verification, you may have to see your superior in person.