Fraudsters will take advantage of any opportunity to steal your money, personal information, or both. Right now, they are using the uncertainty surrounding the COVID-19 pandemic to further their efforts, warns the FBI. 

According to the FBI, there has recently been an increase in business email compromise (BEC) fraud, a scam that targets anyone who performs legitimate funds transfers. These BEC frauds are targeting municipalities purchasing personal protective equipment or other supplies needed in the fight against COVID-19.

The FBI notes some recent examples of BEC attempts, including:

  • A financial institution received an email allegedly from the CEO of a company, who had previously scheduled a transfer, requesting that the transfer date be moved up and the recipient account be changed “due to the Coronavirus outbreak and quarantine processes and precautions.” The email address used by the fraudsters was almost identical to the CEO’s actual email address with only one letter changed.
  • A bank customer was emailed by someone claiming to be one of the customer’s clients in China. The client requested that all invoice payments be changed to a different bank because their regular bank accounts were inaccessible due to “Corona Virus audits.” The victim sent several wires to the new bank account for a significant loss before discovering the fraud.

“As the workforce moves from the office to their homes, hackers are mobilizing; they know this is a golden opportunity to strike as companies struggle to contain their expanded attack surface. Organizations must be on high alert for any sort of phishing or social engineering-style attack as hackers are attempting to exploit the weakest link of any security program, the humans,” says Arun Kothanath, Chief Security Strategist at Clango.

Terence Jackson, Chief Information Security Officer at Thycotic, says, "Since PPE’s are in short supply and states are in bidding wars to obtain them, this has presented an opportunity for hackers to target municipalities with emails of promises and false hopes while delivering malicious payloads. They are playing on the desperation of municipalities to obtain these life-saving items. During these difficult times, we have to be even more vigilant with investigating emails and verifying their legitimacy before making any type of online purchases, wire transfers, etc."

"One way for organizations to prevent their employees from falling victim to these scams is to ensure that they cannot execute the attackers’ requests," says Kothanath. "Roles and policies govern an identity’s privileges and entitlements throughout an organization. If the roles and policies in place are driven by best practices, rules will exist to prevent identities from acquiring toxic combinations of privileges – such as a low-level accountant being able to modify a payment’s transfer date and recipient and then immediately distributing the payment."

"Humans are the weakest link in any security program," adds Kothanath, "but organizations can protect themselves by implementing an identity management program with roles and policies driven by best practices."

Mark Chaplin, Principal at the Information Security Forum, notes that “BEC attacks and similar threat scenarios need to be clearly understood before protective measures are implemented. This will ensure protection reflects the nature and scale of the risk to the organization and is balanced, comprehensive and effective.”

Moving forward, Chaplin recommends that organizations move away from blaming the individual as the cause of the problem and "adopt an approach that is more focused on protecting employees from BEC-related emails and making them part of the solution. Additionally, quantify the effectiveness of each security measure deployed to protect against BEC-related attacks and use this information to inform broader risk management activities and decisions."

"Finally, provide balanced protection, combining technical security controls with the establishment of a security-positive culture. Empower employees to complement protection against BEC and similar attacks," Chaplin says.

In addition, to protect yourself from this fraud, the FBI advises being on the lookout for the following red flags:

  • Unexplained urgency
  • Last minute changes in wire instructions or recipient account information
  • Last minute changes in established communication platforms or email account addresses
  • Communications only in email and refusal to communicate via telephone or online voice or video platforms
  • Requests for advanced payment of services when not previously required
  • Requests from employees to change direct deposit information

The FBI also recommends the following tips to help protect yourself and your assets:

  • Be skeptical of last minute changes in wiring instructions or recipient account information.
  • Verify any changes and information via the contact on file; do not contact the vendor through the number provided in the email.
  • Ensure the URL in emails is associated with the business it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from.
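
The one-letter-changed sender address in the FBI's first example, and the tips above about misspelled domains and verifying the sender address, can be checked mechanically against the contacts already on file. The Python below is an added example, not part of the FBI advisory or the original article; the contact list, the function names and the one-edit threshold are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed sample data: sender addresses already on file for known contacts.
CONTACTS_ON_FILE = (
    "ceo@examplecorp.example",
    "billing@vendor-supplies.example",
)


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "li" typed as "il".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header: str, contacts=CONTACTS_ON_FILE, max_edits: int = 1):
    """Return (verdict, nearest contact) for a From header value.

    Verdicts: "on_file", "lookalike" (within max_edits of a contact but not
    equal to it), "unknown", or "unparseable".
    """
    # parseaddr drops the display name, which is all many mobile clients show.
    _, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    if "@" not in addr:
        return ("unparseable", None)
    if addr in contacts:
        return ("on_file", addr)
    nearest = min(contacts, key=lambda c: osa_distance(addr, c))
    if osa_distance(addr, nearest) <= max_edits:
        return ("lookalike", nearest)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed From headers; max_edits=1 is an assumed threshold.
    for header in (
        "Pat Lee <ceo@examplecorp.example>",
        "Pat Lee <ceo@examplec0rp.example>",
        "billing@vendor-suppiles.example",
        "sales@unrelated-shop.example",
    ):
        print(header, "->", classify_sender(header))
```

A "lookalike" verdict is a cue to verify the request through the contact on file, as the tips above advise; it is not proof of fraud on its own.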