Scam of the day – September 27, 2016 – Business email scammer sentenced

Whaling may be a term, when referring to cybercrime, with which you may not be familiar.  By now, everyone is aware of the term “phishing” which refers to the social engineering crime by which scammers send emails purporting to be from a legitimate source in which they lure you into either clicking on malware infected links or directly sending them money.   Often phishing emails are easy to spot because they may not be directed to you by name, but rather by a salutation, such as “Dear Customer” and not contain the type of information that would make you tend to believe that the email is legitimate. “Spear Phishing” is more refined phishing where the scammer has gathered, often through hacking of various websites and companies, personal information about you such that when you receive the phony email from the scammer it appears more legitimate.  The latest criminal version of this tactic is called “whaling” and it is a type of spear phishing aimed at the big fish.

In January of 2016 I told you about Amechi Colvis Amuegbunam, a Nigerian in the United States on a student visa being arrested and charged with wire fraud based on scamming 17 Texas companies out of more than $600,000 through whaling.  Amuegbunam is sent emails that appeared to be from high level company executives to lower level company employees who had the authority to wire funds on behalf of the company requesting that funds be wired to bank accounts he controlled.  The FBI has said that in the last two years 7,000 American companies have been swindled out of approximately 740 million dollars using this technique.

The scammers who use whaling are sophisticated criminals who gather much personal information about the companies and individuals targeted before sending their whaling emails.  They use this information to tailor their emails to make them appear legitimate.  Often they are able to gather much of this information through social media such as Facebook where people sometimes have a tendency to share too much personal information.

TIPS

In the case of Amuegbunam, one of the emails he is alleged to have sent was to a company executive for Luminant Corp which is a Texas electric utility company.  However, if the company executive had looked closely at the email address of the sender, he would have noticed that the name Luminant was misspelled in the email address so that it actually read “lumniant.”  This is an easy misspelling to miss, which is why scammers are able to get email addresses that when looked at quickly may appear to come from someone at the legitimate company, rather than a scammer.  In this particular case, had the employee noticed that the email address of the sender was not legitimate, it would have saved the company $98,550.

The lesson for companies is to both educate employees as to the telltale signs of spear phishing and whaling as well as also have a confirmation protocol in place to be followed when authorizing the wiring of funds, particularly when they are being sent to companies or individuals that their company had not done business with in the past.

As for the rest of us, we should be careful to avoid spear phishing too. Consider how information that you post on social media could be used to defraud you before you post anything and remember that personal information about you and your business accounts can also be gathered through data breaches at companies with which you do business.  Therefore, as I always advise you, never click on links in emails, send money or provide personal information in response to emails that you receive regardless of how legitimate they may appear until you have confirmed that they are indeed not scams.

As for Amuegbunam, he has been sentenced to 46 months in prison and ordered to make restitution to his victims.

Scam of the day – August 26, 2017 – Business email scammer charged

The Business Email Compromise scam continues to be an effective scam perpetrated against many companies, however recently one alleged criminal operating this scam has been arrested.  Daniel Adekunie Ojo, was charged with fraud and identity theft in regard to using this scam against school systems in Connecticut and Minnesota.

Generally this scam involves an email to the people who control payments at a targeted company. These people receive an email purportedly from the CEO, company attorney or even a vendor with which the company does business requesting funds be wired to a phony company or person.   At its essence, this scam is remarkably simple and relies more on simple psychology instead of sophisticated computer malware.  Often the scammers will do significant research to not only learn the name of the key employees involved with payments within a company, but also will infiltrate the email accounts of company employees for a substantial period of time to learn the protocols and language used by the company in making payments.  The scammers also gather information from the company’s website and from social media accounts of its employees, all in an effort to adapt their message to seem more legitimate.

In a variation of this scam, Ojo, posing as a school official asked for W-2s of all employees and received thousands of these documents which he used for purposes of income tax identify theft by filing phony income tax returns in the names of his victims and collected phony refunds based upon counterfeit W-2s that he submitted with the phony tax returns.

TIPS

In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email. Wire transfers are the preferred method of payment of scammers because of the impossibility of getting the money back once it has been sent.  Verification protocols for wire transfers and other bill payments should be instituted including, dual factor authentication when appropriate.  Companies should also consider the amount of information that is available about them and their employees that can be used by scammers to perpetrate this crime.  They also should have strict rules regarding company information included on employee social media accounts that can be exploited for “spear phishing” emails which play a large part in this scam. Finally, employees should be specifically educated about this scam in order to be on the lookout for it.

Companies should also be protective of personal information such as W-2s and should not provide it electronically unless they have confirmed that the request for the documentation is legitimate.

Scam of the day – August 19, 2017 – Alleged scammer of Facebook and Google arraigned

In my scam of the day for December 26, 2016 I told you about the Boston Division of the FBI warning companies about a huge surge of Business E-Mail Compromise scams (BEC).  The scam involves an email sent to the people who control payments at a targeted company. These people receive an email purportedly from the CEO, company attorney or even a vendor with which the company does business requesting funds be wired to a phony company or person.   At its essence, this scam is remarkably simple and relies more on elementary psychology instead of sophisticated computer malware.  Often the scammers will do significant research to not only learn the name of the key employees involved with payments within a company, but also will infiltrate the email accounts of company employees for a substantial period of time to learn the protocols and language used by the company in making payments.  The scammers will also gather information from the company’s website and from social media accounts of its employees, all in an effort to adapt their message to seem more legitimate.

In March, Evaldas Rimasauskas, a Lithuanian citizen was arrested and charged with perpetrating this type of a scam against both Facebook and Google from which he was able to steal more than a hundred million dollars by posing as a Taiwanese company, Quanta Computer which is a major supplier to American high tech companies.

Now Rimasauskas has been extradited to the United States where earlier this week he was arraigned and pleaded not guilty to charges of wire fraud, money laundering and identity theft.

TIPS

In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email. Wire transfers are the preferred method of payment of scammers because of the impossibility of getting the money back once it has been sent.  Verification protocols for wire transfers and other bill payments should be instituted including, dual factor authentication when appropriate.  Companies should also consider the amount of information that is available about them and their employees that can be used by scammers to perpetrate this crime.  They also should have strict rules regarding company information included on employee social media accounts that can be exploited for “spear phishing” emails which play a large part in this scam. Finally, employees should be specifically educated about this scam in order to be on the lookout for it.

Scam of the day – May 16, 2017 – Louisiana churches targeted by scammers

I have long been warning you about the Business Email Compromise scam which is costing unwary companies including Amazon and Facebook a billion dollars in just the last year according to the U.S. Secret Service.  At its essence the scam  most often involves a business receiving an email that appears to come from a corporate officer or someone with which the company does business requesting a payment be wired for an apparent legitimate bill or purpose.  Now the threat is spreading to churches. Louisiana’s Bossier Financial Crimes Task Force is warning churches that the scam has been used to victimize local churches that have received what appear to be emails from their pastors asking them to wire money to accounts and people named in the emails.  In these particular instances in Louisiana, the emails come from email addresses that appear at first glance to be that of the pastors, but a closer inspection will disclose that it is coming from a different email provider than the pastor uses.

TIPS

The Business Email Compromise scam is being used effectively against businesses, but as indicated by the attacks on the Louisiana churches, its use is spreading to churches and can be expected to spread further to being used to target other organizations and even individuals.  The key to protecting yourself, your company or your organization from this scam is to first be skeptical whenever you get a request to wire money because once money has been wired, it is gone forever which is why it is a favorite method of payment for scammers.  The second thing that we all should do is to confirm the legitimacy of any payment request before making payments of any kind.

Scam of the day – May 12, 2016 – Another BEC scam victim

In April 19th’s Scam of the day I told you about the recent FBI warning about a dramatic increase in what it calls the Business email compromise scam (BEC). The scam involves an email to the people who control payments at a targeted company.  These people receive an email purportedly from the CEO, company attorney or even a vendor with whom the company does business requesting funds be wired to a phony company or person.   At its essence, this scam is remarkably simple and relies more on simple psychology instead of sophisticated computer malware.  Often the scammers will do significant research to not only learn the name of the key employees involved with payments within a company, but also will infiltrate the email accounts of company employees for a substantial period of time to learn the protocols and language used by the company in making payments.  The scammers will also gather information from the company’s website and from social media accounts of its employees, all in an effort to adapt their message to seem more legitimate.

Now we have just learned about Pomeroy Investment Corp, a Michigan investment company that lost $495,000 through this scam when one of its employees responded to an email purportedly from another employee of the company and wired $495,000 to a Hong Kong bank.

Companies both large and small have fallen for this scam, which has increased 270% in the last year and over the last couple of years has cost companies more than 2.3 billion dollars in losses. American toy manufacturer, Mattel lost three million dollars to this scam in 2015.

TIPS

In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email.  Wire transfers are the preferred method of payment of scammers because of the impossibility of getting the money back once it has been sent.  Verification protocols for wire transfers and other bill payments should be instituted including, dual factor authentication when appropriate.  Companies should also consider the amount of information that is available about them and their employees that can be used by scammers to perpetrate this crime.  They also should have strict rules regarding company information included on employee social media accounts that can be exploited for “spear phishing” emails which play a large part in this scam.  Finally, employees should be specifically educated about this scam in order to be on the lookout for it.