Scam of the day – May 10, 2017 – Hacker pleads guilty to 6.5 million dollar scam

Obinna Obioha, a Nigerian citizen, has recently pleaded guilty in federal court to hacking into the computers of American businesses around the country and stealing information that enabled him to scam the companies out of an estimated 6.5 million dollars.

While in Nigeria, Obioha used phishing emails to hack into the computers of companies around the world, including the United States. Through his monitoring of the email accounts of employees of the targeted companies, Obioha was able to recognize when commercial transactions were about to occur, at which time he would send an email to the company from an email address just slightly different from that of a company with which his targeted company did business. Posing as a regular business partner of his targeted company, he would use the phony email to send a phony invoice and instructions to wire the payment funds to bank accounts controlled by Obioha and his cohorts. Obioha admitted successfully perpetrating this scam at least fifty times between January and September of 2016. Obioha was arrested after flying to New York from Nigeria in October of 2016 and has been in custody since then. He is now awaiting sentencing.

TIPS

Companies large and small are increasingly falling for this scam. In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email. Wire transfers are the preferred method of payment of scammers because of the impossibility of getting the money back once it has been sent. Verification protocols for wire transfers and other bill payments should be instituted, including dual factor authentication when appropriate. Companies should also consider the amount of information that is available about them and their employees that can be used by scammers to perpetrate this crime. They also should have strict rules regarding company information included on employee social media accounts that can be exploited for “spear phishing” emails, which play a large part in this scam. Finally, employees should be specifically educated about this scam in order to be on the lookout for it.
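As an illustration of such a verification protocol, here is an added example (not part of the original post) that holds an emailed invoice for out-of-band confirmation when the sender's domain is a near miss of a known vendor's domain or when the bank account differs from the one on record. The vendor records, domains, account numbers and the distance threshold of 2 are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Vendor:
    name: str
    domain: str        # domain the vendor normally sends invoices from
    bank_account: str  # account on file, confirmed when the vendor was onboarded

# Constructed sample vendor master list (hypothetical names and values).
VENDORS = [
    Vendor("Acme Supply", "acme-supply.example", "ACCT-0001"),
    Vendor("Northwind Parts", "northwind-parts.example", "ACCT-0002"),
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def review_invoice(sender: str, bank_account: str, vendors: list[Vendor]) -> list[str]:
    """Return the reasons a payment request must be verified by phone first."""
    domain = sender.rsplit("@", 1)[-1].lower().rstrip(".")
    reasons = []
    vendor = next((v for v in vendors if v.domain == domain), None)
    if vendor is None:
        # No exact match: is this a slightly altered copy of a vendor we know?
        closest = min(vendors, key=lambda v: edit_distance(domain, v.domain), default=None)
        if closest and edit_distance(domain, closest.domain) <= 2:
            vendor = closest
            reasons.append("lookalike_domain:" + closest.domain)
        else:
            reasons.append("unknown_sender_domain")
    # A genuine sender address proves little when a mailbox has been taken over,
    # so changed payment details are flagged even on an exact domain match.
    if vendor and bank_account != vendor.bank_account:
        reasons.append("bank_account_changed")
    return reasons

if __name__ == "__main__":
    print(review_invoice("billing@acrne-supply.example", "ACCT-9999", VENDORS))
```

An empty result means the request matches the vendor record; any other result should route the payment to a call-back on a phone number already on file, not one taken from the email.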

Scam of the day – May 2, 2017 – Facebook and Google lost 100 billion dollars to a scammer

In my scam of the day for December 26, 2016 I told you about the Boston Division of the FBI warning companies about a huge surge of Business E-Mail Compromise scams (BEC). The scam involves an email sent to the people who control payments at a targeted company. These people receive an email purportedly from the CEO, company attorney or even a vendor with which the company does business requesting funds be wired to a phony company or person. At its essence, this scam is remarkably simple and relies more on simple psychology than on sophisticated computer malware. Often the scammers will do significant research to not only learn the names of the key employees involved with payments within a company, but also will infiltrate the email accounts of company employees for a substantial period of time to learn the protocols and language used by the company in making payments. The scammers will also gather information from the company’s website and from social media accounts of its employees, all in an effort to adapt their message to seem more legitimate.

In March, Evaldas Rimasauskas, a Lithuanian citizen, was arrested and charged with perpetrating this type of scam against both Facebook and Google, from which he was able to steal more than a hundred million dollars by posing as a Taiwanese company, Quanta Computer, which is a major supplier to American high tech companies. When Rimasauskas was first indicted, the indictment did not provide the names of the companies he was alleged to have swindled nor the company he is alleged to have posed as, but a recent investigation by Fortune Magazine uncovered these facts.

TIPS

In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email. Wire transfers are the preferred method of payment of scammers because of the impossibility of getting the money back once it has been sent. Verification protocols for wire transfers and other bill payments should be instituted, including dual factor authentication when appropriate. Companies should also consider the amount of information that is available about them and their employees that can be used by scammers to perpetrate this crime. They also should have strict rules regarding company information included on employee social media accounts that can be exploited for “spear phishing” emails, which play a large part in this scam. Finally, employees should be specifically educated about this scam in order to be on the lookout for it.

Scam of the day – February 18, 2017 – Florida man sentenced for Business email scam

Recently, Jeffrey Ihm was sentenced to eleven years and eight months in federal prison after being convicted of multiple criminal counts related to his business email scam through which he managed to steal $2,234,681.

Ihm posed in emails as executives of a number of legitimate companies, such as Roper Industries, and tricked Wells Fargo Bank and other financial institutions into sending him the money.

This scam, which is often referred to as the business email scam, has become a serious problem in the last couple of years, with many companies becoming victims of the scam.

TIPS

The key for businesses is to have a protocol in place in regard to approvals necessary and verification required before paying bills, particularly when funds are requested to be wired.

The lesson also applies to all of us as individuals. Scammers also send phony bills to individuals that appear to come from companies with which we do business, but with a different address to send the money. Never send a payment to a different address from the one you have used in the past unless you have verified both the accuracy of the bill and the address.

Scam of the day – February 6, 2017 – IRS issues urgent alert about evolving W-2 scam

Income tax identity theft is a multibillion-dollar problem that costs the government and, by extension, us the taxpayers billions of dollars each year while tremendously inconveniencing the individual taxpayers whose identities are stolen, as it generally takes the IRS months to fully investigate each instance of identity theft and send the victimized taxpayer his or her legitimately owed tax refund. Armed with a potential victim’s name and Social Security number, it is a simple matter for an income tax identity thief to file a phony return with a counterfeit W-2 to obtain a fraudulent income tax refund.

A year ago, when this scam first surfaced, I first warned you about identity thieves tricking companies into providing employee W-2s to them.  These stolen W-2s  contain all of the information the identity thieves need to file a fraudulent income tax return.  The scam works by sending phishing emails to HR and accounting departments within companies often posing as the CEO of the company or someone else in upper management requesting copies of all employee W-2s under various guises.  Other times, payroll management companies have been targeted using the same type of phishing emails.  In some instances, the phishing emails have been recognized as scams, but in other instances, companies have unwittingly handed over thousands of W-2s to clever identity thieves.

Now the IRS has issued an urgent alert indicating that the scam has evolved from merely targeting companies to targeting school districts, non-profit organizations, restaurants, temporary staffing agencies and others. In addition, the IRS is saying that the scammers are now combining this scam with the business email scam, so that the email asking for W-2s to be sent also asks the employees receiving it to wire money for various purposes. According to IRS Commissioner John Koskinen, “Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars.”

TIPS

All companies have got to do a better job of training employees to recognize phishing emails and installing anti-phishing software programs. In addition, dual factor authentication should be used before transmitting sensitive data to make sure that the person to whom the material is being sent is really who they represent they are. These same lessons that apply to companies also apply to all of us as individuals. Phishing is done to steal the identities and information of unwary individuals every day, and the best way to protect yourself is to start with remembering my motto, “trust me, you can’t trust anyone.” Never provide personal information to anyone who asks for it by phone, text message or email unless you have absolutely confirmed that the request is legitimate and the person or company requesting the information has a legitimate need for the information. Never click on links or download attachments from emails or text messages unless you have confirmed they are legitimate, because those links and attachments could contain keystroke logging malware that can steal all of the information from your computer and use it to make you a victim of identity theft. Finally, keep all of your electronic devices, including your smartphone, up to date with the latest security software patches.

Scam of the day – April 19, 2016 – Business email scam

The FBI recently issued a warning about a dramatic increase in what it calls the Business email compromise scam (BEC). The scam involves an email to the people who control payments at a targeted company. These people receive an email purportedly from the CEO, company attorney or even a vendor with whom the company does business requesting funds be wired to a phony company or person. At its essence, this scam is remarkably simple and relies more on simple psychology than on sophisticated computer malware. Often the scammers will do significant research to not only learn the names of the key employees involved with payments within a company, but also will infiltrate the email accounts of company employees for a substantial period of time to learn the protocols and language used by the company in making payments. The scammers will also gather information from the company’s website and from social media accounts of its employees, all in an effort to adapt their message to seem more legitimate.

Companies both large and small have fallen for this scam, which has increased 270% in the last year and over the last couple of years has cost companies more than 2.3 billion dollars in losses. American toy manufacturer Mattel lost three million dollars to this scam in 2015.

TIPS

In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email. Wire transfers are the preferred method of payment of scammers because of the impossibility of getting the money back once it has been sent. Verification protocols for wire transfers and other bill payments should be instituted, including dual factor authentication when appropriate. Companies should also consider the amount of information that is available about them and their employees that can be used by scammers to perpetrate this crime. They also should have strict rules regarding company information included on employee social media accounts. Finally, employees should be educated about this scam in order to be on the lookout for it.