The Business Email Compromise scam continues to be an effective scam perpetrated against many companies, however recently one alleged criminal operating this scam has been arrested.  Daniel Adekunie Ojo, was charged with fraud and identity theft in regard to using this scam against school systems in Connecticut and Minnesota.
Generally this scam involves an email to the people who control payments at a targeted company. These people receive an email purportedly from the CEO, company attorney or even a vendor with which the company does business requesting funds be wired to a phony company or person.   At its essence, this scam is remarkably simple and relies more on simple psychology instead of sophisticated computer malware.  Often the scammers will do significant research to not only learn the name of the key employees involved with payments within a company, but also will infiltrate the email accounts of company employees for a substantial period of time to learn the protocols and language used by the company in making payments.  The scammers also gather information from the company’s website and from social media accounts of its employees, all in an effort to adapt their message to seem more legitimate.
In a variation of this scam, Ojo, posing as a school official asked for W-2s of all employees and received thousands of these documents which he used for purposes of income tax identify theft by filing phony income tax returns in the names of his victims and collected phony refunds based upon counterfeit W-2s that he submitted with the phony tax returns.
In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email. Wire transfers are the preferred method of payment of scammers because of the impossibility of getting the money back once it has been sent.  Verification protocols for wire transfers and other bill payments should be instituted including, dual factor authentication when appropriate.  Companies should also consider the amount of information that is available about them and their employees that can be used by scammers to perpetrate this crime.  They also should have strict rules regarding company information included on employee social media accounts that can be exploited for “spear phishing” emails which play a large part in this scam. Finally, employees should be specifically educated about this scam in order to be on the lookout for it.
Companies should also be protective of personal information such as W-2s and should not provide it electronically unless they have confirmed that the request for the documentation is legitimate.