Snippets issue spotlights email con tricks on employees and latest investment scams: Internet Scambusters #660
Phony business emails sent to finance department employees have cost firms $215 million by tricking them into wiring invoice payments to scammers.
We have the details in this week's Snippets issue, along with warnings about bogus investment newsletters and shady house-flipping programs.
And if you use one of the most popular password management programs, we'll tell you why you need to change your master password right now.
Let's get started...
Bogus Business Email Targets Employees, Costs Millions
Suppose you work in your employer's accounts department and you get a business email from your boss telling you to change the way you pay invoices. What would you do?
Here's hoping you'd check the instruction with the boss or another key figure in the business. Otherwise, you could be playing an unwitting part in a scam that could cost the firm a fortune.
According to law enforcement officials, scammers who have hacked their way into company computer systems have been sending these redirection emails to employees in the finance section of small businesses.
They tell the employees that, instead of sending checks to specified suppliers, they now have to send the cash by electronic transfer.
We all recognize by now that wiring money can be a dangerous payment method if you don't know the person you're sending it to.
But in this case, the victims think they do know who they're sending it to, and with their guard down, fall for the scam.
According to the FBI, this scam, which they call the Business Email Compromise (BEC), cost one Tennessee company $850,000.
In another version, the scammers pose as a supplier to the company and simply ask for payment of invoices to be wired instead of being paid by check. The cash ends up overseas and cannot be recovered.
The scam, the FBI reports, is global, with victims in 45 countries and all U.S. states, and has cost firms a total of $215 million.
Action: If you're in a position to make payments for your company, be on the lookout for these scam emails and report them to your manager.
Such an email means not only that someone is trying to scam you but also that they most likely have hacked into your company systems and could put other elements of the business at risk.
And if you happen to be a small business owner, be aware of and alert your employees to the danger. Perhaps even have a system where more than one person has to approve changes in payment processes.
Another sneaky way that hackers target employees is by sending emails that pretend to be from the company HR department or someone with an HR function in a business.
The message tells the victim that the firm is changing his/her employment status and that they have to click a link for more details.
The message looks genuine -- so who wouldn't be desperate to click?
But the link takes victims to a spoof site that looks like the firm's real site, where they're asked to log on with their company email address and password.
It then provides some innocuous information that puts the employee's mind at rest.
Meanwhile, the scammers use the captured login details to sign on to the victim's genuine company account and change the bank details so that the victim's wages are sent to the crooks' account.
Action: Be immediately suspicious if you get this email; don't click the link.
Most firms would be unlikely to notify you of changes this way, but you should either contact your HR people by phone or sign in to your account independently and check details from there.
Bogus Investment Newsletters
For our third Snippet this week, we switch to the world of investment, where, as ever, people with money to invest are always on the lookout for news and tips that will lead them to a profit.
A popular source of this type of information is a newsletter.
But beware. According to a U.S. Securities and Exchange Commission (SEC) official, online newsletters that seem to be genuine may be touting dubious stocks and other investment vehicles.
"Fraudulent newsletters will claim to offer independent, unbiased recommendations, but fail to explain conflicts of interest (or biases), including financial incentives they receive that influence their investment recommendations," says SEC education director Lori Schock.
If "newsletters" are being paid to tout particular investments, they should say so. If they don't and they seem to be promoting just one stock, you should be wary.
And don't be misled just because you saw the newsletter promoted on legitimate investment forums.
"What makes it even harder to spot fraudulent newsletters is that many are advertised on legitimate websites -- including the online financial pages of news organizations," says Schock, "(but) this does not make them any less fraudulent."
Staying with the subject of investment, watch out for a scam based on the popular tactic of home flipping.
Flipping is when an individual buys and then quickly resells a home for a profit, often after carrying out significant remodeling.
It's fun for some and simply an appealing way to make a profit for others -- but it can be expensive to get into; you need the cash to buy your first property.
Crooks have come up with the solution: Invite people to invest just a few thousand dollars that supposedly will be pooled with others' money, with the flipping conducted by "experts."
All the investor has to do is hand over the money and sit back and wait for the profits to roll in.
Maybe this really does happen in some cases, but in others it's an out-and-out scam, usually promoted at seminars.
Victims are persuaded by the promise of mouthwatering returns or high-pressure sales techniques to hand over money, which they never see again.
Action: If you can't afford to do the flipping yourself, be very cautious about these pooled-money enterprises.
Carefully and independently check out the promoters and speak to a financial advisor first.
Unless it stacks up 110%, don't do it!
Alert of the Week
If you use the LastPass password manager and haven't changed your master password in the past few weeks, then do so now.
The company says it was hacked in early June and, although there's no evidence accounts were compromised or that any encrypted data was stolen, they're recommending a master password change.
For more information, here's the LastPass announcement.
That's all for today -- we'll see you next week.