Payment switch crooks targeting individuals as well as businesses: Internet Scambusters #709
It's easy to believe what seems to be an official request from your boss or contractor to make a payment switch to a different bank account.
But it's probably a scam -- one that's costing businesses billions of dollars. But crooks are also now targeting individuals, as we report in this week's issue.
We also have an alert about the reliability of products being sold to counteract attacks by mosquitos carrying the Zika virus.
Now, here we go...
Alarming Rise in Payment Switch Scams
One of the most alarming rises in scams so far this year has been the dramatic increase in incidents of payment switch scams, sometimes called mandate fraud or business email compromise (BEC).
This is when employees receive an email that seems to be from their boss, instructing them to send payment on an invoice to a new supplier account.
The email is a fake. It comes from a scammer who is directing legitimate payments that belong to someone else into his own bank account -- usually out of reach, overseas.
Or, posing as the boss, the crooks may even tell accounting staff to wire a cash payment to an untraceable recipient. It's easy for scammers to get the names of higher-ups in most firms because they're publicly available on websites, press releases and social media.
In some cases, the scammers make direct contact with company finance departments, often by phone, posing as a supplier, claiming they changed their bank and now need invoices settled to a new account.
Police reports suggest the crooks are also targeting charities, religious organizations and other non-profits where internal security and verification procedures may not be as rigorous as in the commercial world.
Even worse, scammers now seem to be contacting private individuals supposedly on behalf of a contractor who's done recent work for them, asking for payment to be made into the crooks' own bank account.
In one reported British case, a woman who had a wood burning stove installed in her home lost several thousand pounds after responding to a fake email pretending to be from the contractor.
Police say this kind of crime happens when crooks use malware to hack into contractors' computer systems or even the computers of the victims themselves.
In other instances, victims receive a letter relating to a magazine subscription they took out, telling them to change the bank details on their recurring payment.
According to a recent statement issued by the Attorney General's office in Arkansas, invoice fraud has taken more than $2 billion worldwide during the past three years.
The crime has certainly been reported from all corners of the world, most recently in Tasmania. And it's rife in the U.S. where average losses run at around $55,000 per scam -- but they have been as high as $800,000 according to the Internet Crime Complaint Center (IC3).
The FBI says more than 7,000 U.S. companies were hit for $750 million during 2014 and 2015.
So, that $2 billion global figure is likely under-reported because individuals and small firms may not report the crime or may not even realize they've been scammed.
Fraud specialists and law enforcement agencies urge companies to introduce a verification system that requires payment-handling staff to:
- Check with CEOs or other senior staff for invoice sums above a certain level. Do this directly (i.e. face-to-face or by phone) because, in sophisticated versions of the crime, hackers have been able to divert email responses from employees.
- Verify with the supplier by using contact details on file, not those that come with the payment switch message. Again, use the phone.
- Exercise vigilance and be alert to "urgent" or "confidential" requests to make payments to a new address.
- Use your intuition. If you feel something isn't right, check it out. Better safe than sorry.
Firms should also automatically question and verify any request to wire payments.
For individuals, when you get a contractor's bill that asks for payment to be sent (either as a check or electronically) to anywhere other than their address or their *KNOWN* bank account, phone the contractor and ask them to confirm the arrangement.
The same goes for any request you get to change the recipient account for any recurring payments you make, such as a magazine or newspaper subscription.
Be aware too that malware or computer hacking could reveal details of your subscriptions or contractor projects and again could be used as a lever to get you to redirect payment.
So make sure your computer security software is up to date.
Payment switch scams are bad enough when they target firms, but when the victims are individuals it can be even more painful because it's the sort of fraud your bank or insurer may not be prepared to cover.
Alert of the Week
With the current and ongoing scare about the Zika virus, watch out for spurious claims about products that can supposedly protect you against this mosquito-borne infection.
The Federal Trade Commission (FTC) recently accused one firm of making deceptive claims about its products "without competent and reliable evidence to back them up."
To learn more about the virus and how to protect yourself, check out this guidance from the U.S. Centers for Disease Control and Prevention.
That's all for today -- we'll see you next week.