Email isn’t always trustworthy.
Messages from bosses or co-workers that look suspicious and request a financial transaction might be a scam, and a recent report from the Better Business Bureau shows that more people are falling victim to business email compromise scams.
Almost $3.1 billion has been bilked from businesses and organizations since 2016 and scammers attempted to swindle an additional $23 billion during that time, according to the report.
Last year, over 20,000 complaints were filed in the United States, resulting in a loss of $1.3 billion – roughly double the prior year, according to the FBI’s Internet Crime Complaint Center. Springfield businesses are not immune. So far this year, $2.1 million has been bilked from businesses in the city to BEC scammers around the world, according to data reported to the FBI. The year prior, local victims reported losing over $727,500.
The FBI refers to them as BEC scams. Dixon Land, public affairs specialist at the FBI Kansas City office, said they come in several forms. It could be a CEO directing a financial officer to wire money, a boss asking an employee for a favor to buy gift cards on their behalf, vendors requesting payment be made to another account or executives requesting copies of employee tax information, according to the report. They’re often sent from a familiar email address and with that person’s email signature.
“Scammers are using emails or specific messaging systems within businesses to redirect company finances so that the employee who is handling the finances is tricked into wiring transfers to a bank account that they think is either of a co-worker, boss or third-party vendor,” Land said. “A lot of the time, it’s spoof emails or emails that look like a part of your community.”
A business of any size and in any industry can be affected by the fraud, Land said. In 2018, 80% of businesses received a BEC scam. This year, the number of scams jumped 50% in the first three months, according to the report.
The trend is growing in Springfield, too. FBI data show six reported BEC victims in the city in 2016, then up to 11 in 2017 and 2018. So far this year, there have been 19 victims.
Stephanie Garland, the BBB’s regional director in Springfield, said via email the bureau isn’t able to clearly track the number of scams in the area.
“These scams are likely to be significantly under-reported because businesses tell BBB that they are embarrassed to have lost money and don’t want to appear vulnerable,” she said.
Springfield Business Journal received a BEC scam a few months ago that an employee fell victim to, said Publisher Jennifer Jackson. The email sent to all employees appeared to be from Jackson and requested staff members to help her by purchasing $100 gift cards for staff rewards. One employee purchased a gift card, and SBJ reimbursed that employee, she said.
“Until that happened, it didn’t occur to me to have that conversation,” Jackson said. “I became so used to seeing junk email come through that it didn’t occur to me that anyone would fall for it.”
She suggests business owners create a clear policy of how money is transferred in the workplace, which SBJ has since done.
“I’m seeing them much more frequently than I have before,” Jackson said of the fraudulent emails. “We’ve upped our email security, but it only catches spam, and it’s not going to filter a legitimate email.”
What to do
Land said, if scammed, the first step is to report it to local law enforcement.
“The FBI relies on educational awareness and reporting,” Land said. “We want to know if someone is a victim of an email compromise and hopefully identify the scammers and bring them to justice.”
A four-monthlong coordinated effort between several federal law enforcement agencies called Operation reWired resulted in 281 arrests in the United States and overseas, according to information released last month by the FBI. The arrests – which resulted in the seizure of nearly $3.7 million – were made in Nigeria, Ghana, Turkey, France, Italy, Kenya, Japan, Malaysia and the United Kingdom.
Garland said business owners also can file incidents on the BBB’s Scam Tracker website. The bureau then reports all results to law enforcement, she said.
Across all its regions, she said the BBB is on track to handle over 19,300 complaints by the end of the year.
There are precautionary steps that business owners and employees can take, too. The BBB report suggested most fraud cases could have been stopped if the employee called the individual supposedly requesting money.
“One of the things we encourage employees and businesses to do is – using either the telephone or in person – to contact the person who is making that request to confirm that,” Land said. “Creating that double-checking system will help.”
Thomas Douglas, CEO of Springfield-based JMark Business Solutions Inc., said businesses can block emails sent from specific geographic regions through an email software like Microsoft’s Office 365 or Google’s G Suite. He recommended this method if a company doesn’t usually work with international businesses.
Business owners also should keep computers updated with antivirus software, he said. However, most of these emails still make it through the firewall, so business owners should educate employees on the scam.
“Let them know they are going to get phishing emails and someone will trick them into it,” Douglas said. “No technology solution is going to be perfect, so people have to help close the gap.”
Jeff Eiserman, business risk adviser with Ollis/Akers/Arney, said cyber insurance policies are beginning to include coverage for BEC scam losses.
“All of this is so nuanced, and there’s so many new types of losses, that the insurance industry is trying to figure out a way to adapt and a way to respond,” Eiserman said, noting that some companies and policies offer coverage for such losses and some do not. “The most important thing is the agent you’re working with and if they understand your risk.”
The BBB also recommends requiring multifactor authentication, cyber insurance and internet security training, as well as verifying changes in employee and vendor information. According to the report, the bureau also suggests limiting the number of times that a user can enter incorrect login information.
“Every business today gets attacked. We try to provide a high degree of awareness of these kinds of threats to our clients,” Douglas said. “It’s a never-ending fight to keep users protected.”
Join us on the third Tuesday of each month for a live interview with one of 12 local professionals handpicked by our editorial team.