Twice in the past week, at two different, unrelated Darien businesses, someone got into a boss’ email account and sent phony directives to subordinates to send money.
A Darien real estate business lost about $24,000 in one of the scams; a local travel agency lost about $10,000, police said. The employees were directed to wire money to certain locations.
The same scam has been tried before, elsewhere, but this is the first time a police spokesman, Sgt. Jeremiah Marron (also a Darien police detective), could recall that it had taken place in Darien.
It isn’t known how the thief or thieves were able to use the email accounts. Police are continuing to investigate the incident.
How to Avoid it at Your Business
This type of scam is so common that the FBI published a description of it back in January, and included these suggestions for businesses to avoid becoming victimized:
The IC3 [the FBI Internet Crime Complaint Center] suggests the following measures to help protect you and your business from becoming victims of the BEC [“Business Email Compromise”] scam:
- Avoid Free Web-Based E-mail: Establish a company web site domain and use it to establish company e-mail accounts in lieu of free, web-based accounts.
- Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchal information, and out of office details.
- Be suspicious of requests for secrecy or pressure to take action quickly.
- Consider additional IT and Financial security procedures and 2-step verification processes. For example –
-
- Out of Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
- Digital Signatures: Both entities on either side of transactions should use digital signatures. However, this will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.
- Delete Spam: Immediately delete unsolicited e-mail (spam) from unknown parties. Do NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
- Forward vs. Reply: Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
- Significant Changes: Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been on a company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
FILING AN IC3 COMPLAINT
If you believe your businesses is the recipient of a compromised e-mail or is a victim of the BEC scam (regardless of dollar amount), you should file with the IC3 at www.IC3.gov. Please be as descriptive as possible, identify your complaint as “Business Email Compromise” or “BEC” and try to include the following information:
- Header information from e-mail messages
- Identifiers for the perpetrators such as names, e-mail addresses, websites, bank account information (especially where transfers were requested to be sent), and beneficiary names
- Details on how, why, and when you believe you were defrauded
- Actual and attempted loss amounts
- Other relevant information you believe is necessary to support your complaint
Complainants are also encouraged to keep all original documentation, e-mails, faxes, and logs of all telecommunications. You will not be able to add or upload attachments with your IC3 complaint; however, please retain all relevant information, in the event you are contacted by law enforcement.
Pingback: Darien Police Offer Businesses Tips on Avoiding Wire Fraud | Darienite