Email/Wire Fraud Scheme Costs $48.6K for Darien Realty Business

When a thief hacked into the email account of the president of a Darien real estate company, the first theft occurred when a phony email directed an employee to wire $24,000 to someone in Anderson, S.C.

Darienite.com reported on the hack-and-theft scheme previously, when Darien police first released some details about it, very shortly after the matter had been reported to police. But those details weren’t the half of it.

This week, Darien police said there was a second theft from the same business of $24,900 wired to someone in Glendale, AZ. Just like the other theft, this one involved a phony email directing an employee to send the money. Both thefts occurred Nov. 19.

A third, much larger theft of $52,900 was attempted in just the same way, but the employee became suspicious. Instead of the money being wired to Port St. Lucie, FL, the president of the company, Kelly Associates of 780 Post Road, was contacted and confirmed that the emails were fraudulent.

Police didn’t say what exactly was in the emails, but many retired people live in each of the three locations where the messages directed that the money be sent.

A travel agency in town lost $10,000 in a similar email fraud scheme that occurred at about the same time.

Although the email apparently was sent from the Kelly Associates president’s email account, the message was doctored so that if the recipient hit “reply,” the reply would go to a different email address, police said.
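A mail filter or a bookkeeper's helper script can catch the redirected reply police describe by comparing the Reply-To header with the From header before anyone answers a payment request. The sketch below is an added example, not something from the police report or the FBI advisory; the sample message, the `.test` domains and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: From shows the company address, Reply-To does not.
SAMPLE = (
    'From: "Company President" <president@example-realty.test>\n'
    'Reply-To: "Company President" <president.example.realty@freemail.test>\n'
    'To: bookkeeper@example-realty.test\n'
    'Subject: Wire needed today\n'
    '\n'
    'Please wire the funds this morning.\n'
)

def _addresses(msg, header):
    """Return every address in a header, lower-cased, ignoring display names."""
    values = msg.get_all(header, [])
    return {addr.lower() for _, addr in getaddresses(values) if "@" in addr}

def reply_to_findings(raw, trusted_domains):
    """Flag Reply-To addresses that differ from the From address.

    trusted_domains is the set of lower-case domains the company owns
    (an assumption supplied by the caller). A message with no Reply-To
    produces no findings, because replies then go to the From address.
    """
    msg = message_from_string(raw)
    senders = _addresses(msg, "From")
    findings = []
    for addr in sorted(_addresses(msg, "Reply-To") - senders):
        domain = addr.rsplit("@", 1)[1]
        if domain in trusted_domains:
            findings.append(("review", addr, "reply goes to a different internal mailbox"))
        else:
            findings.append(("high", addr, "reply leaves the company domain"))
    return findings

if __name__ == "__main__":
    for severity, addr, reason in reply_to_findings(SAMPLE, {"example-realty.test"}):
        print(severity, addr, reason)
```

The display name is ignored on purpose: it can be set to anything, so only the address itself is compared.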

How to Avoid it at Your Business

Last week, Darienite.com provided this information about avoiding business email fraud schemes of this kind. We’ve republished the same advice below:

This type of scam is so common that the FBI published a description of it back in January, and included these suggestions for businesses to avoid becoming victimized:

The IC3 [the FBI Internet Crime Complaint Center] suggests the following measures to help protect you and your business from becoming victims of the BEC [“Business Email Compromise”] scam:

  • Avoid Free Web-Based E-mail: Establish a company web site domain and use it to establish company e-mail accounts in lieu of free, web-based accounts.
  • Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchal information, and out of office details.
  • Be suspicious of requests for secrecy or pressure to take action quickly.
  • Consider additional IT and Financial security procedures and 2-step verification processes. For example –
    • Out of Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
    • Digital Signatures: Both entities on either side of transactions should use digital signatures. However, this will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.
    • Delete Spam: Immediately delete unsolicited e-mail (spam) from unknown parties. Do NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
    • Forward vs. Reply: Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
  • Significant Changes: Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been on a company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.

FILING AN IC3 COMPLAINT
If you believe your business is the recipient of a compromised e-mail or is a victim of the BEC scam (regardless of dollar amount), you should file with the IC3 at www.IC3.gov. Please be as descriptive as possible, identify your complaint as “Business Email Compromise” or “BEC” and try to include the following information:

  • Header information from e-mail messages
  • Identifiers for the perpetrators such as names, e-mail addresses, websites, bank account information (especially where transfers were requested to be sent), and beneficiary names
  • Details on how, why, and when you believe you were defrauded
  • Actual and attempted loss amounts
  • Other relevant information you believe is necessary to support your complaint

Complainants are also encouraged to keep all original documentation, e-mails, faxes, and logs of all telecommunications. You will not be able to add or upload attachments with your IC3 complaint; however, please retain all relevant information, in the event you are contacted by law enforcement.
