Foreign criminals impersonate company/organization executives through email to con employees into wire transfers
DES MOINES – Iowa businesses and non-profit organizations should be aware of a sophisticated scam using impersonated emails that attempt to dupe business office employees into making office-related wire transfer payments.
The Federal Bureau of Investigation refers to the scam as the “Business Email Compromise,” or BEC scam.
Several businesses and non-profit organizations throughout the state have reported BEC scam attempts to the Consumer Protection Division. Over the past year, several targeted people have reported scam attempts, including employees of companies, a religious organization, a hospital, several non-profit organizations, and multiple county political party offices.
Scam Begins with Impersonated Internal Email Authorizing Wire Transfer
Typically, an office employee who is authorized to make payments receives an email that appears to be a legitimate payment authorization from an executive of that organization, which could include a chief executive, president, owner, or business manager. The impersonated email asks the employee to pay via wire transfer, often for office supplies or nondescript supplies. Payment requests range from hundreds to tens of thousands of dollars.
“We’ve had several close calls over the past several months where a targeted employee stopped just short of wiring a significant amount of money because he or she thought it was a supervisor who asked them to make the payment,” Attorney General Tom Miller said. “These emails look like they’re legitimate internal company or organizational requests, and that’s why this scam can be effective.”
FBI: Criminals Study Targets Online
According to an FBI alert issued last year, criminals behind the scams “monitor and study their selected victims…(and) are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment.” Criminals may search company/organization websites, other websites and social media to gain information about a target. These criminals generally operate from foreign countries.
A recipient may receive a fraudulent email from a compromised email account, an address that is nearly identical to a sender’s email address, or a spoofed account that the criminal manipulates to appear as if another sender (the company’s CEO, for example) wrote the email. A reply to a spoofed or forged email generally goes to a different address.
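The header-level signs described above (a near-identical sender address, an executive's name on an outside address, a reply that goes to a different address) can be checked mechanically by a mail filter. The sketch below is an added example, not part of the original release; the domain widgets.example, the name Pat Example, and all function names are assumptions made for illustration. A message sent from a genuinely compromised internal account shows none of these signs, so the check does not replace verifying the request in person or by phone.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "widgets.example"  # assumed: the organization's real mail domain
EXECUTIVES = {"pat example"}    # assumed: lower-cased executive display names

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-identical domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def bec_flags(raw, org_domain=ORG_DOMAIN, executives=EXECUTIVES):
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    flags = []
    if from_dom != org_domain:
        # Near-identical address: one or two characters off the real domain.
        if edit_distance(from_dom, org_domain) <= 2:
            flags.append("lookalike-domain")
        # Executive's display name on an address outside the organization.
        if display in executives:
            flags.append("executive-name-external-sender")
    # Spoofed sender: a reply would go to a different domain than From.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    return flags

# Constructed sample messages (not real mail).
SPOOFED = ('From: "Pat Example" <pat@widgets.example>\n'
           'Reply-To: pat@freemail.example\nSubject: Wire today\n\nPlease wire $9,500.\n')
LOOKALIKE = ('From: "Pat Example" <pat@wldgets.example>\n'
             'Subject: Wire today\n\nPlease wire $9,500.\n')
LEGIT = ('From: "Pat Example" <pat@widgets.example>\n'
         'Subject: Staff meeting\n\nMoved to 3pm.\n')

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(name, bec_flags(raw))
```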
“We urge companies and organizations with business offices or bookkeepers to discuss this scam with employees who are authorized to make payments,” Miller said. “This scam is a good reason for businesses and non-profits to review internal payment controls and security procedures,” Miller added.
Employees should be wary of any request for an office wire transfer—even if it appears to originate from a familiar source—and should be encouraged to verify a wire transfer request in person, by phone using a known number for that person who requested it, or through other authentication safeguards. Fraudulent requests often urge quick action, and request payment only through a wire transfer. Emails may contain grammatical errors, misspellings, or may be oddly worded.
If Victimized by the BEC Scam
A business or organization that is victimized by this scam should contact its financial institution as soon as possible and then report it to a local FBI office. Victims can also file an online complaint at the FBI’s Internet Crime Complaint Center at www.ic3.gov.