The Bank of New Cambria will never ask you to send personal or financial information by, in response to, or via a link in an Email. If you should receive such an email and still have a question about it, please contact our Customer Service Department at (660) 226-5211 or (660) 773-5211. It is always best practice not to open any email or email attachments from an untrusted source.
Affordable Care Act Phishing Campaign
The Bank of New Cambria, through US-CERT, is aware of a phishing campaign purporting to come from a U.S. Federal Government Agency. The phishing emails reference the Affordable Care Act in the subject and claim to direct users to health coverage information, but instead direct them to sites which attempt to elicit private information or install malicious code.
We encourages users to take the following measures to protect themselves:
- Do not follow links or download attachments in unsolicited email messages.
- Maintain up-to-date antivirus software.
- Refer to the Avoiding Social Engineering and Phishing Attacks Security Tip for additional information on social engineering attacks.
Business E-mail Compromise
The Business E-mail Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. Formerly known as the Man-in-the-E-mail Scam, the BEC was renamed to focus on the “business angle” of this scam and to avoid confusion with another unrelated scam. The fraudulent wire transfer payments sent to foreign banks may be transferred several times but are quickly dispersed. Asian banks, located in China and Hong Kong, are the most commonly reported ending destination for these fraudulent transfers.
The BEC is a global scam with subjects and victims in many countries. The IC3 has received BEC complaint data from victims in every U.S. state and 45 countries. From 10/01/20131 to 12/01/2014, the following statistics are reported:
- Total U.S. victims: 1198
- Total U.S. dollar loss: $179,755,367.08
- Total non-U.S. victims: 928
- Total non-U.S. dollar loss: $35,217,136.22
- Combined victims: 2126
- Combined dollar loss: $214,972,503.30
The BEC scam is linked to other forms of fraud, including but not limited to: romance, lottery, employment, and home/vacation rental scams. The victims of these scams are usually U.S. based and may be recruited as unwitting “money mules.”2 The mules receive the fraudulent funds in their personal accounts and are then directed by the subject to quickly transfer the funds using wire transfer services or another bank account, usually outside the U.S. Upon direction, mules may sometimes open business accounts for fake corporations both of which may be incorporated in the true name of the mule.
The “Attorney Check Scam” is another type of fraud that is linked to the BEC scam in the following manner:
- Attorneys are targeted to represent supposed (BEC) litigants in a payment dispute.
- Retainers in the form of checks are sent by (BEC) litigants to the attorney.
- The scam is revealed when either the checks are found to be fraudulent or the (BEC) litigants are contacted.
- While the payment disputes are real, the (BEC) litigants neither contacted nor retained that attorney for legal assistance.
The victims of the BEC scam range from small to large businesses. These businesses may purchase or supply a variety of goods, such as textiles, furniture, food, and pharmaceuticals. This scam impacts both ends of the supply chain, as both supplies and money can be lost and business relations may be damaged.
It is still largely unknown how victims are selected; however, the subjects monitor and study their selected victims prior to initiating the BEC scam. The subjects are able to accurately identify the individuals and protocol necessary to perform wire transfers within a specific business environment. Victims may also first receive “phishing” e-mails requesting additional details of the business or individual being targeted (name, travel dates, etc). Some victims reported being a victim of various Scareware or Ransomware cyber intrusions, immediately preceding a BEC scam request.
VERSIONS OF THE BEC SCAMBased on IC3 complaints and other complaint data received since 2009, there are three main versions of this scam:
A business, which often has a long standing relationship with a supplier, is asked to wire funds for invoice payment to an alternate, fraudulent account. The request may be made via telephone, facsimile or e-mail. If an e-mail is received, the subject will spoof the e-mail request so it appears very similar to a legitimate account and would take very close scrutiny to determine it was fraudulent. Likewise, if a facsimile or telephone call is received, it will closely mimic a legitimate request. This particular version has also been referred to as “The Bogus Invoice Scheme,” “The Supplier Swindle,” and “Invoice Modification Scheme.”
The e-mail accounts of high-level business executives (CFO, CTO, etc) are compromised. The account may be spoofed or hacked. A request for a wire transfer from the compromised account is made to a second employee within the company who is normally responsible for processing these requests. In some instances a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank “X” for reason “Y.” This particular version has also been referred to as “CEO Fraud,” “Business Executive Scam,” “Masquerading,” and “Financial Industry Wire Frauds.”
An employee of a business has his/her personal e-mail hacked. Requests for invoice payments to fraudster-controlled bank accounts are sent from this employee’s personal e-mail to multiple vendors identified from this employee’s contact list. The business may not become aware of the fraudulent requests until they are contacted by their vendors to follow up on the status of their invoice payment.
CHARACTERISTICS OF BEC COMPLAINTS
The IC3 has noted the following characteristics of BEC complaints:
- Businesses and personnel using open source e-mail are most targeted.
- Individuals responsible for handling wire transfers within a specific business are targeted.
- Spoofed e-mails very closely mimic a legitimate e-mail request.
- Hacked e-mails often occur with a personal e-mail account.
- Fraudulent e-mail requests for a wire transfer are well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.
- The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent e-mail requests.
- The amount of the fraudulent wire transfer request is business specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as to not raise doubt.
- Fraudulent e-mails received have coincided with business travel dates for executives whose e-mails were spoofed.
- Victims report that IP addresses frequently trace back to free domain registrars.
SUGGESTIONS FOR PROTECTION
The IC3 suggests the following measures to help protect you and your business from becoming victims of the BEC scam:
- Avoid Free Web-Based E-mail: Establish a company web site domain and use it to establish company e-mail accounts in lieu of free, web-based accounts.
- Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchal information, and out of office details.
- Be suspicious of requests for secrecy or pressure to take action quickly.
- Consider additional IT and Financial security procedures and 2-step verification processes. For example -
- Out of Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
- Digital Signatures: Both entities on either side of transactions should use digital signatures. However, this will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.
- Delete Spam: Immediately delete unsolicited e-mail (spam) from unknown parties. Do NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
- Forward vs. Reply: Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
- Significant Changes: Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been on a company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
University Employee Payroll Scam
University employees are receiving fraudulent e-mails indicating a change in their human resource status. The e-mail contains a link directing the employee to login to their human resources website to identify this change. The website provided appears very similar to the legitimate site in an effort to steal the employee’s credentials. Once the employee enters his/her login information, the scammer takes that information and signs into the employee’s official human resources account to change the employee’s direct deposit information. This redirects the employee’s paycheck to the bank account of another individual involved in the scam.
Consequences of this Scam:
- The employee’s paycheck can be stolen.
- The money may not be returned in full to the employee.
- The scammers can take the employee’s log-in credentials and attempt to log into other accounts that belong to the employee.
- Look for poor use of the English language in e-mails such as incorrect grammar, capitalization, and tenses. Many of the scammers who send these messages are not native English speakers.
- Roll your cursor over the links received via e-mail and look for inconsistencies. If it is not the website the e-mail claims to be directing you to then the link is to a fraudulent site.
- Never provide credentials of any sort via e-mail. This includes after clicking on links sent via e-mail. Always go to an official website rather than from a link sent to you via e-mail.
- Contact your personnel department if you receive suspicious e-mail.
If you have been a victim of this scam, you may file a complaint with the FBI’s Internet Crime Complaint Center at www.IC3.gov. Please reference I-011315b-PSA in your complaint.