14 DAY TRIAL // The average user does not rely on email to keep in touch with friends, but this method is the main avenue of communication for businesses; and crooks know this all too well.
Spotting a run-of-the-mill email scam should not be too difficult for an English speaker, and email services rely on different filters to spot spam or dangerous messages and prevent them from reaching a user’s inbox.
However, some cybercriminal rings have found ways to bypass the security measures and to contact potential victims, who are oftentimes selected based on a required profile.
Work-from-home scam
The FBI issued an alert last week about the “work-from-home” email scam, aimed at college students in order to guarantee that a higher number of potential victims would reply.
The message is also devised to meet the needs of this particular category of individuals, offering attractive remuneration in exchange for little effort. However, the work requires the victim to move some money through their own bank account.
Basically, the victim is tricked either into using their account or setting up a new one under their name, they receive some funds (which are obtained through illicit means) and have to wire transfer some of it to a different bank account controlled by the cybercriminal.
When the initial fraud is discovered, the trail points to the victim, who may also suffer consequences from law enforcement and the bank.
This way, the victim is basically turned into a money mule without even knowing it. The fraudsters get their share of the loot and they can continue their nefarious business since the individual who made the transfer to them knows nothing about the operation.
Keeping safe from this type of fraud is quite simple if the one basic rule is followed: never accept money to be passed through a personal bank account, regardless of how high the remuneration promised is.
Poor English is a clear sign that the writer is not a native speaker; as such, grammar errors or incorrect tenses from someone pretending to be from an English-speaking country should ring some alarm bells.
Business email compromise scam
Fraudsters targeting businesses run a different type of game. They aim at big prizes that could put hundreds of thousands of dollars in their pockets.
Cybercriminals involved in this are well organized and do their homework on the target before hitting it. Sometimes, they compromise the email account of a top executive in a company and use it to ask whoever is responsible (treasurer, accounting officer) to send a wire transfer to a bank account they control.
In a simpler approach observed by law enforcement, crooks register a domain that is similar to the one used by the victim company; the rest of the scam remains the same.
More elaborate schemes consist in the criminals fooling the victim into delivering goods worth a large sum of money to a specific location or even to a different country. The crooks make it clear to the victim that the merchandise needs to be sent urgently and provide them with fake financial documentation to attest the payment.
Alternatively, a company receives a message from a supplier to wire funds for any invoice payment to a different account, which is actually controlled by the crooks. In this scheme, the fraudsters pick parties that have been in a business relationship for a long time and the communication may arrive via email, fax or even telephone.
Email scams targeting businesses are obviously not as frequent as those aiming at average users, but each hit is also much more profitable.
In a recent alert, the Internet Crime Complaint Center (IC3) said that in 14 months the losses recorded through this type of fraud were of almost $215 / €191 million, most of the money ending up in accounts opened at Asian banks.
Identifying this sort of scam is not too easy, since fraudsters spend a lot of time gathering information about the target in order to devise the appropriate method of attack.
However, paying attention to the sender’s email address, as well as seeking confirmation for a wire transfer that is not part of the usual pattern (pressure to complete the transaction, requests from personal email accounts), should help prevent the fraud attempt.
On the same note, the IC3 advises setting up a second authentication factor that should be used for confirmation when unusual requests are received.