If you pay any attention to any news stream, you'll see a near-constant flow of articles warning you about the latest scam to prey on unwary individual consumers: advance-fee job scams, Facebook like-farming scams, jury-duty or notice-to-appear scams, IRS scams, phishing scams, and more.
With all this focus on scams targeting individual people, it's sometimes easy to overlook the scams that target businesses. But that would be a mistake. Indeed, from a scammer's perspective, a business (or non-profit) of a certain size can be easier to fool than an ordinary billpayer – mainly because businesses typically have a lot more bills to pay.
In January, for example, we warned you about a then-new variant of the “invoice scam,” a classic form of fraud wherein the scammer sends out fake bills or invoices in hope that the victim will pay those fraudulent bills in addition to real ones. At the time, the U.S. Postal Service estimated that American businesses lose millions if not billions of dollars to such scams every year – though the exact amount is probably impossible to determine, because the scam's very nature means many of its victims have no idea they're being victimized.
At any rate, that new variant of the “fake invoice scam” might be called the “real invoice scam” — although the FBI's Internet Crime Complaint Center (or IC3) dubbed it the “Business E-Mail Compromise.”
Here's how it works: let's say you own (or have a job handling payments for) a candy-making company. If so, there are many suppliers to whom your business makes regular payments: candy-makers need to buy massive quantities of sugar, corn syrup, chocolate liquor, and/or other raw ingredients used to make candies.
If I'm a modern invoice scammer, chances are I needn't even bother with an invoice. All I have to do is send an official-looking email to your @candymaker.com business address, while pretending to be one of your suppliers: “Hello, this is SugarCorp writing to inform you that we've recently switched banks. Please update our information in your payment database: instead of sending SugarCorp payments to account Y at bank Z, send future payments to account A at bank B.” Then I relax, have a drink, and watch the money roll in – at least until the real SugarCorp contacts your Accounts Payable department to ask why they haven't been paid.
And if my scamming self has actual hacking skills, rather than the mere ability to write a convincing-looking fake email, then so much the better: instead of waiting for one of your employees to fall for my scambait and divert payments to me, I can simply hack into the right account and make those arrangements on my own.
In January, the IC3 issued a report saying that from Oct. 1, 2013 through Dec. 1, 2014, it received complaints about this scam from every U.S. state and 45 other countries, totaling 1,198 American victims who lost a combined $179,800,000, and 928 non-Americans who lost a combination of non-U.S. currencies worth $35,220,000 – worldwide losses across 46 nations totaling $215 million in 14 months.
And either the pace of such scams is quickening, or vastly more victims have come forward, since that January report. Yesterday, when the Wall Street Journal ran an article about such email business fraud, it said “Companies across the globe lost more than $1 billion from October 2013 through June 2015 as a result of such schemes, according to the Federal Bureau of Investigation. The estimates include complaints from businesses in 64 countries, though most come from U.S. firms.”
Compare that to what the FBI said in its January IC3 report: from October 2013 through last December, worldwide losses were less than a quarter-billion dollars – and only seven months later that total had more than quadrupled to over a billion dollars.
One recent victim profiled in the Journal lost $100,000 to such a scam in April, only instead of a candymaker losing money to a bogus sugar producer, it was a scrap-metal producer scammed by a fake titanium vendor. David Megdal, vice-president of a Phoenix-based scrap processing company called Mega Metals, said that the company had wired $100,000 to a German vendor (or so it thought) as payment for 40,000 pounds of titanium shavings. But sometime after Mega Metals made that April wire transfer, the real titanium vendor let the company know it still hadn't received payment.
Turns out that an unknown “third party” had managed to compromise the email account of a broker who works for Mega Metals. An inspection of the malware on the broker's computer shows that the thieves managed to steal the passwords to the broker's email, then used that access to make alterations to legitimate payment arrangements.
Bad as this loss was, it could've been much worse – $100K is a relatively small transaction for Mega Metals, which pays up to $5 million for some (legitimate) shipments. In order to avoid future repeats of this scam, the company now verifies email wire transfer instructions with a phone call to the company receiving payment – and does not call any number provided in the email itself.
Mega Metals has basically adopted an anti-phishing rule we've repeated here often: “Don't call me; I'll call you.”
In other words, be suspicious of any unsolicited email (or text, or phone call) you get reporting problems or changes with your accounts – even if that email does seem to be from a legitimate business, financial or government institution. If you're worried about a problem with your Netflix account, bank account, or anything else, it's okay if you contact Netflix or your bank, but be wary when Netflix or your bank allegedly contacts you.
If you're a business owner, it's fine for you to contact your suppliers about issues regarding payment arrangements – but if someone claiming to represent your supplier contacts you to request a change, you must verify this on your own rather than taking that unsolicited message at its word. You didn't call them; they called you, and in today's world that's a warning sign of a scam.