Rising Trends in Email Scams and Phishing

From large to small, the financial services sector is often the target of email phishing schemes and other malicious attacks, and credit unions are no exception. The FBI reports that Business Email Compromise or Email Account Compromise (BEC/EAC) has seen a surge in those types of attacks, now a “$26 billion scam.” These exorbitant losses have prompted the FBI and law enforcement to become highly versed in the nature of these scams and how they are perpetuated. Still, fraudsters are always using more cunning methods to successfully access sensitive information.

Business Email Compromise is on the rise

Account takeovers are a part of this influx in Business Email Compromise, though some also speculate that these account takeovers include data gathering, which is then used to create ACH files. The Association for Financial Professionals (AFP) survey reports that ACH credit scams using BEC rose from 12 percent in 2017 to 33 percent in 2018. 

BEC is a robust effort on the part of fraudsters, who target those in companies with financial credentials access through a variety of measures. This may include social engineering, or grooming, combined with network intrusions. It’s a patient effort and one that continues to rapidly develop as these efforts continually seek to evade law enforcement. These fraudsters can cultivate the appearance of a relied vendor or another business, and exploit those with access to financials to provide sensitive information.

Fraudsters do their homework

It would seem that most phishing scams are obvious and avoidable, but the ingenuity of hackers and the development of new technologies and tactics indicate that companies need to stay on their toes through protection and cybersecurity education. Those seeking to infiltrate accounts and information will take the time to even look at social media accounts and other marketing to understand the culture of a company.

Email fraudsters have become savvier at making payroll fraud schemes appear to be official direct deposit submission forms, and might include an email with details requesting changes to direct deposit information. When that information is provided, the information points to another account, often a prepaid card. For example, one type of email scam includes a link to a spoof login page. When employees input their credentials to this page, the fraudster can use this information to access other employees’ personal information. 

In other cases, the fraudster might not request a transfer of funds. Rather, they are looking to obtain W-2 forms and Personally Identifiable Information.

Even while fraudsters are developing new methods of getting in, they’re also developing new methods of getting away. Domestic wire transfers have become more common than international ones, as law enforcement is now savvier at detecting those transactions when they are international since there is a slight delay in processing. During that lag in time, law enforcement is able to step in and stop the transfer. 

In 2018, Operation WireWire, involving the efforts of the Department of the Treasury, U.S. Postal Inspection Service, and the Department of Homeland Security, a six-month mission which resulted in dozens of arrests across the globe, and helped to recover $14 million worth in fraudulent wire transfers. 

Steps for prevention

The efforts of fraudsters have a significant impact on the global economy. Learning how to stop these malicious attacks on your business not only helps to ensure your members’ well-being but contributes to a greater purpose.

Educate your employees: 

Give employees clear, actionable instructions for looking out for the following:

  • Mismatched emails or URLs that don’t represent the business or person it claims to be sent from;
  • Any misspellings or unfamiliar URLs should be an immediate red flag;
  • Get versed in the most common leading BEC email keywords used in 2018;

Steps you can take:

  • Enable two-factor authentication or use another channel to verify requests for account changes.
  • Monitor finances and note any irregularities, especially missing deposits. 
  • Update all systems and keep software patches on

Being the victim of BEC can be an enormous financial loss and blow to a company.

In our compatibility with various types of credit union software, we provide an advantage to a wider berth of credit unions. We help you to provide a sense of security to your customers. 

If you’d like to learn how you can stay protected against financial cybercrime, get in touch.

Read more about why credit unions are a common target of email scams.


Why Credit Union Employees and Officers are Scam Targets

Business Email Compromise Scams (BEC) are hitting financial institutions hard, and the threat only seems to be increasing. CEOs, CFOs, and financial employees are at a high risk of being targeted in BEC schemes, regardless of company size.  Whether a small, community credit union or a multi-million dollar financial institution, these targeted schemes are impacting the bottom line for businesses across the globe – and here is what they all have in common: the targeted business must work with foreign suppliers and/or utilize wire transfer payments regularly.

What is a BEC Scam?

Also known as CEO fraud, and more generically phishing, a BEC scam isn’t carried out until the attacker(s) have done their research, ensuring a more favorable outcome. The criminals first choose a business to target and will then do online research via social media channels to locate the exact, accurate names of the CEO and CFO, finally targeting an employee — usually one that works in the finance department, company attorney, long-time company vendor, or client — to carry out the attack against.

Once a target has been selected, the criminals then send fraudulent email correspondence usually impersonating the CEO or CFO of the target company, attempting to fool the victim into initiating a wire transfer.

If successful, the BEC attack will result in gaining access to the target’s business systems and records, including employee credentials, and the possibility of an enormous financial loss for the target company.

How Can these Scams be Effective?

While it may seem like common sense may be all that’s required to avoid BEC and phishing scams, the criminals are quite savvy in determining what to say or do, in order to obtain the desired action from the target. These criminals are educated, intelligent, and have spent countless hours planning these attacks. According to the experts at FraudWatchInternational.com, there are several ways in which the criminals will create a feeling of legitimacy in these efforts, including:

  • Spoofing of legitimate email addresses;
  • Writing in an urgent tone, asking the victim for the funds to be transferred immediately;
  • Writing that “they” (the CEO or CFO) are in a meeting and cannot be disturbed with emails, texts or phone calls;
  • Giving the idea that that the sender of the email is using a mobile device to create and send the email, by including the signature “Sent from my iPad”, instead of the standard corporate email signature. This is one of the most effective methods, as the normal “red flags” (typos, poor grammar, lack of corporate signature), because mobile devices are often “excused” from triggering them.

BEC Scam Facts

Keeping a close watch on cybercrime – particularly BEC scams – the FBI compiled the following statistics, as reported from 2016:

  • BEC scams have occurred in every U.S. state, and in a minimum of 80 countries;
  • More than 17,000 people were victims of BEC scams from From October 2013 to February 2016, with losses exceeding $2 billion USD;
  • There has been a 270 percent increase in exposed losses and identified victims of BEC scams since January 2015.

Minimize Your Risk Through Education

Educate employees about the various ways in which criminals target financial institutions and their workforces will add an extra layer of protection. Be sure to:

  • provide employees with proper, accurate and thorough training about targeted cybercrime, and ways to validate the legitimacy of correspondence.
  • require careful monitoring of email addresses, to help avoid spoofing attempts.
  • stress the importance of questioning anything suspicious. Regardless of the instruction received in email, encourage employees to ensure the validity of the request through contact with the implied sender, or his/her designated representative
  • utilize two-factor or multi-level authentication procedures for every wire transfer, regardless of situation or circumstance.

At IMS, we sincerely care about the protection and privacy of your data, employees, and members. We work with credit unions nationwide, to assist in minimizing risks and maintaining the safety of your data. If you would like to discuss how we can help protect you against financial cybercrime, contact us today or complete the form below!

Contact