Business email compromise (BEC), a multi-billion dollar subset of phishing threats, might need a new name because the scams are no longer just about email. The FBI warns that scammers have ramped up video meetings as a tool to trick unsuspecting victims into handing over their money.
BEC usually relies on fake, spoofed or compromised email domains to relay messages to targets with the aim of fooling them into making a wire transfer. The scams are technically simple but are often peppered with a carefully constructed backstory conducted via email that fools even well-trained employees.
But BEC is not just about email. The FBI's Internet Crime Center (IC3) says it has seen a surge in BEC scams using video meetings as the forum to communicate. This happened between 2019 and 2021, corresponding to the world's shift to video meetings as we all adjusted to the COVID-19 pandemic and remote working.
Video might not seem the most obvious medium for this type of scam because meetings require a physical presence and not just some text in email. But apparently video works when used in combination with email, which attackers are using to insert themselves in a subsequent trusted video conversation.
"Criminals began using virtual meeting platforms to conduct more BEC-related scams due to the rise in remote work because of the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually," the FBI said.
The BEC scam with video does still involve email as part of reconnaissance. The attacker compromises employee emails and "inserts themselves in workplace meetings via virtual meeting platforms to collect information on a business's day-to-day operations," the FBI notes.
The scammer can also break into an employer's email, such as that of the CEO, and send spoofed emails to employees "instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer."
Scammers may also ask employees to participate in a virtual meeting platform where the criminal will insert a still picture of the CEO with no audio, or "deep fake" audio, and claim their video/audio is not properly working. "They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email," the FBI said.
BEC scams defy a clean definition because they can involve outsiders or insiders and often require just one legitimate officer to make an authorized transfer under false scenarios concocted by the scammer, such as an urgent email from a financial controller to a subordinate on a Friday afternoon.
The FBI does offer several tips that employers should take note of. It's a tough one for employers when employees can use Teams, Zoom, Google Meet, Slack or even Discord to have a video meeting.
Employers and employees should, for example, "confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting," says the FBI.
The FBI also recommends implementing two-factor or multi-factor authentication (MFA) to verify requests for changes in account information. MFA might slow processes down but it does work and should be used for high-value accounts. Microsoft says only a fifth of organizations enable MFA for enterprise email accounts in 2021.
The FBI's advice contains somewhat obvious advice about protecting financial details that may be forgotten during the normal course of business with trusted partners, including checking the URLs in emails, waiting out for hyperlinks, and sharing login credentials.
The FBI's full list of dos and don'ts include:
Welcome!
If you are reading this guide, you are about to embark on a process that will help your organization harness the potential of technology to deliver your mission and best serve your community. Proactively planning for technology is about more than replacing old computers (although that might be part of your plan!). This process will help your organization fundamentally shift the way you approach technology investments toward greater mission achievement and community impact. It will identify opportunities for technology to help you control costs, reduce risk, raise funds, and empower staff.
Strategic technology planning – much like any strategic planning process – is a comprehensive look at the current state and the desired future state for your organization. If you just need some new computers, this may not be the right process. But if you are ready to treat technology as a mission-critical investment that can accelerate your organization’s impact, you are in the right place! Your nonprofit has much to gain from appropriately integrating technology into your operations, communications, fundraising, and service delivery. This guide offers step-by-step support to help you lead your organization through technology planning, resulting in a roadmap to smart technology use.
Acknowledgements
This guide has been produced through the generous support of the Rasmuson Foundation, a private foundation that works as a catalyst to promote a better life for Alaskans. Learn more at www.rasmuson.org. It was written and edited by Lindsay Bealko of Toolkit Consulting, who helps mission-minded organizations design creative communications, engaging education, and powerful programs. Learn more at www.toolkitconsulting.com.
Special thanks to Orion Matthews and Jeremiah Dunham of DesignPT for their substantial contributions to and reviews of this guide to make it as useful as possible to nonprofit organizations who are ready to harness the strategic potential of technology. Learn more and request help with your strategic technology plan at www.designpt.com.
Please help us improve our website by providing your feedback