Business email compromise (BEC), a multi-billion dollar subset of phishing threats, might need a new name because the scams are no longer just about email. The FBI warns that scammers have ramped up video meetings as a tool to trick unsuspecting victims into handing over their money.
Virtual meeting tools like Microsoft Teams and Zoom were the big winners of video during the pandemic. And where users go, unfortunately the scammers follow.
BEC usually relies on fake, spoofed or compromised email domains to relay messages to targets with the aim of fooling them into making a wire transfer. The scams are technically simple but are often peppered with carefully constructed backstory conducted via email that fools even well-trained employees. It is the top category of cybercrime measured by funds lost, which totalled $1.8 billion in 2020 based on cases reported to the FBI. BEC dwarfs reported ransomware losses.
But BEC is not just about email. The FBI’s Internet Crime Center (IC3) says it has seen a surge in BEC scams using video meetings as the forum to communicate. This happened between 2019 and 2021, corresponding to the world’s shift to video meetings as we all adjusted to the COVID-19 pandemic and remote working.
Video might not seem the most obvious medium for this type of scam because a meeting requires a live presence rather than just some text in an email. But apparently video works when used in combination with email: attackers use a compromised mailbox to insert themselves into a subsequent, trusted video conversation.
“Criminals began using virtual meeting platforms to conduct more BEC related scams due to the rise in remote work because of the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually,” the FBI said.
The BEC scam with video does still involve email as part of reconnaissance. The attacker compromises employee emails and “inserts themselves in workplace meetings via virtual meeting platforms to collect information on a business’s day-to-day operations,” the FBI notes.
The scammer can also break into an employer’s email, such as that of the CEO, and send spoofed emails to employees “instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer.”
Scammers may also ask employees to participate in a virtual meeting platform where the criminal will insert a still picture of the CEO with no audio, or “deep fake” audio, and claim their video/audio is not properly working. “They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email,” the FBI said.
BEC scams defy a clean definition because they can involve outsiders or insiders and often require just one legitimate officer to make an authorized transfer under false scenarios concocted by the scammer, such as an urgent email from a financial controller to a subordinate on a Friday afternoon.
The FBI does offer several tips that employers should take note of. It’s a tough one for employers when employees can use Teams, Zoom, Google Meet, Slack or even Discord to have a video meeting.
Employers and employees should, for example, “confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting,” says the FBI.
The FBI also recommends implementing two-factor or multi-factor authentication (MFA) to verify requests for changes in account information. MFA might slow processes down but it does work and should be used for high-value accounts. Microsoft says only a fifth of organizations had enabled MFA for enterprise email accounts in 2021.
The FBI’s advice also contains some fairly obvious guidance about protecting financial details that may be forgotten during the normal course of business with trusted partners, including checking the URLs in emails, watching out for hyperlinks with misspelled domain names, and not sharing login credentials by email.
The FBI’s full list of dos and don’ts includes:
- Confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.
- Use secondary channels or two-factor authentication to verify requests for changes in account information.
- Ensure the URL in emails is associated with the business/individual it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Refrain from supplying login credentials or personal information of any sort via email.
- Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
- Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
- Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
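Several of the items above (checking that URLs belong to the business they claim to be from, watching for misspelled domain names, verifying that the sender's address matches who the message appears to come from) can be partly automated on the receiving side. The script below is an added example written for this page, not code from the FBI or the article. It assumes a placeholder allowlist of trusted domains (`TRUSTED_DOMAINS`, constructed) and audits a constructed sample message built around the "CEO stuck in a virtual meeting" pretext: it flags lookalike sender and link domains (homoglyph folding plus a small edit-distance threshold), a display name that shows a trusted address while the real sender differs, a Reply-To pointing elsewhere, and anchor text that shows one domain while the href points to another.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist of domains this organisation normally deals with
# (assumed placeholders, not real organisations).
TRUSTED_DOMAINS = {"example.com", "partner-bank.example"}

# Character substitutions commonly seen in lookalike domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(domain: str) -> str:
    """Fold common homoglyphs so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for lookalike, real in HOMOGLYPHS.items():
        d = d.replace(lookalike, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a host name."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if normalize(reg) == normalize(trusted) or edit_distance(reg, trusted) <= 2:
            return f"lookalike of {trusted}"
    return "unknown"


def check_links(html: str) -> list:
    """Flag lookalike link hosts and anchors whose visible URL differs from the href."""
    findings = []
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        href_host = urlparse(href).hostname or ""
        verdict = classify_domain(href_host)
        if verdict.startswith("lookalike"):
            findings.append(f"link host {href_host} is a {verdict}")
        shown = re.search(r"https?://([^/\s<]+)", text)
        if shown and registrable(shown.group(1)) in TRUSTED_DOMAINS \
                and registrable(href_host) not in TRUSTED_DOMAINS:
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
    return findings


def check_sender(from_header: str, reply_to: str = "") -> list:
    """Flag lookalike sender domains, display-name impersonation and Reply-To mismatch."""
    findings = []
    name, addr = parseaddr(from_header)
    sender_dom = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    verdict = classify_domain(sender_dom)
    if verdict.startswith("lookalike"):
        findings.append(f"sender domain {sender_dom} is a {verdict}")
    if "@" in name:  # display name looks like an address: compare it with the real one
        name_dom = name.rsplit("@", 1)[-1].strip('"<> ')
        if registrable(name_dom) in TRUSTED_DOMAINS and registrable(sender_dom) not in TRUSTED_DOMAINS:
            findings.append(f"display name shows {name_dom} but message is from {sender_dom}")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        rt_dom = rt_addr.rsplit("@", 1)[-1] if "@" in rt_addr else ""
        if registrable(rt_dom) != registrable(sender_dom):
            findings.append(f"Reply-To domain {rt_dom} differs from sender domain {sender_dom}")
    return findings


def audit_message(raw: str) -> list:
    """Parse a raw RFC 822 message and return all findings from the checks above."""
    msg = message_from_string(raw)
    findings = check_sender(msg.get("From", ""), msg.get("Reply-To", ""))
    findings += check_links(msg.get_payload())
    return findings


# Constructed sample message imitating the "CEO stuck in a meeting" pretext.
SAMPLE_MESSAGE = """\
From: "ceo@example.com" <ceo@examp1e.com>
Reply-To: ceo@mail.example.net
Subject: Urgent transfer - I am on a Teams call
Content-Type: text/html

<p>I cannot do this from my own computer, please send the wire now.</p>
<a href="https://portal.partner-bank.exarnple/wire">https://portal.partner-bank.example/wire</a>
"""

if __name__ == "__main__":
    for finding in audit_message(SAMPLE_MESSAGE):
        print("WARNING:", finding)
```

Run against the constructed message, the audit produces five findings: a lookalike sender domain, a display name impersonating a trusted address, a Reply-To on a different domain, a lookalike link host, and a link whose visible URL does not match its target. The registrable-domain logic is deliberately naive (last two labels, no public-suffix list) and the edit-distance threshold will produce false positives on very short domains; a production mail gateway would use a public-suffix library and tune the threshold per domain length.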