FBI Warns of Increase in COVID-19 Related Business Email Compromise Scams
The Federal Bureau of Investigation has issued a warning following a rise in Business Email Compromise (BEC) attacks that are taking advantage of uncertainty surrounding the COVID-19 pandemic.
BEC is the term given to an attempt to fool individuals responsible for performing legitimate transfers of funds into sending money to a bank account controlled by the attacker. This is achieved by impersonating an individual within a company that the victim usually conducts business with. A typical attack scenario will see an email sent to an individual in the finance department requesting a change to bank account information for an upcoming payment.
Several COVID-19-themed attacks have recently been reported to the FBI’s Internet Crime Complaint Center (IC3), and municipalities purchasing personal protective equipment (PPE) and other essential supplies to use in the fight against COVID-19 are being targeted.
In the alert, the FBI offered two recent examples of COVID-19 BEC scams. The first involved a scammer impersonating the CEO of a company and requesting that a scheduled $1 million payment be brought forward due to the Coronavirus outbreak and quarantine processes and precautions. In the emails to employees at an unnamed financial institution, the scammer provided different bank account details for the payment. The email address used by the scammer was identical to the email address of the CEO apart from a single letter.
The second example saw a scammer pose as a client in China who requested all invoices be paid to a different bank account as the current bank was undergoing Coronavirus audits. Several wire transfers were sent to the new account before the scam was detected, resulting in significant financial losses.
The COVID-19 pandemic has given BEC scammers a plausible reason for requesting urgent payments, bank account changes, and alterations to standard payment practices. Individuals responsible for payroll and bank transfers should be on high alert and should treat any COVID-19 related updates to bank account information or changes to standard payment processes as suspicious.
There are several red flags that individuals should look out for to avoid becoming a victim of a BEC scam. These include unexplained urgency in email requests, last-minute changes to bank account information or wire transfer instructions, changes to established payment practices and communications channels, requests to only communicate via email or chat platforms, and requests for advance payments. Scammers also impersonate employees and request changes to direct deposit information.
In all cases, any request for a payment change should be verified by phone using contact information on file. Never use contact information provided in the email. Email addresses should be checked to make sure they are the same as previously used email accounts, and domains and URLs should be carefully checked for any misspellings of domain names, transposed letters, and foreign characters.
If you believe you may have been a victim of a BEC scam, you should contact your financial institution immediately to recall any transferred funds, and your employer should report the incident to the FBI’s Internet Crime Complaint Center at https://bec.ic3.gov/