Scammers are targeting business owners more aggressively than ever. The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) reports in its most recent statistics that total losses due to internet crime rose to $10.3 billion in 2022, a 49% increase over the $6.9 billion in losses reported in 2021. [1]
It’s not a matter of if, but when your business will be targeted by a fraudster. As a business owner, you simply cannot afford not to be educated about these scams and ensure your employees are hypervigilant. At Dallas Capital Bank, keeping your information and accounts secure is our top priority. It takes all of us to stay aware of scams and alert to changes in your accounts to prevent your business from being the next victim.
The following are the most common scams impacting businesses of all sizes:
- Spoofing: Spoofing is when someone disguises an email address, sender name, phone number, or website URL—often just by changing one letter, symbol, or number—to convince you that you are interacting with a trusted source. Criminals count on being able to manipulate you into believing that these spoofed communications are real, which can lead you to download malicious software (malware), send money, or disclose personal, financial, or other sensitive information. [2]
- Phishing: Phishing schemes often use spoofing techniques to lure you in and get you to take the bait. These scams are designed to trick you into giving information to criminals that they shouldn’t have access to. In a phishing scam, you might receive an email that appears to be from a legitimate business and is asking you to update or verify your personal information by replying to the email or visiting a website. The web address might look similar to one you’ve used before. The email may be convincing enough to get you to take the action requested. But once you click on that link, you’re sent to a spoofed website that might look nearly identical to the real thing—like your bank or credit card site—and asked to enter sensitive information like passwords, credit card numbers, banking PINs, etc. These fake websites are used solely to steal your information.
Phishing has evolved and now has several variations that use similar techniques:
- Vishing scams happen over the phone, voicemail, or VoIP (voice over Internet Protocol) calls.
- Smishing scams happen through SMS (text) messages.
- Pharming scams happen when malicious code is installed on your computer to redirect you to fake websites. [2]
- Business Email Compromise (BEC): BEC, also known as email account compromise (EAC), is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional. In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, often an invoice or payment change instructions. These requests could come from spoofed email accounts or websites, spearphishing emails (messages that look like they’re from a trusted sender to trick victims into revealing confidential information), or infiltration via malware. [3]
- Invoice Fraud and Vendor Impersonation: Fraud can occur when a business receives an unsolicited request, purportedly from a valid contractor or vendor, to update payment information, often a change to ACH or wire payment instructions. [4] Many times these are real invoices that have been modified, changing the bank details to misdirect payments to fraudulent accounts. [5] Although any business entity could be the target of this type of social engineering attack, public sector entities seem to be specifically targeted because their contracting information is often a matter of public record. [4]
- Check Theft and Check Washing: Criminals steal paper checks sent through the mail, both from USPS and personal mailboxes. Once they have a check you wrote, they use chemicals to “wash” the check to change the amount or make themselves the payee. They then deposit your check and steal money from your account. [6]
- Ransomware: Ransomware is a type of malware that prevents you from accessing your computer files, systems, or networks and demands that you pay a ransom for their return. Ransomware attacks can cause costly disruptions to operations and the loss of critical information and data. You can unknowingly download ransomware onto a computer by opening an email attachment, clicking an ad, following a link, or even visiting a website that has been embedded with malware. Once the code is loaded on a computer, it will lock access to the computer itself or to the data and files stored there. More menacing versions can encrypt files and folders on local drives, attached drives, and even networked computers. Most of the time, you don’t know your computer has been infected. You usually discover it when you can no longer access your data, or you see computer messages letting you know about the attack and demanding ransom payments. [7]
- Account Takeover: Identity theft in which a criminal steals a business’s or individual’s valid online banking credentials and uses them to initiate funds transfers out of the account. Criminals may obtain these credentials by mimicking a financial institution’s website, using malware and viruses to compromise a system and gain account access, or using social engineering to induce customers to reveal security credentials or other sensitive data. Fraudsters may initiate contact by email, phone, fax, or mailed letter to obtain sensitive information. [8]
To avoid being a victim of these scams, follow these “Dos and Don’ts” to protect your accounts and sensitive information:
- DON’T share. By openly sharing things on social media like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions. Do not provide nonpublic business information on social media. Never give out personal financial information in an email or over the phone unless you have initiated the contact.
- DON’T click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing) and call the company to ask if the request is legitimate.
- DO be on guard. Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust. Be careful what you download. Never open an email attachment from someone you don't know and be wary of email attachments forwarded to you. Remember that companies generally don’t contact you to ask for your username or password.
- DO call to confirm. Verbally authenticate any payment changes via the telephone. Call a known phone number, from your records or even the cell phone of an account owner; don’t trust the phone number listed on a suspicious email or invoice requesting payment changes. If you must use email, do not use the “reply” option when authenticating emails for payment requests. Instead, use the “forward” option and type in the correct email address or select it from a known address book.
- DO educate and train employees to recognize, question, and independently authenticate changes in payment instructions, requests for secrecy, pressure to take action quickly, and any change of payment method (e.g., ACH to wire).
- DO use the tools provided by Dallas Capital Bank. Review your accounts online daily to monitor for fraudulent transactions. Sign up for text or email alerts for certain types of transactions. Initiate payments using dual controls. Do not ignore calls from a financial institution questioning the legitimacy of a payment. Utilize ACH automatic payments and other electronic and/or mobile payments such as Zelle™.
- DO keep operating systems, software, and applications current and up to date. Make sure anti-virus and anti-malware solutions are set to automatically update and run regular scans. Back up data regularly and double-check that those backups were completed. Secure your backups. Make sure they are not connected to the computers and networks they are backing up. Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
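As an added illustration (not code from Dallas Capital Bank or this post) of the one-character lookalike addresses described under Spoofing and the “DO be on guard” advice above, this Python check compares the domain in an email's From: header against a business's own list of trusted domains; the trusted domain names, sample headers and homoglyph table are constructed assumptions.

```python
"""Flag sender domains that imitate a trusted domain (added example, constructed data)."""
from email.utils import parseaddr

# Constructed list of domains this business already does business with (assumption).
TRUSTED_DOMAINS = {"trustedvendor.com", "citypayroll.org"}

# Character substitutions that look alike in many fonts; an assumed, non-exhaustive table.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "5": "s"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case and collapse look-alike characters so 'vend0r' compares equal to 'vendor'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike:<imitated domain>' or 'unknown' for a From: header.

    The display name is ignored on purpose: a spoofed message can carry any name,
    so only the address's domain is compared."""
    _name, addr = parseaddr(from_header)
    dom = addr.rsplit("@", 1)[-1].lower()
    if dom in trusted:
        return "trusted"
    for t in trusted:
        one_char_off = edit_distance(dom, t) == 1          # e.g. .co for .com
        glyph_swap = normalize(dom) == normalize(t)        # e.g. 0 for o
        trusted_as_prefix = dom.startswith(t + ".")        # e.g. trustedvendor.com.example
        if one_char_off or glyph_swap or trusted_as_prefix:
            return f"lookalike:{t}"
    return "unknown"


if __name__ == "__main__":
    for hdr in ("Accounts Payable <ap@trustedvendor.com>", "Accounts Payable <ap@trustedvend0r.com>"):
        print(hdr, "->", check_sender(hdr))
```

A result of `lookalike:` is a cue to stop and apply the “DO call to confirm” step using a phone number from your own records, not one in the message.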
If you or your company fall victim to any of these scams, it’s important to act quickly. If you have any questions about your accounts or notice any inaccuracies, contact Client Services immediately.
Additionally, you can report these crimes to your local FBI field office, the FBI’s Internet Crime Complaint Center (IC3), the United States Postal Inspection Service, or your local police department as applicable.