Business Email Compromise (BEC) Scams with Steve Weisman
Have you ever been the victim of an email scam? Business Email Compromise is a type of scam where scammers focus on businesses that conduct wire transfers and work with suppliers abroad. There are many things businesses and consumers can be on the lookout for to avoid falling into these email traps. Learn how to protect your information and money from these cyber attacks with Steve’s practical advice.
Steve Weisman is a nationally recognized expert in scams, identity theft and cybersecurity as well as a lawyer, college professor and prolific author. In his informative speeches, articles, and books Steve makes difficult subjects such as cybersecurity, scams and identity theft not only understandable but enjoyable with the humor he brings to these complex issues.
Steve Weisman is a lawyer, admitted to practice before the United States Supreme Court. He is a college professor at Bentley University where he teaches “White Collar Crime.” He was awarded the Gregory H. Adamian Award, Bentley University’s highest award for teaching excellence.
He is the author of more than ten books including The Truth About Avoiding Scams, named by Smart Money Magazine as one of the ten best money books of the year. He has been awarded a Certificate of Merit for excellence in legal journalism by the American Bar Association. He has been a columnist for USA Today, Bankrate.com, the American Institute of Economic Research and the Saturday Evening Post. He has appeared throughout the media as an expert on scams, identity theft and cybersecurity, including appearances on ABC, NBC, CNN, CBS, CNBC, MSNBC, NECN, NewsMax and Fox. He also has been featured on the Dr. Phil Show. He has been quoted throughout the print media including the New York Times, the Washington Post, the Wall Street Journal, Barron's, Money Magazine and Forbes. He is a sought-after public speaker with numerous appearances throughout the country.
- [00:38] – March 3rd, the day of recording, is the 138th anniversary of the birth of Charles Ponzi, known for the Ponzi scheme.
- [03:28] – Ponzi schemes have been very effective over the years.
- [04:14] – Steve’s motto is “Trust me, you can’t trust anyone.”
- [05:23] – Scammers send an email that lures you to click on a link and download malware. They get into your computers and emails and they watch and learn about your business. They often wait until the CEO is out of the country and send an email requesting money.
- [06:42] – The solution for companies is to have some kind of dual-factor authentication on wire requests: more than one person must confirm any transfer, especially one going to a new or changed account.
- [06:54] – Alert your employees not to click on links or download attachments unless they are absolutely sure and have confirmed the sender.
- [08:39] – Be sure to check and confirm the sender's email address before clicking on any links. Double-check the spelling: scam email addresses often differ from the real one by a single added or changed letter.
- [10:38] – Many of these business email compromises come from other countries where English is not a primary language and you may notice grammatical errors.
- [11:09] – Scam artists are really good at knowing what to appeal to in us in order to get us to do what they want.
- [11:31] – Scam artists often use fear and greed, especially in investments.
- [13:10] – Pump and dump is when the victim is lured into buying the stock of a legitimate company that the scammers bought earlier. They lure so many people into buying it that the price goes up, and then they dump their own stock.
- [14:12] – We are not as careful as we should be when it comes to our investments.
- [14:35] – There are many tactics scam artists are using to make BEC scams look real.
- [15:28] – Companies can best protect themselves by having multiple eyes on this. There is never an emergency or urgency to wire money.
- [15:40] – Scammers always want you to act quickly, so there will be all kinds of reasons for doing so.
- [15:55] – Always be skeptical when the CEO or CFO who is requesting the transfer is doing so from outside the country. Always double-check and verify through another channel.
- [17:11] – Awareness, together with having good practices in place, is the most important way to avoid becoming a victim.
- [18:42] – On the phone, you never ever give a credit card or personal information to someone you haven’t called. If it sounds legit you call back to a number that you know is accurate.
- [20:04] – Two of the biggest phone scams are from the IRS and Social Security. The IRS does not call, text, or email you.
- [20:41] – The likelihood of getting your money back after a BEC scam is very low.
- [22:13] – Many companies have insurance to protect them against cyber threats, but a BEC loss often doesn't qualify because the victim sent the money voluntarily.
- [23:57] – The Federal Trade Commission has tried to get companies to be proactive about money transfers.
- [25:14] – The elderly and millennials are often targeted by scams involving money transfers.
- [26:03] – Scammers often keep the amounts within ranges that won't be totally alarming to the bank.
- [26:48] – We need to take care of our parents and grandparents and make sure they are not being taken advantage of.
- [27:51] – Check out the scam of the day on Steve's website.
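The checks in the show notes above (a sender address that is one letter off from a real one, a "changed bank account" request, and a second set of eyes on every wire) can be turned into a pre-payment screen. The following is an added example written for this page, not code from the podcast, from Steve Weisman or from scamicide.com; the trusted-domain list, the account-on-file table, the homoglyph table and the sample request are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed for this example: domains we legitimately exchange payment
# instructions with, and the bank account on file for each vendor.
TRUSTED_DOMAINS: Set[str] = {"example-corp.com", "acme-supplies.com"}
ACCOUNT_ON_FILE: Dict[str, str] = {"acme-supplies.com": "GB29NWBK60161331926819"}

# Character swaps that render almost identically in most mail clients
# (constructed, illustrative list; extend for your own alphabet/fonts).
HOMOGLYPHS: Dict[str, str] = {"0": "o", "1": "l", "rn": "m", "vv": "w", "ı": "i"}


def normalise(domain: str) -> str:
    """Lower-case a domain and collapse common look-alike characters."""
    d = domain.strip().lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one added, dropped or swapped letter is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender: str) -> Optional[str]:
    """Return the trusted domain this sender imitates, or None.

    An exact match also returns None: a genuine mailbox may still be a
    compromised one, which is why the payment checks below exist.
    """
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(norm, normalise(trusted)) <= 1:
            return trusted
    return None


@dataclass
class PaymentRequest:
    sender: str                 # address the instruction arrived from
    vendor_domain: str          # vendor the money is said to be for
    beneficiary_account: str    # account the email asks us to pay
    approvers: Tuple[str, ...]  # people who signed off on the wire


def screen(req: PaymentRequest) -> List[str]:
    """Red flags that should hold a wire until it is verified out of band."""
    flags: List[str] = []
    imitated = lookalike_of(req.sender)
    if imitated:
        flags.append(f"sender domain imitates {imitated}")
    on_file = ACCOUNT_ON_FILE.get(req.vendor_domain)
    if on_file is None:
        flags.append("no account on file for this vendor")
    elif req.beneficiary_account != on_file:
        flags.append("beneficiary account differs from the account on file")
    # Dual control: two distinct approvers, neither of them the requester.
    others = {a.lower() for a in req.approvers} - {req.sender.lower()}
    if len(others) < 2:
        flags.append("fewer than two approvers other than the requester")
    return flags


if __name__ == "__main__":
    # Constructed sample: a "we changed our bank" request from a look-alike domain.
    req = PaymentRequest(
        sender="ceo@examp1e-corp.com",
        vendor_domain="acme-supplies.com",
        beneficiary_account="DE89370400440532013000",
        approvers=("controller@example-corp.com",),
    )
    for flag in screen(req):
        print("HOLD:", flag)
```

The look-alike check only catches the counterfeit-address variant (the Corcoran case discussed in the episode). When the attacker has actually taken over the executive's mailbox, the sender domain is the real one and passes, so the account-on-file comparison and the two-approver rule are what stop the wire; a callback to the vendor or executive on a number already on file, not one taken from the email, is still required before any flagged request is released.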
On this episode of the Easy Prey podcast, I talk with Steve Weisman about BEC scams. In addition to being a lawyer, Steve teaches about white-collar crime at Bentley University and is one of the country's leading experts in scams and identity theft. Steve is also the man behind scamicide.com, where he tells you things aren't as bad as you think, they're far worse. I'm your host Chris Parker and this is the Easy Prey Podcast.
Thank you for joining us, Steve. I'm really excited to have you on the podcast as we get to talk about BEC scams and more. But first and foremost, today is March 3rd while we're recording this, and that is the 138th anniversary of Charles Ponzi's birth; he is known for the Ponzi scheme. You have a story you want to tell us about that.
What’s interesting is, Ponzi, the name has just become so identified with the scam that he gave his name to. The essence of it still works today. Bernie Madoff has used it, many others have used it. The thing is, it’s marvelous in its simplicity because it starts out with early investors getting paid and they get paid really, really well. Ponzi was paying his victims 50% profits in a month.
It worked. What happened is he was leveraging the differences in money values, money fluctuations between the United States and Britain, having to do with a certain type of stamp that was used in international business transactions. It's enough that it sounds legit, but no one really knows what's going on. It works by paying off the early investors with money from the later investors; eventually, it collapses. In Ponzi's case, what brought him down was a newspaper investigation in which they calculated it out: they had an idea of how many customers he had, and in order to have that many customers, he had to have more stamps than existed in the world.
It's always the same thing. I always marvel at what I hear. Ponzi was arrested, the wonderful arrogance of the 70s criminals: "I am innocent and I can't wait for my day in court." It didn't work out so well. But Ponzi, of course, didn't originate this scheme. The scheme actually goes back to about 1870. Again, Ponzi was out of Boston, and also out of Boston was a woman.
Women don’t get credit for what they do, in this case, a woman named Sarah Howe. Sarah Howe formed the Women’s Only Bank. It was very interesting and a good example of not just what should have been called a Howe Fraud, but affinity fraud. Women trusted her because she was a woman, “She would not take advantage of us.” That’s what she said. “Men will take advantage of you, men will not do right by you. I will. You give your money to me, you put it in my bank, you get a tremendous return and I’ll help manage it for you.” She’d even limit what they could take out.
It was, of course, a total Ponzi scheme, there was no bank, she was just taking the money and paying off early investors with the money from later investors. She got caught, she went to prison, came out, did the same thing again, went back to prison. This kind of scam definitely has proven to be effective over the years.
Here again, with Bernie Madoff, he also coupled it to a great extent with affinity fraud. Madoff is Jewish; he preyed upon a lot of Jewish charities and Jewish individuals. You can find it in any religious group, and there are Ponzi schemes with Marines, military.
I knew a Ponzi scammer in Boston, a guy named Brad Blythe. He was amazing. He represented a lot of Mason chapters. Talking with some of his victims, the biggest thing was, “How could a fellow mason do that to me?” It comes down to my motto. My motto is, “Trust me. You can’t trust anyone.”
That’s a really good motto to have. Thank you for sharing that story. Also, in the news recently is Barbara Corcoran from Shark Tank, fell victim or her organization fell victim to what is referred to as a BEC scam. Lost approximately $400,000. Can you talk to us a little bit about what a BEC scam is?
Yeah. Fascinating one. This is something that the FBI and law enforcement have really been putting an emphasis on. Probably companies worldwide have lost multi, multi-billion dollars to this scam in just the last year and it keeps going. The loss has gone up by about $500 million last year. It starts like many scams: with the business email being compromised. Someone hacks into a particular company.
Generally, every scam starts with a phishing or, more specifically, a tailored spear-phishing email. It's an email that lures you to click on a link and download malware. No matter how good your security software is, it's never going to be as good as the latest of what we call zero-day vulnerabilities, defects for which there aren't any known defenses.
They get into your company, they get into your computers, and they watch; they see who the people are, how they write, what their addresses are, who your customers are. Then, what they will generally do with this is they will wait, often until the CEO or someone in charge is out of the country, and an email will come from them: "I need you to wire," it's always wiring money, "wire money to this company with which we do business," or "this company just changed their bank account." The money is generally wired, the money is generally lost.
A new variation of this, this was really incredible, a German company lost money with a phone scam. This was one where the CEO supposedly called and instructed the money to be sent, but using all kinds of cloning software, it sounded like the voice of the CEO. You can do that these days.
The solution for companies is you've got to have some kind of dual-factor authentication. Certainly, you want to protect; again, alert your employees not to click on links or download attachments unless they're absolutely sure and confirmed. But when you get any kind of wiring, you've got to have more than one person on there to confirm. Particularly if it is going to a new and a different address. It's falling through the cracks. One of the things Barbara Corcoran was saying was, "This was not something unusual in the type of company that it was supposedly being sent to. It seems like one of the companies we would work with." You've got to be skeptical.
In her case, there wasn’t actually a compromise of their email platform, though, was there?
No. That was kind of interesting. They are all sophisticated at that level, but this one was just a tad less. It's one that got by because the email that came in looked like the email address of one of her employees, but it had a letter off. Sometimes we'll get these spear-phishing emails and they look really good. Maybe it appears to come from a company with which we do business, maybe it's Netflix, maybe it's a bank, and it's really, really easy to counterfeit those.
I teach at Bentley University. I teach White-collar Crime. Before I taught at Bentley, I taught in the State Prison System in Massachusetts. Some of the older, older conmen used to decry the fact that back when they were counterfeiting, it took skill. Now a 14-year-old kid can do anything on his computer.
They'd send you an email and they convince you to do whatever. But if you look at the address from which it's sent, many times it's an address that has absolutely nothing to do with a particular company. Sometimes it's because the bad guys are routing these scam emails through what they call botnets, a network of zombie computers that have been hacked into. But other times, they will pony up an address that will look legitimate. It may look like netflix.com, but it may have an extra l in there. If you're looking quickly at it, you're not really going to notice. That is what had happened with Barbara Corcoran.
There's a situation that I am personally aware of where the accountant got an email that looked like it came from the CEO of the company. It was his name, it had his regular internal signature line on it, with the name, address, phone number, all the nice font styling and all of that stuff, and it was the whole very similar story: "Hey, I'm on the phone with a new vendor. I'm going to be stuck on this conference call for a couple of hours, but I need you to wire money to them right now." They put in that urgency, they put in the emotion, they quell some of the normal fears. The accountant started to process it, and the thing that saved them is that he actually came out of his office, was going to the bathroom or something like that, and she said, "Oh hey, do you want to send it from this account or that account? You didn't tell me which account you wanted me to send the money from." He's like, "I didn't tell you to send any money."
So, he rushed into her office and looked at it. She was in the accounting software on the bank's website and the gist was like, "Oh, actually, I don't know which account to send it from." That was what saved them. It wasn't a best practice, it wasn't a second-factor authentication, it was just happenstance that she saw him out of the corner of her eye, and they were very, very lucky to not have that happen.
It’s a huge problem. Sometimes with many of these kinds of business email compromises, you’ll find them coming from other countries where (perhaps) English is not a primary language. Occasionally, you’ll see the less sophisticated criminal and there’ll be grammatical errors. But the ones that I’ve seen like you just described […].
Scam artists are the only criminals we call artists. They really are artists and they have a knowledge of psychology that Freud would have envied. They're really good at knowing what to appeal to in us, to get us to do what they want.
What are some of the things that they appeal to, to get what they want from us?
In terms of the business email compromise or in scams in general?
Let's just talk about scams in general and then we can drill down to business email compromises.
It's interesting because they say the same things that move the market: fear and greed. Very often it is a matter of greed and investment. No one should ever invest in anything that they don't truly understand. It took a bit of chutzpah, but Bernie Madoff in an interview actually blamed his victims at one point. He said, "They should have known better. Any intelligent person who looked into what I said I did and how I said I did it would know that it didn't work and it was impossible." That's the thing, we get lazy, and we want this quick, easy investment. Right now there are a lot of Bitcoin and cryptocurrency scams where people invest because they think it is the hot thing.
Talking about how greed comes in, one of the most wonderfully sophisticated scams and who said the East and West can’t work together. This was Ukrainian hackers working with American stock brokers. What happened was, Ukrainian hackers hacked into JP Morgan. I remember when this happened, I was being interviewed and I really didn’t know what was going on. They got millions of email addresses and names of really well-heeled customers. But that was it, no other personal information. I’m thinking, what do they want with that? What they wanted was people that probably would be prey to investments. What they did was, it was a new version of what’s called pump and dump.
Pump and dump is when the victim is lured into buying the stock of a legitimate company, a penny stock, a low-cap stock. The bad guys have bought it early, but they lure so many people into buying it that the price goes up, and the bad guys sell out, they dump their stock. Meanwhile, when the truth comes out, the stock price drops down and the investors lose.
In this case, the names of all of those investors were given to the stockbrokers who sent out the pump letter to various people. They fell for it. They were victimized, they were caught. During the trial in Manhattan, there was some evidence that was fascinating with one of the Ukrainian hackers asking another, “Why would an American buy a stock merely because of an email from a stranger?” which was a great question. The other hacker said, “Americans buy stock like we drink vodka.” Apparently, we’re not as careful as we should be when it comes to our investments. But we also scare people. It’s a matter of you have to act at this point or there’s been a problem with your account, we need to provide information. They’ll appeal to whatever works.
When it comes to BEC scams and those trying to get people to wire money, what are some of the tactics that they're using to make it look really legitimate, aside from a good email address?
First of all, they do their research. I got to have a begrudging admiration of these people. They will see what companies the company that they are attacking does business with. They’ll send a letter, an email that says, “We are changing their invoice.” They are changing the bank to which they want things deposited. Or they will find other kinds of connections and things that are totally within the mode of business and business plan of the particular company so there’s no reason for them to be suspicious.
As far as things that companies could do to prevent these scams from being effective, what could companies do?
The biggest thing is to have multiple eyes on there. First of all, you don't jump. There's no emergency to wire money. That's another thing, scammers always want you to act quickly. There'll be all kinds of reasons for doing so; there really aren't those kinds of reasons necessarily in the real world. You always have to be particularly skeptical, because this is done a lot, when the CEO or the CFO who is requesting this is doing it from outside the country, or is not there where you can check back with them.
If a company finds the order is coming from someone who is outside of the country, you're always wary. You also want to check back; there should be some form of confirmation to make sure it is the correct person that is making the order and where they're sending it. You double-check everything if it isn't exactly the same as what you've always done.
Got you. Do you also recommend the frontline staff, the operators, not disclosing information about, "Oh, who's the head accountant? I need to get a hold of them." Or is it not even worth trying to do?
No, I think it really is. What some scammers will do is they go on LinkedIn; they'll be looking for people who may be working at targeted companies. For that reason, some companies, even paranoids have enemies, will limit social media exposure and the information that their employees can give out. They don't want to make things easier for the scammers, but you're right on that.
It’s really a lot about just awareness and having some good practices being in place and if something sounds urgent, take a breath. The more urgency there is, the more effort there needs to be in thinking. Not, “Is this really urgent?” but, “Are they trying to overwhelm my sense of practice with the urgency?”
Yeah. Urgency is always the thing. The phone is another place where a lot of scams come from. I knew someone who worked in computer security who got a call about a problem with his credit card. You can get a call and the scammers can spoof your caller ID. It makes it look like it may be coming from Citibank. They said there's a problem; they did ask for the debit card number. If it's your bank, they have your debit card number, but then what they said to the security guy is, "We need to act immediately, we need to confirm your number. Here are the last four digits of your Social Security number so you know we are legit," and this person fell for it.
Particularly with the urgency, and then he realized a lot of places out there, particularly because of data breaches, have the last four digits. They have your full Social Security number. He immediately called his bank afterward. By that time his bank account had already been emptied. The lesson here is, on the phone, you never ever know when you get a phone call, regardless of what it says on there, who is actually calling you. You never give a credit card, you never give personal information, anything over the phone to someone you haven't called.
If it sounds legit, you call back at a number that you know is accurate. If it's your credit card, flip your credit card over, get the 800 number, call that. But make sure you call it correctly, because the bad guys are sometimes so good, they will buy the number that may be a digit off and you may end up calling the bad guys thinking you're being really good.
I’ve had that happen to me as well. Not being scammed, but I’ve got a call saying, “Hey, we’re calling from your bank about a fraudulent transaction.” And my response was, “That’s great. I’m going to hang up and call you back.” “Oh no, no. You don’t need to do that.” “The fact that you’re arguing with me that I don’t need to do that proves that you’re a scammer.” I still called the bank and said, “Hey, I just got a phone call, claiming to be from you guys with a fraudulent transaction. Was there a fraudulent transaction?” “Nope.” “Okay, thank you! Have a nice day!” Try not to do that. I’ve gotten fake phone calls from my electric company as well.
Sure, those are huge, but the biggest ones are from the IRS and Social Security. The thing is, how do I know it's the IRS? It's really easy.
They don’t call.
They don’t call you, they don’t email you, they don’t text you. If it’s any of those communications from the IRS or social security, you know it’s a scam.
That’s really, really good. It’s just always assumed that something’s a scam. Coming back to the BEC scams, what’s the likelihood of actually getting your money back if you wired it offshore?
Pretty damn low. Because that’s the thing with wiring. Another thing with so many scams, “We’re from the IRS. You’ve got to pay us this money right away. Go out and get an iTunes gift card.” The fact that the IRS has to actually say on its website, we don’t take gift cards for payments. The big thing is, wiring money, once it’s wired, it’s gone. The only chance you have is that sophisticated criminals for money laundering purposes will bounce money from account to account to account. If somehow, acting immediately, you’re able to intercept before this goes through to another account, you’ve got a shot. I got to say, I’m really not aware of many (if any) that have been able to get that money back.
The great example was Barbara Corcoran. Either she or someone on her team or her bank acted quickly enough that they were actually able to get the funds frozen temporarily or at least long enough for them to be able to prove to the bank that there was actually fraud involved.
Another interesting aspect that doesn’t get talked about very much at all when we’re talking about business email compromise (which is like I said, a multibillion-dollar scam), many companies will have insurance to protect them from cyber threats. This would not qualify because in many instances, “They stole the money from you?” “No. Actually I was tricked and I sent that.” “That doesn’t apply to your insurance.”
There are actually a number of cases going on now in the courts where people have challenged the fact that insurance companies have not covered these. But the bottom line is, you very well may be totally out. The place to find that helping hand is at the end of your own arms, and be very, very careful.
Yeah. A while back I was sending money to a relative overseas. The bank that I normally do business with, I won't disclose who I normally do business with, doesn't do the type of transfer that I was trying to do, I'll leave it at that. I had to open up an account at another bank and move some money in there, and very quickly went online to wire the money to a relative overseas.
I don’t know if it was either that day or the following morning, I got a call from the bank saying, “Hey, we noticed that you just opened an account and you’re doing a wire transfer. Who are you sending the money to? How do you know this person? Are you sure it’s really this person? How long have you known them? Are you really, really sure that you’re wanting to do this because once you send out the money, once it turns out to be fraud, you’re not going to get it back.” I was really impressed with the bank and the woman, she asked great questions. I’m like, “This is a bank really being proactive about fund transfers.”
I want to know who that bank is, because that is absolutely terrific and what should be done. It brings out a couple of things. The Federal Trade Commission has tried to get companies to do that. You'll notice, if you go to Walmart, they may have a sign on the wall that says it, but the employees don't really ask about it. Western Union, obviously you're sending money […] the biggest.
Western Union actually was punished and found responsible because they were a willing participant in some of these scams. It wasn't that they were getting any kind of kickbacks; they were getting their fees, and they weren't asking when they should have been asking. They have changed as a result of the ugly Federal Trade Commission lawsuit and a substantial fine.
Once again, it’s wonderful when the FTC settles simply, and I explain this to my students. There’s no admission of liability. We didn’t do anything wrong and we promise never to do it again and here’s the money because we didn’t do anything wrong. Wiring money, banks should be better with this.
This is something we often see with the elderly, who are targeted by scams far more than any other group, although millennials are right up there, which is interesting. But at their banks, not enough banks have been taking the steps, though there are now relatively new laws requiring them to inquire; they should be questioning this. It should be that second set of eyes on every transaction.
And I suppose with banks and […] corporate, if you're a multimillion-dollar business and you do a $10,000 wire transfer to someone you haven't done business with before, your bank is not even going to flinch at that if that's within your normal pattern. It's once you start getting out of your normal pattern that they might do something.
That's it. Some of the scammers know to keep the money down. They can make a lot of money and keep it within amounts that aren't going to be so totally alarming. The interesting thing, though, is where you mentioned seniors and scams. A lot of scams work on seniors, and they are targeted with particular scams like the Jamaican lottery scam, primarily aimed at seniors.
But seniors actually have a physiological excuse. There were some studies done at the University of Iowa and Cornell that talk about a part of our brain that I can’t pronounce that deals with skepticism and it becomes less viable as we age. There actually is a physiological basis for that senior being more likely to be a victim which is also one reason why we need to take care of our parents and grandparents and to make sure that they’re not being taken advantage of. That is the reason.
Millennials are too used to everything being computerized and digitized and they’re too trusting, they do everything without taking quite enough precautions. They think they’re bombproof and it comes to bite them a lot of the time.
That’s all really good advice. Take care of the young ones, take care of the older ones. We have the responsibility to take care of those around us.
We’re all in it together.
Steve, I really appreciate you coming on today and talking about BEC scams and so many other things, the anniversary of Charles Ponzi. If people want to learn more about you and what you do, how can they get a hold of you?
The best place is to go to scamicide.com. Every day, there is a unique scam of the day. We're always alerting people to what is the latest thing to watch out for. When I started this about 10 years ago, I wondered if I was going to have a scam of the day for every day. So far, we've done more than 6000 and we haven't had to repeat anything yet. You can find information about different scams, you can find out if you've been a victim what you can do, and we also have links to the Federal Trade Commission when there are refunds and various programs. It's a good place to check out every day.
Great! That sounds like an awesome resource. Thank you so much for coming on today. I super appreciate your time.
Oh, it’s my pleasure.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.