The COVID-19 pandemic is causing disruptions all around, and payments are not left unaffected. Since banks are operating in a heavily degraded mode, many are looking to get their payments through electronic payment solutions or alternative bank accounts. This has created the ideal opportunity for scammers who are sending emails to potential victims. In the email, they ask for the change of account number and for the payments to be made to the new one, belonging to the scammer. Of course, we have seen this happening many times before, but BEC (Business Email Compromise) crooks are going rampant right now.
FBI presents two recent cases that serve as examples of how BEC scammers operate amid the pandemic. In the first case, a scammer created an email address that was very similar to the actual one of the CEO of a company. It was then used to ask a financial institution to send the (already scheduled) payment of $1 million sooner than planned, and to a different account, allegedly due to the urgency caused by the Coronavirus quarantines. In the second example, a company was emailed by someone claiming to be their client, requesting all payments to be sent to a different bank account, due to Coronavirus-induced audits in the one that was used previously.
As the FBI mentions, any message that asks for changes in payments, and/or is engulfed in urgency, and/or requests advanced payments for services should be treated as a scamming attempt. Remember, asking for these neuralgic changes in payment procedures would be something to arrange over a phone call or a teleconference session, and not via email. That said, if you do receive an email that makes weird claims and unusual requests, try to verify them by calling the sender. Also, check the sender's email address and compare it character by character with the one that was previously used.
Chris Hazelton, Director of Security Solutions at Lookout, has provided us with the following comment on the current risk of BEC scams, focusing on the dangers that arise from the use of smartphones:
"While many organizations have implemented cybersecurity training with an emphasis on email, most efforts focus on desktop email clients where users can easily check for phishing indicators. Mobile email is where training falls short. Most of the indicators of phishing this training focuses on are obscured in mobile email apps - not displaying the sender's email address and limited ability to preview hyperlinks in an email. This is compounded by heavy reliance on mobile email by organizational leaders operating all hours of the day. These leaders are directing company efforts via mobile email or mobile messaging apps - and are often expecting immediate attention."