BEC Scams Reported Number One Scam in Arizona: Breaking Down the IC3 Annual Report
ARIZONA—CyberOps Phoenix is warning the public about an increase in business email compromise (BEC) – also known as email account compromise (EAC) fraud. According to the CyberOps’ Internet Crime Complaint Center (IC3), this scam has been the number one reported scam in Arizona for money lost over the last five years.
This was also the number one reported scam in money loss nationally. In 2021, the IC3 received 19,954 BEC/EAC complaints with adjusted losses at nearly $2.4 billion nationally. Arizona accounted for more than $22 million in losses with only 388 victims.
The second highest reported scam both nationally and in Arizona was investment fraud. In 2021, IC3 received 20,561 investment complaints with adjusted losses at nearly $1.5 billion. Arizona reported 349 victims with losses of more than $20 million.
BEC is a scam targeting businesses (not individuals) working with foreign suppliers and/or businesses regularly performing wire transfer payments. Email account compromise (EAC) is a similar scam that targets individuals. These sophisticated scams are carried out by fraudsters who compromise email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
The scheme has evolved from simple hacking or spoofing of business and personal email accounts and a request to send wire payments to fraudulent bank accounts. Historically, this scam involved compromised vendor emails, requests for W-2 information, targeting of the real estate sector, and fraudulent requests for large amounts of gift cards.
Now, fraudsters are using virtual meeting platforms to hack emails and spoof business leaders’ credentials to initiate the fraudulent wire transfers. These fraudulent wire transfers are often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult.
The following tips may help protect you and/or your company from BEC scams:
Look at the email header of the sender. Keep an eye out for email addresses that look similar to, but not the same as the ones used by your work supervisors or peers (example_company.com vs. example-company.com).
Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
Be wary of requests to buy multiple gift cards, even if the request seems ordinary.
Be especially wary if the requestor is pressuring you to act quickly.
Watch out for grammatical errors or odd phrasing.
Be wary if the sender asks you to send the gift card number and PIN back to him.
Don’t rely on email alone. Contact the person or the company directly to verify any payment changes.
Be cognizant of what you are posting on social media. Attackers will look for things on social media to lend credibility to what they are saying and the person they are pretending to be.
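The header check in the first tip can be automated at a mail gateway or in a triage script. The following is an added example, not part of the original release: it assumes example-company.com is the organization's real domain, and the sample message, the allow-list and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: hypothetical allow-list of the organization's real sending domains.
TRUSTED_DOMAINS = {"example-company.com"}
# Constructed sample message (not real traffic).
SAMPLE = (
    'From: "Pat Lee" <pat.lee@example_company.com>\n'
    "Reply-To: billing@examp1e-company.com\n"
    "To: ap@example-company.com\n"
    "Subject: Updated payment details\n"
    "\n"
    "Please use the new account for this invoice.\n"
)

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(domain):
    """Fold characters that are commonly swapped to imitate a domain."""
    return domain.lower().translate(str.maketrans({"0": "o", "1": "l", "_": "-"}))

def classify_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike' (near miss of a trusted domain) or 'external'."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= max_distance:
            return "lookalike"
    return "external"

def check_message(raw):
    """Map each sender header present (From, Reply-To) to (domain, verdict)."""
    msg = message_from_string(raw)
    results = {}
    for header in ("From", "Reply-To"):
        value = msg.get(header)
        if value:
            domain = parseaddr(value)[1].rpartition("@")[2]
            results[header] = (domain, classify_domain(domain))
    return results
```

A "lookalike" verdict is a reason to verify the request through another channel, as the tips advise; the distance threshold of 2 is an assumption and may need tuning for short domain names.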