RICHMOND, Va. (WWBT) – Cybercriminals are getting so crafty that even large universities like Virginia Commonwealth University can get tricked into giving up thousands of dollars in a wire fraud scheme.
Nigerian cyber criminals pulled off a Business Email Compromise (BEC) by finding a vendor with which a business or company regularly deals. In the case of VCU, it was a construction company that the university had an ongoing contract with.
In this type of wire fraud, scammers must create an email address that looks convincing enough to be the company they are posing to leverage existing email chains to give an extra level of trust. From there, they just have to play the long game. The Nigerians in this particular scam used this method to bleed multiple institutions out of millions.
VCU lost nearly $500,000, but it fared much better than the other victims in this case. According to the FBI, a North Carolina university wired almost $2 million to scammers in the same scheme. In Texas, a Houston-based college, a construction company and government entities lost a combined total of over $3 million.
Although it may seem unlikely that a university can fall victim to BECs, cyber expert Alex Nette says there is so much cash flowing out of there that some accountants may not think twice about wiring the money. Scammers know this, and that’s why they take advantage of it.
“As long as you’re using the internet, you’re at risk. Whether a company, a university or just your family at home,” said Nette. “What we focus on as a company is how to keep your information safe online for both businesses and consumers alike.”
Nette, CEO of digital security company Hive Systems in Richmond, says no one person or company is too big or too small to fall for these schemes as long as there are vulnerabilities to your information.
“The greatest thing about the internet is that it connects all of us, but the worst thing about the internet is that it connects all of us,” Nette said. “The biggest thing that works against us right now is the speed at which we do business.”
Nette says scammers are lurking behind a screen here or elsewhere, just waiting for you to let your guard down. But he says we can slow these criminals down simply by picking up the phone to verify you’re dealing with a real company.
“Call that company. Say, ‘I just got an email from you guys, and I would like to confirm that there’s a new place I should wire money…,” Nette said. “Taking all of that information and stopping that cycle of abuse by just picking up the phone can only make this become less of a problem for all of us.”
In VCU’s case, a spokesperson with the university said through insurance, the university was able to recover a significant amount of the money and that additional safeguards were put in place to protect against this type of fraud. But Nette says a simple phone call could have made the difference in ensuring the university lost nothing.
BEC scammers can also try to impersonate an individual by hacking into their information and spoofing the victim to their contacts, leveraging the trust in the victim’s email to trick loved ones or coworkers.
Nette says you should also protect yourself from this method by ensuring not to use the same password for several accounts and setting up a two-step authentication to access your accounts.
“No one is safe, and that’s the biggest idea behind cyber security,” Nette said.
While the money lost to VCU and the other victims of the $5 million wire fraud scheme may be a drop in the bucket, the consequences of falling victim to this type of crime can be devastating for individuals and small businesses. In most cases, because large sums of money are transferred frequently to multiple accounts nationally and overseas, there is a minimal chance a victim will see any trace of that money again.
The advent of cryptocurrency made stolen funds even less likely to be tracked down and recovered unless the money is insured.
Nette says six out of every 10 small businesses that suffer BECs go out of business because they don’t have the insurance policies or cash flows to handle the financial loss.
“While there are all kinds of companies with tools and ticks to reduce that risk, that risk is still present,” Nette said. “This means we all need to take steps to protect ourselves.”
How to Protect Yourself:
- Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
- Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
- Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
- Be careful what you download. Never open an email attachment from someone you don’t know, and be wary of email attachments forwarded to you.
- Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
- Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in an account number or payment procedures with the person making the request.
- Be especially wary if the requestor is pressuring you to act quickly.
For more resources on how to keep yourself or your businesses click HERE.
Copyright 2022 WWBT. All rights reserved.
Send it to 12 here.
Want NBC12’s top stories in your inbox each morning? Subscribe here.