Email scammers target businesses for paychecks
They try to get people to deposit funds from paychecks, accounts.
Danielle Deramo’s small business could have been wiped clean in a growing email scam that costs businesses an average of $301 million each month.
Deramo’s partner Stephanie Falzerno opened an email asking her to pay an invoice for the Xenia business.
The email appeared to come from Deramo.
Instead, it was a scammer who had both of their names, Stephanie’s email address and a fraudulent request that if followed could have resulted in their marketing firm, Just Say It, depositing money directly to a fraudster.
Instead of replying to the email, Falzerno recognized it was sent from an iPad, which Deramo didn’t use, and reported the scam that has targeted the local small business several more times.
“That would have been devastating for our company because we’re a small company,” Deramo said. “We carry a small balance in our checking account, so if it would have gone through, it could have wiped us out.”
The number of scams against U.S. companies has doubled in the past three years. In 2016, the U.S. Treasury received about 500 reports per month and businesses lost about $110 million each month to the growing business email compromise scams.
By 2018, the Financial Crimes Enforcement Network was receiving 1,100 reports a month and businesses lost an average $301 million each month, according to a July report.
Miamisburg-based Secure Cyber Defense has seen increased activity in business email compromise scams in recent months, including some that aim to steal employees’ paychecks.
The scammers have tried to steal the paychecks of some Ohio employees by sending emails that appear to be from company leadership and employees to change the direct deposit account, said Shawn Waldman, CEO and founder of Miamisburg-based Secure Cyber Defense.
On Sept. 23, a Columbus-area employee reported to the BBB scam tracker that $2,100 was lost when a scammer requested to change the direct deposit account number. A similar scam happened at a Dayton business early last month, but the company didn’t follow through with the payment, according to the tracker.
“Unfortunately, you’re not going to know until your paycheck doesn’t show up that day,” Waldman said. “Most of this is just being vigilant with email and listening to your gut and not clicking on things that don’t feel right.”
Scammers are also becoming more sophisticated, not only sending emails that appear to be from a boss, but actually hacking into accounts of high-level executives through phishing scams.
“With the birth or the continued success mainly of things like Office 365, we’ve seen a huge increase in email compromise, specifically the business email compromise,” Waldman said. “Companies are moving to that platform and they’re not securing it properly.”
Once an email is compromised, scammers can monitor all the emails for sometimes months, evaluating communication, lingo and often bank account information. Sometimes the hackers can get into an entire network of employee emails.
Once the perfect scam opportunity pops up, the fraudster cuts off the actual email owner, redirects all the mail to a personal account and starts using the email to scam employees, customers and other executives.
“(The emails) come supposedly from your CEO, from your vendors and suppliers; they come from your company’s executive or Realtors, title companies or lawyers, or maybe it’s a senior employee. So it’s people in authority so to speak,” said Sheri Sword, spokeswoman for the Miami Valley Better Business Bureau. “So sometimes when you get that request you don’t question it. You go ahead and do what you’re being asked to do.”
Some of the biggest scams are through real estate transactions, where hackers will learn the name of a buyer, the closing cost of a property and the Realtor. Once scammers get all the information they need, they use emails identical to company branding to convince a home buyer to wire the often hundreds of thousands of dollars to a fraudulent bank account.
“It’s a great impact on our economy because that’s money lining scammers’ pockets instead of the businesses pockets,” Sword said. Many of the scammers come from Iran, Nigeria and other countries, Sword and Waldman both said.
Wire transfer scam results in an average $35,000 lost. Sometimes scammers will ask for gift cards instead, which average losses between $1,000 and $2,000, Sword said.
Waldman’s company has seen businesses lose millions of dollars, he said. Secure Cyber Defense helped a Cincinnati company recover $900,000 of $1.3 million that had been wired to a scammer’s offshore bank account after an email compromise scam, Waldman said.
“If they don’t call federal law enforcement within 72 hours, they probably won’t get their money back,” Waldman said. “There’s a time clock that starts on off-shore wire transfers. If you can get a hold of the Secret Service within 72 hours, there’s a high probability that they can call that money back.”