Before the crack of dawn, Rhonda Nole, owner of the Dryer Vent Wizard/Greater North Bay franchise, has a habit of checking her business bank account before undertaking the day’s activities. One Wednesday morning earlier this year, Nole logged in to online banking only to discover a pending payroll transaction for $25,000.
“Wednesday is not a payroll day,” she explains, “so I immediately sent a message to my bookkeepers, because they would have set this up. I said ‘Houston, we have a problem.’ I asked them why they did this. They said I told them to. I said, ‘No, I did not.’”
Nole was the victim of a hacked email account, initiated (she believes) when she clicked on an email she received a day or two before the incident. She’s also part of an ever-increasing trend that traps even the best and brightest—Nole happens to also be a computer expert and a savvy end user—and sucks them into the rising tide of internet fraud, which, according to the Federal Bureau of Investigation (FBI) is growing exponentially. The latest FBI report from its Internet Crime Compliance Center (IC3) shows Internet fraud was up 7% in 2021 over 2020, with potential losses exceeding $6.9 billion. And things are only looking worse for 2022.
“We’re seeing even more fraud this year,” says Special Agent Enrique Alvarez, who is part of the cybercrime branch in the FBI’s San Francisco field offices. “Anywhere you have an intersection of people, computers and money, there’s fraud.”
Over the past several years, Alvarez notes that ransomware has become a “spectacularly successful way to get people’s money” because it holds victims’ data hostage until a ransom is paid to reverse the damage. While ransomware still leads the pack in cyber fraud as far as financial return for the criminal, there are other areas where increased fraudulent activity is rampant. And a lot of it is just a click away.
Email fraud
The IC3 report lists Business Email Compromise (BEC) as an ever-growing area of concern, along with Email Account Compromise (EAC) which targets individuals rather than businesses. The scams are carried out when a legitimate business email account is compromised through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
Unfortunately, it was then game on.
Once the hacker got a response, they bought a domain name “dryerventswizard.com” by adding an “s” to Nole’s legitimate domain. Then, the hacker mimicked her email, except for the jpgs she normally includes (Better Business Bureau logo, etc.), created a fictitious account and started sending emails to Nole’s bookkeeper, instructing her to cut two checks – one for $13,000 and one for $12,000. They provided two names to cut the checks to and provided W-9 forms. They also sent copies of voided checks to provide routing numbers and account numbers for direct deposit.
Nole’s bookkeeper set the funds to be wired from QuickBooks. Before they could stop them, one had already been released. The other one went out, too. “But luckily it bounced back because the account they were trying to send it to had been hacked and closed,” says Nole. The funds were returned for the second check, but she was still out $13,000. Both checks were paid through a QuickBooks trust account, and although one did not go through, QuickBooks wanted repayment for the other that did.
In the end, Nole’s bookkeeper filed an errors and omissions claim with her insurance company based on the fact that she didn’t catch it since it wasn’t “the norm” for her business-wise. “I don’t ever pay independent contractors, especially not that much,” she says.
Nole had another close call in June, this time through a DocuSign scam. She received an email from one of her customers, saying there was a contract for her and to sign it with DocuSign.
“I clicked on the contract to look at it and sign it. I couldn’t log in, even though I had put my information in anyway,” she explains. A few days later, she wasn’t receiving any emails. Hackers had accessed her email because of the link from her customer and rerouted her incoming email to her junk mail. Then they started sending emails to her contacts.
“You have got to watch your emails and what you’re getting,” Nole advises. “Now I’m afraid to open anything, quite honestly.”
Virtual meeting fraud
The FBI report also outlines a variant of the BEC fraud schemes that involves using fake virtual meetings to instruct victims to send wire transfers. This usually involves compromising a top company executive’s email account, which is then used to request employees to participate in a virtual meeting. The fraudster inserts a still picture of the executive with no audio or with “deep fake” audio through which fraudsters, acting as business executives, would then claim their audio/video was not working properly. Then, the fake meeting is a used as a ploy to directly instruct employees to initiate wire transfers. Or, they use the executive’s compromised email to provide wiring instructions.
Zoom is the virtual meeting platform many businesses have relied on since the pandemic. For safety, the company advises secure network connections and a vitual private network (VPN) that bolsters Wi-Fi security by hiding IP addresses. An employee who has been invited to a Zoom meeting shouldn’t have to log in to join the meeting. All one needs to do is visit the site or open the desktop app, input the Meeting ID the host sent in advance, add your name and click join. If presented with a login screen, be highly suspicious.
Confidence fraud
Another growing area of internet fraud is categorized as “confidence fraud.” These are also called “romance scams” in some cases. Watch out, they are after more than one’s heart.
In February, right before Valentine’s Day, the San Francisco FBI office issued a press release warning of a rise in such schemes, particularly in the Bay Area. In 2021, victims in the SFFBI’s area lost more than $64 million to romance scams, compared with just over $35 million the year prior. Last year, the FBI investigated 37 cases in Sonoma County, 31 in Marin and seven in Napa County.
Confidence fraud and romance scams “have been around for ages,” according to Alvarez. “Most of the fraudsters typically operate out of Eastern Asia. They look at social media—Facebook, Instagram and more interestingly, LinkedIn. They look for potential victims that might have high net worth and reach out to them. Their own profiles are fake.”
Fraudsters establish a rapport with their victims, appealing to their heartstrings and getting them to send money to help with a “sick child” or other such humanitarian need. But a growing trend involves persuading individuals to send money to invest or trade cryptocurrency, the FBI reports.
Since cryptocurrency is in the news a lot and is somewhat mysterious, especially to those up in years, the idea of getting in on a potential great investment is quite luring. A person is convinced to invest a certain amount, sees an alleged profit and then is allowed by the scammers to withdraw a small amount of money. They keep investing (fattening up the account), and when the person requests to withdraw more money, the scammers create reasons why this cannot happen and instruct them to make more deposits for fees or taxes. Eventually, all the money ends up with the scammer.
Most victims of confidence fraud are age 65-plus, but in the Bay Area a surprising number of victims are between 30 and 49. The SFFBI had 193 reported cases of confidence fraud reported by individuals 65 years old and older in 2021. But 274 people between 30 and 49 were also fleeced.
Tom Peirsol, a detective in the property crimes unit of the Sonoma County Sheriff’s Office, says elder fraud is about half of the unit’s workload, albeit not all of it is internet related. There are the phone calls about car warranties, Social Security accounts, etc. “Lots of older people have nothing to do, so they listen to the phone calls and read the emails,” Peirsol says. “If they are living by themselves, they have no one to bounce things off of, so they frequently act on whatever it is that they [the fraudster] is calling about.”
When it comes to confidence/romance scams, Peirsol says lonely and older people are prime targets. “They are convinced that these people [scammers] are their friends and they send them money. It’s just horrible trying to convince people that this is a complete scam,” Peirsol explains. “They think ‘someone needs me or wants me.’ There’s no one in their lives, so they go all in.”
Spray and pray
In addition to direct phone calls, Peirsol warns about fake text messages.
“They get a valid number to call you and the next best thing is a text message,” he explains. “They’ll start off with ‘Hi, this is so-and-so. I’m looking for such-and-such.’” If they get a response, then they’ll engage, often getting the person’s name, “and then they lead you right down a road into something else.”
In most cases, Peirsol says the scammers are looking for “live people,” with whom they can directly interact. He cautions people to “be skeptical of everybody and everything. Phone spoofs look legitimate. If you don’t recognize the caller, let it go to voicemail.” And don’t return random texts.
Alvarez refers to the text scams as “spray and pray.”
“It’s easy to send out texts to validated cell phone numbers. Groups provide this [the numbers] as a service.”
Scammers can request 10,000 California-based cellphone validate numbers, says Alvarez, and then click on a link and download them. “They are easily obtained and paid for on the dark web,” he explains.
Some even provide name, social security numbers, home addresses. This makes the email or text look even more convincing.
“The hit rate is not that great,” Alvarez says, “but you only have to be right once.”
Tech support fraud
Getting a lot of Emails from McAfee Data Security? Norton Anitvirus? And you don’t even use the software?
Do you get random phone calls from what appears to be a legitimate customer service agent who claims your Social Security account has been compromised? Or your bank account?
How about pop-up messages on your computer alerting you to a possible computer virus?
Businesses, employees and individuals need to be alert to another Internet scheme that more than doubled fraudulent intake in 2021 – tech support fraud. Last year, the IC3 report shows tech fraud victims were swindled out of more than $347.6 million, compared to $146.4 million in 2020. That’s an increase of 137% in losses.
Tech support fraud involves a criminal claiming to provide customer, security or technical support or service to defraud unwitting individuals. Most of the time the criminals pose as support or service representatives, according to the IC3 report, and they offer to resolve such issues as a compromised Email or bank account, a virus on a computer or software license renewal. They generally impersonate well-known tech companies and the problems they offer to “fix” are non-existent computer issues, renewal of fraudulent software or security subscriptions.
A common approach is a phone call from a scammer who claims he/she is a computer technician from a known company. They say they’ve discovered a problem with your computer, and they request remote access. They then pretend to conduct a diagnostic test and try to make you pay to fix a problem that doesn’t exist. They also use pop-up warnings on your computer that say you have a security issue and tell you to call a phone number to get help. To pay for their fake services and fraudulent security renewals, victims typically are directed to make wire transfers to overseas accounts or purchase prepaid cards.
According to the Federal Trade Commission, legitimate tech companies won’t contact you by phone, email or text message to tell you there is a problem with your computer and real security pop-up warnings from tech companies will never ask you to call a telephone number.
The FBI notes that in addition to the more common tech support scams, there was an uptick in 2021 of scammers impersonating customer support for financial and banking companies, utility companies or virtual currency exchanges.
Protection tactics
Perhaps the best protection against falling victim to Internet fraud is a healthy dose of skepticism — about everything you see and read.
“Fraudsters are creative, dedicated and relentlessly self-improving while looking for ways to scam people out of their money,” Alvarez emphatically states. To protect themselves, “people and businesses need to concentrate on making themselves harder targets.
Changing passwords, using a password manager and establishing business financial protocols are key. But Alvarez is adamant that businesses and individuals opt in for multi-factor authentication (MFA).
MFA requires a user to provide two or more verification factors to gain access to a resource such as an application, online account or Virtual Private Network (VPN). A simple user name and password approach can easily be stolen by third parties and used for cyber/ransomware attacks. The MFA is extra insurance from cyber criminals.
There are three main types of MFA methods – knowledge (password or PIN); possession (badge or smartphone, for example) and inherence (biometrics like fingerprints or voice recognition). This is why many companies employ security questions and use one-time passwords or codes that are sent to smartphones via text or email when people are placing online orders for goods or are seeking access to applications/websites. Employees also have fobs or security keys with ever-changing codes. And as technology evolves, fingerprints, facial recognition, voice, retina or iris scanning becomes part of the package.
Alvarez believes an effective and enforced MFA strategy is the first line of defense against cyber criminals, whose job it is to steal your information.
“Remember back in the day when cars had clubs on steering wheels to deter thefts?” Alvarez asks. “You walked through a parking lot, and you saw a club, a club and a club. Then there’s one without a club. So that’s the one you break into!”
In the war against cybercrime, we reverse the time-honored George Washington phrase about military combat. The best offense, it seems, is a good defense.
Passwords
It’s the passwords, stupid. (With all apologies to the Clinton presidential campaigns.)
Of all the things that set FBI Special Agent Enrique Alvarez into spin as he handles the myriad of cybercrime cases that come into the FBI’s San Francisco’s Field Office, his biggest beef are those people who use the same password for everything – Email, computer, social media, bank accounts, yada, yada, yada.
“Use a password manager,” he instructs. “It makes you a much harder target” (for cyber fraudsters).
You come up with one password that you cannot forget and that becomes the password for access to your vault.”
A password manager helps generate unique and strong passwords and stores them in one place. The master password unlocks the encrypted vault, which allows you access to each of your passwords.
Users need to decide whether they want the passwords to be stored on their own computers and mobile devices, or in the cloud on someone else’s servers. If passwords are stored on user devices, the user has total control over its security, but will need to purchase multiple licenses so each device can sync passwords. If the user opts for cloud storage, it’s easier to access from a number of devices, but the downside is the user cannot ensure the security of the data. If one of the cloud-based services is breached, passwords can be released into the wild.
“Criminals count on you using the same password on multiple accounts,” says Alvarez. “If each password is unique, it makes it harder to guess and if it does get breached, it only affects the one site.”
He likes to use an ocean-going ship as an analogy.
“The ship has multiple compartments and each of those compartments is watertight if the door is closed. If you’re using the same password, it’s like this great ship and every door is open. If one compartment floods with water, the whole thing sinks. But if all your watertight doors are closed, one compartment floods and the rest are okay.”
Business Financial Protocols
If her experience with cyber fraud taught Rhonda Nole anything, it was the need to establish firm financial protocols for her Cotati-based Dryer Vent Wizard franchise.
These days her bookkeeper knows to call her directly if anything looks odd.
“I have told her to notify me by phone, not email,” she says. If email has been hacked and mimicked, as was the case when she was defrauded, it is no longer a viable means of communication or confirmation.
FBI Special Agent Enrique Alvarez says all companies should establish good administrative procedures on what is involved in sending money, especially if a company has employees that often travel overseas.
Often times, fraudsters will use social media sites (such as LinkedIn) to get information about a person’s place of employment. Then they’ll masquerade as a company executive and ask that person to wire funds.
“They’ll ask the employee to wire $300,000 to a bank in China. The employee wants to be good and follow orders, so they do it.”
Of course, it turns out the executive never initiated the communication.
“You need a secure way of communicating with employees that are traveling,” Alvarez says. “Look at the email address carefully [if it’s in response to an email]. Call the person. And if they give you a phone number to call in the email, don’t do it. Call the number you know is the person’s phone number. Have a good, administrative way to authenticate requests for funds. And be very skeptical if the request in unexpected.”
He points out that it’s very important, which reading email communications, to pay attention to the address in the “from” line.
“Lots of times fraudsters will register a domain name similar to that of the company,” Alvarez says, which is exactly how Nole’s bookkeeper was tripped up on the requested contractor payments.
“You have to be very careful about all emails,” Nole concurs. “Most of the hacking is coming through very legit looking email.”
And whatever you do, don’t take the bait if you get an email that’s purportedly from a vendor, such as Amazon, saying that they’ve just shipped the 27-inch TV you ordered, advises Nole. “Trust me, it’s fake.”
Hi-Tech Swindle
NorthBay Biz ran an extensive report on ransomware in the feature “Hi-Tech Swindle” in September 2021. You can read all about it online at northbaybiz.com/2021/0901/the-hi-tech-swindle.
