Client Security Advisory Notice

For fast, easy, and affordable communication, email is hard to beat. Unfortunately, those positive attributes also make email a favorite tool of fraud artists.  Adding to the problem, it can be difficult to tell who is actually sending an email, and scammers have learned to disguise their online identities to make it appear that their messages are coming from a trusted source.  Here is an email message received by the controller of a CBC client from the company’s president (the names have been changed to protect the innocent):

We have a chance to make a great buy on some inventory, but we need to act right away.  I need you to process a large wire transfer for me immediately, kindly get back to me with the necessary information you need to complete the transaction.


Of course, “Don” never sent the email, and a reply to the email will go to the scammer, not to the company president.  Fortunately, “Don” was sitting in “Joe’s” office when the fraudulent email arrived, so the controller was not fooled.  But other companies are not so fortunate, and are ripped off every day by this simple scam.  

In another case, a real estate firm was in escrow to buy a property when they received an email from the escrow company directing them to send their wire transfer to a different financial institution than specified in the original escrow instructions.  In this case, an alert CBC officer advised the client to confirm the instructions before sending the wire.  A call to the escrow company revealed that they had never sent the email containing the revised payment instructions, and a potential million-dollar fraud loss was averted by the real estate firm.

What these incidents have in common is that the scammers were able to impersonate a trusted party to send fraudulent email payment instructions to the company being victimized.  The way to avoid these losses is to be aware that email accounts can be hacked, trusted sources can be impersonated, and payment instructions may be fraudulent. If an unexpected payment instruction is received, pick up the phone and call the sender to verify their instructions. Don’t reply to the email to verify the instructions, since your reply will likely go to the scammer, not the authorized party.
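The warning signs described above can also be screened for automatically before a payment request reaches the controller. The following is an added example, not part of the original notice or any CBC system: the sample message, the .example domains, the keyword list and the function names are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From line looks internal, but replies go elsewhere.
SAMPLE = """\
From: "Don" <don@corp.example>
Reply-To: "Don" <don@corp-mail.example>
To: joe@corp.example
Subject: Urgent inventory purchase

I need you to process a large wire transfer for me immediately.
"""

# Assumed phrases that mark a message as a payment instruction.
PAYMENT_WORDS = ("wire transfer", "payment instructions", "escrow")


def domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def review_message(raw, trusted_domains):
    """Return a list of warning flags for one raw email message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain(msg["From"])
    reply_dom = domain(msg["Reply-To"])
    # A reply would be delivered somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # Sender domain is not one the company recognises (e.g. a lookalike).
    if from_dom not in trusted_domains:
        findings.append("untrusted-sender-domain")
    # Collect subject and text parts to look for payment language.
    parts = [p.get_payload() for p in msg.walk() if not p.is_multipart()]
    text = " ".join([msg["Subject"] or ""] + [p for p in parts if isinstance(p, str)])
    if any(word in text.lower() for word in PAYMENT_WORDS):
        findings.append("payment-request")
    return findings


if __name__ == "__main__":
    print(review_message(SAMPLE, {"corp.example"}))
```

A message sent from a genuinely hacked account passes both address checks, so any message flagged as a payment request still needs the phone call described above.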

Tax Time Is Fraud Time: IRS Refund Scams

The Internal Revenue Service is warning taxpayers about a new twist on an old scam. After stealing client data from tax professionals and filing fraudulent tax returns, the criminals arrange to have the fraudulent refunds deposited into the bank accounts of real taxpayers.  The thieves then use various tactics to reclaim the refund from the taxpayers, and their versions of the scam continue to evolve:

  1. In one version of the scam, criminals posing as debt collection agency officials acting on behalf of the IRS contact the taxpayers to say a refund was deposited in error, and ask the taxpayers to forward the money to their collection agency.
  2. In another version, the taxpayer who received the erroneous refund gets an automated call with a recorded voice threatening the taxpayer with criminal fraud charges, an arrest warrant and a “blacklisting” of their Social Security Number. The recorded voice gives the taxpayer a case number and a telephone number to call to return the refund.

In each version, the scammer’s goal is to get the taxpayer to forward the fraudulent refund to the scammer.  Eventually, however, the real IRS will come to retrieve the fraudulent refund, and the taxpayer will be victimized again.  The IRS urges taxpayers to follow established procedures for returning an erroneous refund to the agency. The IRS also encourages taxpayers to discuss the issue with their financial institutions to prevent further fraud against their bank accounts. Taxpayers receiving erroneous refunds also should contact their tax preparers immediately.

Is It Time to Update Your Web Browser?

Web browsers are the computer programs we use to access the internet; examples are Microsoft Internet Explorer, Google Chrome, Mozilla Firefox, and Apple Safari.  Most web browsers include security features, called protocols, to help protect them from viruses, hacking, and other security problems.  In the near future, software vendors will be retiring the TLS 1.1 protocol due to its inherent vulnerabilities.  Web browsers that do not support TLS 1.2 will need to be updated.  For example, after June 3, 2018, users that attempt to access Zixmail (the Bank’s secure email portal) with a browser that does not support TLS 1.2 will get a "connection refused" message.

If you have been keeping your operating system and web browser current, you are probably fine.  But if you are using older versions of your web browser (like Internet Explorer versions older than IE 11) or operating system (like Windows XP or other versions older than Windows 7), an update is long overdue. Click here for a comprehensive list of browsers that support TLS 1.2. Upgrade now and enjoy the peace of mind that comes with knowing that your system is secure.