RICHMOND, Va. (WWBT) – Cybercriminals are getting so cunning that even major universities like Virginia Commonwealth University can be tricked into giving up thousands of dollars in a wire fraud scheme.
Nigerian cybercriminals carried out a Business Email Compromise (BEC) by identifying a vendor that a business or company deals with regularly. In VCU’s case, it was a construction company with which the university had an ongoing contract.
In this type of wire fraud, scammers create an email address that looks convincing enough to pass for the company they are posing as, and they leverage existing email chains to lend an extra level of trust. From there, they just have to play the long game. The Nigerians in this particular scam used this method to bleed multiple institutions out of millions.
VCU lost nearly $500,000, but fared much better than other victims in the case. According to the FBI, a North Carolina university sent almost $2 million to scammers in the same scheme. In Texas, a Houston-based college, a construction company and government entities lost a total of more than $3 million.
While it may seem unlikely that a university could fall victim to a BEC, cyber expert Alex Nette says there’s so much money flowing in that some accountants might not think twice about sending the money. Scammers know this, and that’s why they take advantage of it.
“As long as you’re using the internet, you’re at risk. Whether it’s a company, a university or just your family at home,” Nette said. “What we focus on as a company is how to keep your information safe online for both businesses and consumers.”
Nette, CEO of digital security company Hive Systems in Richmond, says no person or company is too big or too small to fall for these schemes as long as there are vulnerabilities in your information.
“The greatest thing about the Internet is that it connects us all, but the worst thing about the Internet is that it connects us all,” Nette said. “The biggest thing working against us right now is the speed at which we do business.”
Nette says the criminals are hiding behind a screen, here or elsewhere, just waiting for you to let your guard down. But he says we can slow them down by simply picking up the phone to verify that you’re dealing with the real company.
“Call that company. Say, ‘I just got an email from you guys and I’d like to confirm that there’s a new place where I need to get money…’” Nette said. “Getting all that information and stopping that cycle of abuse just by picking up the phone can make this less of a problem for all of us.”
In the case of VCU, a university spokesperson said that, through insurance, the university was able to recover a significant amount of money and that additional safeguards were put in place to protect against this type of fraud. But Nette says a simple phone call could have made all the difference in ensuring the university didn’t lose out.
BEC fraudsters may also impersonate an individual by hacking that person’s information and targeting their contacts, exploiting the trust attached to the victim’s email to trick loved ones or colleagues.
Nette says you should also protect yourself against this method by making sure you don’t use the same password for multiple accounts and by setting up two-step authentication to access your accounts.
“Nobody is safe and that’s the biggest idea behind cybersecurity,” Nette said.
While the money lost by VCU and other victims of the $5 million wire fraud scheme may be a drop in the bucket, the consequences of being a victim of this type of crime can be devastating for individuals and small businesses. In most cases, because large sums of money are often transferred to multiple accounts both domestically and overseas, there is a minimal chance that a victim will ever see any trace of that money again.
The advent of cryptocurrency has made stolen funds even less traceable and recoverable unless that money is secured.
Nette says six out of every 10 small businesses that suffer BECs go out of business because they don’t have the insurance policies or cash flow to withstand the financial loss.
“While there are all kinds of companies with tools and tricks to reduce that risk, that risk is still there,” Nette said. “This means we all need to take steps to protect ourselves.”
How to protect yourself:
- Be careful what information you share online or on social media. By openly sharing things like your pets’ names, schools you attended, relationships with family members, and your birthday, you can give a fraudster all the information they need to guess your password or answer your security questions.
- Do not click on anything in an unsolicited email or text message that asks you to update or verify account information. Look up the company’s phone number yourself (don’t use the one a potential scammer provides) and call the company to ask if the request is legitimate.
- Carefully review the email address, URL, and spelling used in any correspondence. Fraudsters use small differences to trick your eye and gain your trust.
- Be careful what you download. Never open an email attachment from someone you don’t know and be wary of email attachments forwarded to you.
- Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
- Verify payment and purchase requests in person if possible or by calling the person to ensure they are legitimate. You should verify any changes in account number or payment procedures with the person making the request.
- Be especially careful if the requester is pushing you to act quickly.
For more resources on how to support yourself or your businesses click HERE.
Copyright 2022 WWBT. All rights reserved.