Financial Fraud & Scams – How to protect your business

As the financial fraud and cybersecurity threat landscape keeps evolving, and in light of recent events such as the QuickBooks payment scams, it’s important to be vigilant against any type of deception used to financially harm a person or organization, otherwise known as fraud.

Fraud takes many forms depending on the scope and target of the attack, but it is ultimately a cybersecurity issue because scammers operate through phishing and business email compromise techniques. While fraud takes place year round, we become more vulnerable during cyclical “busy” periods such as tax season and when a specific market, such as real estate, trades at a high volume.

So what are the types of fraud you should be aware of? What does it look like? Who does it affect? And how can you protect yourself from becoming a victim of financial fraud?

Tax & IRS Scams  

The first type of financial fraud targets businesses and individuals by having the scammer impersonate a government agency such as the IRS to obtain payment, social security, or financial information. It’s extremely effective, especially during tax season, because filers often expect communications from the IRS and because fraudsters have become sophisticated in primarily targeting more vulnerable groups such as the elderly.

For some reference on the frequency of these incidents, in 2019 alone there were over 300,000 tax scam complaints filed with fraudulent damages being around $1.3 billion. To make matters worse, the FBI believes that only 15% of these crimes were actually reported and that annual costs could actually be closer to $27 billion. The most common approach to these campaigns is using phishing emails. 

The scammer(s) will send an email to their target using an address similar to the IRS domain or have their email header displayed as “IRS” — covering their actual address full of obscure and random characters. The message will contain urgent statements such as “verifying information,” claiming “your SSN is suspended,” or “you’re owed a large return.” 

The recipient then clicks a link that takes them to a spoofed IRS website page and enters personal information such as credit card or social security numbers. That information is routed to the scammer, who uses it to make purchases or to file a false tax return and collect the return payments. The same strategy is employed over other channels as well, such as texts, phone calls, and, most recently, social media.

Wire (& Mortgage) Fraud

In this type of financial fraud attack, someone impersonates a person trusted by the target and convinces them to send money to a fraudulent account. Oftentimes, this attack is used on financial personnel at large companies where the scammer pretends to be an executive and sends an email with commands to send money to a specific account number to pay a vendor, supplier, contractor, etc.  

As a whole, wire fraud stemming from email account compromise is rapidly growing. While the 2021 report hasn’t yet been published, the 2020 internet crime report estimated that $1,866,642,107 was lost to this attack. That’s up over $90,000,000 from 2019 and over $568,000,000 from 2018.

In recent years, however, wire fraud has become common in the real estate market in the form of mortgage fraud. The scammer will pretend to be the mortgage lender, real estate broker, or title agent and tell a buyer to send their closing costs to the fake account. 2020 real estate data showed that nearly one-third of transactions had some level of attempted wire fraud, and most agents see it increasing year-to-year.

Like tax scams, the fraudsters can use a spoofed or modified email address to make this work. However, in a more advanced version the scammer can first use phishing emails to convince a title, real estate, or mortgage professional to divulge their email or Active Directory (AD) credentials. Once they have that information, they have entirely compromised the user’s email and can send the message directly from their account to the target.

Invoice Fraud

Lastly, we have invoice fraud as an effective way to steal funds from businesses, non-profits, and associations. Like wire fraud, this attack is intelligently crafted and focused on someone in a financial management position who would be responsible and authorized to finalize outgoing payments. The scammer, in this case, will pretend to be a supplier or vendor of the organization and convince the target to make a payment or divulge financial information. 

They do this through phishing emails that falsely notify the target that the vendor’s payment details have changed and that the payer needs to resubmit financial details, with a link to a spoofed page where the information is submitted. Scammers also might send a fake invoice with a link or directions (with fraudulent account numbers) to receive payment.

Trends for this type of fraud go hand-in-hand with business email compromise (BEC) since the scammers are able to obtain access to the supplier’s email systems before impersonating them. So an increase in one is just about guaranteed to be an increase in the other. For instance, during the first few months of the COVID-19 shutdowns, there was a 75% increase in invoice fraud and a 200% jump in BEC attacks from April to May of 2020.  

Best Practices to Protect from Fraud 

First and foremost, the best way to protect yourself (and your business) from fraud is through awareness. Understand how these attacks would unfold through text, phone, or email and be on the lookout for email attributes common during phishing such as generic messaging (introduction as “To our customer”), email addresses with variations or weird character combinations, and urgent/significant commands (“Update your account details.”).
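The email attributes described above (an "IRS" display name over an unrelated address, a vendor domain with a small variation, generic or urgent wording) can be checked mechanically. The following is an added example, not code from the original article: the trusted-sender map, the hypothetical vendor `acme-supply.example`, and the sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: names you expect mail from, mapped to their real domains.
# "acme supply" / acme-supply.example is a hypothetical vendor.
TRUSTED = {"irs": "irs.gov", "acme supply": "acme-supply.example"}
# Phrases taken from the article's examples of generic or urgent wording.
PHRASES = ["to our customer", "update your account details",
           "ssn is suspended", "verifying information", "owed a large return"]

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw_message):
    """Return a list of phishing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, real in TRUSTED.items():
        if domain == real or domain.endswith("." + real):
            continue  # mail really comes from this sender's domain
        if re.search(rf"\b{re.escape(brand)}\b", name.lower()):
            findings.append(f"display name claims '{brand}' but address is @{domain}")
        if edit_distance(domain, real) <= 2:
            findings.append(f"@{domain} is a near-miss of {real}")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")).lower()
    findings += [f"generic/urgent phrase: '{p}'" for p in PHRASES if p in text]
    return findings

# Constructed sample messages (not real mail).
SPOOFED = ("From: IRS <x9k2q@refund-desk.example>\nSubject: Action required\n\n"
           "To our customer, your SSN is suspended. Update your account details.\n")
LOOKALIKE = ("From: Accounts <billing@acme-suply.example>\nSubject: Invoice\n\n"
             "New bank details attached.\n")
GENUINE = "From: Acme Supply <billing@acme-supply.example>\nSubject: Invoice 114\n\nSee portal.\n"

if __name__ == "__main__":
    for sample in (SPOOFED, LOOKALIKE, GENUINE):
        print(triage(sample))
```

The From header is set by the sender, so an empty result here does not prove a message is genuine; a message sent from a compromised real account, as in the advanced wire fraud case, passes all three checks.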

You also want to have procedural awareness for how a typical process would go. For instance, your company might have a series of steps in order to make and approve payments to a vendor. Therefore, having your CEO send an email telling you to wire money to an account would be odd and out of process. Additionally, the IRS is known procedurally to do most of their communications through physical mail and not email or telephone. 

A good rule-of-thumb to follow is to verify through a phone call or by logging into your online account. Confirm with your work colleague, supplier, CPA, bank institution, title agency, real estate agent, mortgage broker, or the IRS before taking any actions requested by the sender. If an email was legitimate, the sender would have, on file, information on the request and include it in an online account profile.     

Also be sure to utilize top-of-the-line technology to help prevent and mitigate system compromises. Multi-factor authentication (MFA) on your applications is a great way to protect yourself even if your login credentials are stolen, as it requires an additional step for the scammer to gain access. Password management tools are solid mechanisms as well to securely store and organize account passwords.

Moreover, email filtering systems help control which emails enter your corporate network, and artificial intelligence (AI) email security software can be used to understand patterns of users to detect potentially malicious email messages. In addition to these practices and software tools, be sure to validate that any third-party vendors or service providers are incorporating the same solutions in their programs, as their security posture can impact yours.

Avoid Becoming a Victim of Fraud with Ascension Global Technology 

Despite the advancement of techniques and increased volume of attempts, fraud is highly avoidable by deploying the right knowledge and tools. Contact our experts today to learn more about how you can protect your business from all types of fraudulent financial scams. Also be sure to check out our blog for up-to-date insights and content on all things cybersecurity.         

About Us

"AGT" offers complete end-to-end security protection through technology tools, cybersecurity strategy, consulting, and project management services, from addressing specific security gaps to a full environment cybersecurity strategy. With services designed to improve any organization’s overall security posture, AGT develops strategies to implement and deploy successful cybersecurity solutions to protect companies from data and financial loss.