FBI and IRS warn of pervasive, maddening business, consumer scams

FBI says man-in-the-middle e-mail scam cost victims $214M; IRS says phone scam has 3,000 victims who’ve paid over $14M.

holiday scams
Credit: Thinkstock

The FBI and IRS separately this week warned of a couple timeworn but highly effective scams that continue to grow and strip businesses and consumers of cash.

First, the FBI is again warning businesses to be aware of a growing scam that tricks them into paying invoices from established partners that look legitimate but in fact are fraudulent.

+ More on Network World: The hottest 3D printing projects +

The FBI says the fraud is a tweak of the “man-in-the-middle” scam and usually involves chief technology officers, chief financial officers, or comptrollers, receiving an e-mail via their business accounts purportedly from a vendor requesting a wire transfer to a designated bank account, the FBI said.

The FBI even changed the name of the scam now calling it the Business E-mail Compromise (BEC) of the “business angle” of this scam and to avoid confusion with another unrelated scam.

The fraudulent wire transfer payments associated with BEC are sent to foreign banks and may be transferred several times but are quickly dispersed. Asian banks, located in China and Hong Kong, are the most commonly reported ending destination for these fraudulent transfers.

The Internet Crime Complaint Center (IC3) has received BEC complaint data from victims in every U.S. state and 45 countries. From 10/01/2013 to 12/01/2014, the following statistics are reported:

  • Total U.S. victims: 1198
  • Total U.S. dollar loss: $179,755,367.08
  • Total non-U.S. victims: 928
  • Total non-U.S. dollar loss: $35,217,136.26
  • Combined victims: 2126
  • Combined dollar loss: $214,972,503.30

According to the FBI, it is still largely unknown how victims are selected; however, the subjects monitor and study their selected victims prior to initiating the BEC scam.

“The subjects are able to accurately identify the individuals and protocol necessary to perform wire transfers within a specific business environment. Victims may also first receive “phishing” e-mails requesting additional details of the business or individual being targeted (name, travel dates, etc). Some victims reported being a victim of various Scareware or Ransomware cyber intrusions, immediately preceding a BEC scam request,” the FBI says.

Also, based on IC3 complaints and other complaint data received since 2009, there are three main versions of this scam:

Version 1

A business, which often has a long standing relationship with a supplier, is asked to wire funds for invoice payment to an alternate, fraudulent account. The request may be made via telephone, facsimile or e-mail. If an e-mail is received, the subject will spoof the e-mail request so it appears very similar to a legitimate account and would take very close scrutiny to determine it was fraudulent. Likewise, if a facsimile or telephone call is received, it will closely mimic a legitimate request. This particular version has also been referred to as “The Bogus Invoice Scheme,” “The Supplier Swindle,” and “Invoice Modification Scheme.”

Version 2

The e-mail accounts of high-level business executives (CFO, CTO, etc) are compromised. The account may be spoofed or hacked. A request for a wire transfer from the compromised account is made to a second employee within the company who is normally responsible for processing these requests. In some instances a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank “X” for reason “Y.” This particular version has also been referred to as “CEO Fraud,” “Business Executive Scam,” “Masquerading,” and “Financial Industry Wire Frauds.”

Version 3

An employee of a business has his/her personal e-mail hacked. Requests for invoice payments to fraudster-controlled bank accounts are sent from this employee’s personal e-mail to multiple vendors identified from this employee’s contact list. The business may not become aware of the fraudulent requests until they are contacted by their vendors to follow up on the status of their invoice payment.

In the end, the scheme is usually not detected until the company’s internal fraud detections alert victims to the request or company executives talk to each other to verify the transfer was made.

Meanwhile the IRS says it is still battling aggressive and threatening phone calls being made by criminals impersonating IRS agents.

The IRS has seen a surge of these phone scams in recent months as scam artists threaten police arrest, deportation, license revocation and other things. The IRS reminds taxpayers to guard against all sorts of con games that arise during any filing season.

"If someone calls unexpectedly claiming to be from the IRS with aggressive threats if you don't pay immediately, it's a scam artist calling,” said IRS Commissioner John Koskinen in a statement. "The first IRS contact with taxpayers is usually through the mail. Taxpayers have rights, and this is not how we do business."

Phone scams in fact for the first time top the Dirty Dozen scam list compiled annually by the IRS and lists a variety of common scams taxpayers may encounter any time during the year.

+More on Network World: IRS warns on 'Dirty Dozen' tax scams for 2014+

Phone scams top the list this year because it has been a persistent and pervasive problem for many taxpayers for many months. Scammers are able to alter caller ID numbers to make it look like the IRS is calling. They use fake names and bogus IRS badge numbers. They often leave "urgent" callback requests. They prey on the most vulnerable people, such as the elderly, newly arrived immigrants and those whose first language is not English. Scammers have been known to impersonate agents from IRS Criminal Investigation as well.

“These criminals try to scare and shock you into providing personal financial information on the spot while you are off guard,” Koskinen said. “Don’t be taken in and don’t engage these people over the phone.”

The Treasury Inspector General for Tax Administration (TIGTA) has received reports of roughly 290,000 contacts since October 2013 and has become aware of nearly 3,000 victims who have collectively paid over $14 million as a result of the scam, in which individuals make unsolicited calls to taxpayers fraudulently claiming to be IRS officials and demanding that they send them cash via prepaid debit cards.

The IRS reminded consumers that they could know pretty easily when a supposed IRS caller is a fake. Here are five things the scammers often do but the IRS will not do.

According to the IRS the agency will never:

  • Call to demand immediate payment, nor will the agency call about taxes owed without first having mailed you a bill.
  • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  • Require you to use a specific payment method for your taxes, such as a prepaid debit card.
  • Ask for credit or debit card numbers over the phone.
  • Threaten to bring in local police or other law-enforcement groups to have you arrested for not paying.

This story, "FBI and IRS warn of pervasive, maddening business, consumer scams" was originally published by Network World.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.