Business email scams target paychecks, accounts for companies

Danielle Deramo’s small business could have been wiped clean in a growing email scam that costs businesses an average $301 million each month.

Deramo’s partner, Stephanie Falzerno, opened an email asking her to pay an invoice for the Southwest Ohio business. The email appeared to come from Deramo.

Instead, it was a scammer who had both of their names, Falzerno’s email address and a fraudulent request that if followed could have resulted in their marketing firm, Just Say It, depositing money directly into the hands of a fraudster. Instead of replying to the email, Falzerno recognized it was sent from an iPad, which Deramo didn’t use, and reported the scam that has targeted the local small business several more times.

“That would have been devastating for our company because we’re a small company,” Deramo said. “We carry a small balance in our checking account, so if it would have gone through, it could have wiped us out.”

MORE: Company continues growth of huge Monroe complex, workforce

The number of scams against U.S. companies have doubled in the past three years. In 2016, the U.S. Treasury received about 500 reports per month and businesses lost about $110 million each month to the growing business email compromise scams. By 2018, the Financial Crimes Enforcement Network was receiving 1,100 reports a month and businesses lost an average $301 million each month, according to a July report.

Southwest Ohio’s Secure Cyber Defense has seen increased activity in business email compromise scams in recent months, including some that aim to steal employees’ paychecks.

The scammers have tried to steal the paychecks of some Ohio employees by sending emails that appear to be from company leadership and employees to change the direct deposit account, said Shawn Waldman, Secure Cyber Defense’s founder and CEO.

MORE: Plans already underway for Middletown brewery expansion after sale

On Sept. 23, a Columbus-area employee reported to the Better Business Bureau scam tracker $2,100 was lost when a scammer requested to change the direct deposit account number. A similar scam happened at a Dayton business early last month, but the company didn’t follow through with the payment, according to the tracker.

“Unfortunately, you’re not going to know until your paycheck doesn’t show up that day,” Waldman said. “Most of this is just being vigilant with email and listening to your gut and not clicking on things that don’t feel right.”

Scammers are also becoming more sophisticated, not only sending emails that appear to be from a boss, but actually hacking into the accounts of high-level executives’ through phishing scams.

“With the birth or the continued success mainly of things like Office 365, we’ve seen a huge increase in email compromise, specifically the business email compromise,” Waldman said. “Companies are moving to that platform and they’re not securing it properly.”

MORE: They sell what? Jungle Jim’s working to expand selection of exotic meat, seafood

Once an email is compromised, scammers can monitor all the emails for sometimes months, evaluating communication, lingo and often bank account information. Sometimes the hackers can get into an entire network of employee emails.

Once the perfect scam opportunity pops up, the fraudster cuts off the actual email owner, redirects all the mail to a personal account and starts using the email to scam employees, customers and other executives.

“(The emails are) looking very convincing because it looks like it’s coming from their boss and it’s the tone of the email, the items within the email,” said Sandra Guile, spokeswoman for the Cincinnati Better Business Bureau. “It could be ‘Hey, I need the most recent W-2s of all the employees within the organization’ or it’s ‘Hey, you haven’t paid your invoices in a while. I really want to get paid and I would like you transfer over to these particular funds or these accounts.’”

The scammer has set up a bogus URL or website that spoofs an actual site, Guile said.

MORE: New restaurant mixing tacos, tequila and bourbon coming to Liberty Center this month

Many times the email is targeted to someone who handles the financial aspects of an organization, a person who likely is dealing with multiple money-related matters at any given time, she said.

“They’re not really paying attention at where those emails are coming from,” Guile said. “The best way to prevent that from happening is by actually looking at where that email originated from and looking at the the extensions of them to see if its actually from the vendor they’ve been working with for a while.”

Grammatical mistakes and misspellings of common words also can be signs of a scammer, she said.

Some of the biggest scams are through real estate transactions, where hackers will learn the name of a buyer, the closing cost of a property and the real estate agent. Once scammers get all the information they need, they use emails identical to company branding to persuade a home buyer to wire the often hundreds of thousands of dollars to a fraudulent bank account.

Scammers, Guile said, prey on those who are not paying attention to details in the midst of a complicated and often fast transaction.

“They count on the chaos, they count on the confusion, they count on the consumer not really paying attention to what is going on,” she said. “It’s a matter of clicking on something and thinking ‘OK, I can scratch that off my list, I can move on’ and, lo and behold, there goes your down payment, there goes all of your savings for your next home.”

Many of the scammers come of Iran, Nigeria and other countries, Guile and Waldman both said.

Wire transfer scam results in an average $35,000 lost. Sometimes scammers will ask for gift cards instead, which average losses between $1,000 and $2,000, Sword said.

Waldman’s company has seen businesses lose millions of dollars, he said. Miamisburg-based Secure Cyber Defense helped a Cincinnati company recover $900,000 of $1.3 million that had been wired to a scammer’s offshore bank account after an email compromise scam, Waldman said.

“If they don’t call federal law enforcement within 72 hours, they probably won’t get their money back,” Waldman said. “There’s a time clock that starts on off-shore wire transfers. If you can get a hold of the Secret Service within 72 hours, there’s a high probability that they can call that money back.”

About the Authors