FBI warns of new scams in which hackers are using fake video meetings to trick victims and steal their money. Business email compromise (BEC) is an emerging phishing threat that surged during the COVID-19 pandemic.
During the pandemic, video conferencing tools such as Zoom and Microsoft Teams were a big deal for businesses worldwide. Unfortunately, as users moved to video meeting tools, so did scammers.
The FBI’s Internet Crime Complaint Center (IC3) has warned users about a sudden increase in BEC scams that use virtual meeting platforms to communicate with victims.
The #FBI's Internet Crime Complaint Center is warning of an increase in business email compromise (BEC) scams involving the use of virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts. Learn more at https://t.co/Zjz9mrfvr0 pic.twitter.com/Zdjhl3WLxH
— FBI Tampa (@FBITampa) February 17, 2022
Business email compromise (BEC) relies on various tactics, all built around spoofed or compromised email accounts that send messages meant to fool victims into making a wire transfer. These scams are not very technical, but they come with a carefully constructed backstory that can fool even well-trained professionals.
According to the FBI, BEC resulted in more than $1.8 billion in losses in 2020. That easily dwarfs ransomware attacks, which are ever-increasing these days.
According to IC3, a video platform might not be an obvious medium for scams, because meetings involve actual individuals rather than just a text or an email. But these scams use video in combination with email, which the scammers use to get themselves into a trusted video conference or meeting.
“Criminals began using virtual meeting platforms to conduct more BEC scams due to the rise in remote work because of the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually,” said the FBI.
BEC scams that use video meetings still start with email. Scammers compromise employees' email accounts and then use them to get into workplace meetings that are taking place online “to collect information on a business’s day-to-day operations.”
Scammers can also compromise the email of high-ranking employees such as managers and CEOs, sending spoofed emails to employees “instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer,” according to the FBI.
Scammers may ask employees of a company to attend a virtual meeting where criminals insert a still picture of a CEO with either no audio or a “deep fake” audio. “They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email,” said the FBI.
BEC scams can involve insiders or outsiders and require one employee to make an authorized transfer of funds under scenarios formulated by scammers.
The Federal Bureau of Investigation (FBI) has offered several tips for employees to keep themselves aware of such attacks. It is tough for employees to distinguish fake requests on online video meeting platforms like Zoom, Teams, Google Meet, Slack, or even Discord.
The FBI says that employees and employers should “confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.” Companies should also employ multi-factor authentication (MFA) to verify account access and requests for changes in details. MFA is a must for high-value accounts and emails.
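The pattern the FBI describes (an executive's name on a message from outside the company, an invite to a meeting platform the office does not normally use, and a request to move funds) can be turned into a simple mail triage check. The following is an added example, not part of the FBI advisory or the original article; the domain names, allowlist, executive name, keyword list and both sample messages are constructed assumptions, and it handles plain-text, single-part messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed assumptions: adapt to your own organization.
ORG_DOMAIN = "example.com"
APPROVED_MEETING_HOSTS = {"teams.microsoft.com"}   # platform the office normally uses
KNOWN_MEETING_HOSTS = {"zoom.us", "teams.microsoft.com", "meet.google.com"}
EXECUTIVES = {"pat morgan"}                        # display names of people who approve funds
TRANSFER_RE = re.compile(r"\b(wire|transfer of funds|payment)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _is_host(host, base):
    # True for the base host itself or any subdomain of it.
    return host == base or host.endswith("." + base)

def bec_flags(raw):
    """Return the list of BEC warning signs found in one raw plain-text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()
    sender_domain = addr.rpartition("@")[2].lower()
    flags = []
    if name.lower() in EXECUTIVES and sender_domain != ORG_DOMAIN:
        flags.append("exec-name-external-sender")
    if reply and reply.rpartition("@")[2].lower() != sender_domain:
        flags.append("reply-to-mismatch")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        known = any(_is_host(host, h) for h in KNOWN_MEETING_HOSTS)
        approved = any(_is_host(host, h) for h in APPROVED_MEETING_HOSTS)
        if known and not approved:
            flags.append("unapproved-meeting-platform")
            break
    if TRANSFER_RE.search(body):
        flags.append("transfer-request")
    return flags

# Constructed sample messages (not real mail).
SUSPICIOUS = ("From: Pat Morgan <pat.morgan@example.net>\nReply-To: accounts@example.org\n"
              "To: ap@example.com\nSubject: Urgent\n\nI am stuck in a virtual meeting. Join "
              "https://us02web.zoom.us/j/0000000000 and initiate the wire transfer today.\n")
ROUTINE = ("From: Sam Lee <sam.lee@example.com>\nTo: team@example.com\nSubject: Standup\n\n"
           "Daily standup link: https://teams.microsoft.com/l/meetup-join/constructed\n")

if __name__ == "__main__":
    print(bec_flags(SUSPICIOUS), bec_flags(ROUTINE))
```

A message that raises several of these flags together is a candidate for out-of-band confirmation before any transfer is made; none of the flags is conclusive on its own.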
Microsoft is planning to expand MFA support to boost phishing resistance, including for remote desktop protocols, which are common entry points for ransomware attacks.