
The FBI warns of new scams in which hackers use fake video meetings to trick victims and steal their money. Business email compromise (BEC) is an emerging phishing threat that surged during the COVID-19 pandemic.

During the pandemic, video conferencing tools such as Zoom and Microsoft Teams were a big deal for businesses worldwide. Unfortunately, as users moved to video meeting tools, so did scammers.

The FBI’s Internet Crime Center (IC3) has warned users against a sudden increase in BEC scams using virtual meeting platforms to communicate with the victims.

Business email compromise (BEC) uses various tactics to target victims, relying on spoofed or compromised emails to send messages that fool them into making a wire transfer. These scams are not that technical, but they come with a carefully constructed backstory that could fool well-trained professionals.

According to the FBI, BEC resulted in more than $1.8 billion in losses in 2020. That easily dwarfs ransomware attacks, which are ever-increasing these days.

According to IC3, a video platform might not be an obvious medium for scams because meetings involve actual individuals rather than just text or email. But these scams use video in combination with email, which the scammers use to add themselves to a trusted video conference or meeting.

“Criminals began using virtual meeting platforms to conduct more BEC scams due to the rise in remote work because of the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually,” said the FBI.

The BEC scams using video meetings also use email to target victims. Scammers compromise employees’ email accounts and then use them to get into workplace meetings taking place online “to collect information on a business’s day-to-day operations.”

Scammers can also compromise the email of high-ranking employees like managers and CEOs, sending spoofed emails to employees “instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer,” according to the FBI.

Scammers may ask employees of a company to attend a virtual meeting where criminals insert a still picture of a CEO with either no audio or a “deep fake” audio. “They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email,” said the FBI.

BEC scams can involve insiders or outsiders and require one employee to make an authorized transfer of funds under scenarios formulated by scammers.

The Federal Bureau of Investigation (FBI) has offered several tips for employees to keep themselves aware of such attacks. It is tough for employees to distinguish fake requests on online video meeting platforms like Zoom, Teams, Google Meet, Slack, or even Discord.

The FBI says that employees and employers should “confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.” Companies should also employ multi-factor authentication (MFA) to verify account access and requests for changes in details. MFA is a must for high-value accounts and emails.

Microsoft is planning to expand MFA support to boost phishing resistance, including for remote desktop protocols that are common entry points for ransomware attacks.

The FBI’s Suggestions for Protection Against BEC

  1. Confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.
  2. Use secondary channels or two-factor authentication to verify requests for changes in account information.
  3. Ensure the URL in emails is associated with the business/individual it claims to be from.
  4. Be alert to hyperlinks that may contain misspellings of the actual domain name.
  5. Refrain from supplying login credentials or personal information of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  6. Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
  7. Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
  8. Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.

If you are a victim of BEC fraud, immediately call your financial institution to recall the funds. Make sure to file a complaint on www.ic3.gov or BEC.ice.gov as soon as possible.
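
Tips 3, 4 and 6 above can be partly automated at a mail gateway or during triage. The following is an added example, not code from the FBI notice: it flags a sender domain or link host that is a near misspelling of a trusted domain, and a Reply-To that points somewhere other than the sender. The domain `example-corp.com`, the function names, and the edit-distance threshold of 2 are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the organisation's real domains

def edit_distance(a, b):  # Levenshtein distance, computed row by row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower().rstrip(".")
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # the real domain or one of its subdomains
    for t in TRUSTED_DOMAINS:
        # Compare only as many trailing labels as the trusted domain has.
        tail = ".".join(domain.split(".")[-(t.count(".") + 1):])
        if edit_distance(tail, t) <= 2:  # near miss such as l -> 1 or o -> 0
            return t
    return None

def review_message(raw):
    """List findings for one single-part plain-text message."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    findings = []
    if lookalike_of(from_dom):
        findings.append(f"sender domain {from_dom} resembles {lookalike_of(from_dom)}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender {from_dom}")
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        if lookalike_of(host):
            findings.append(f"link host {host} resembles {lookalike_of(host)}")
    return findings

# Constructed sample message, not taken from the FBI notice.
SAMPLE = (
    'From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>\n'
    "Reply-To: jane.doe@mailbox.example.net\n\n"
    "I am in a video meeting: https://meet.example-c0rp.com/j/1 - wire the funds today.\n"
)
print(review_message(SAMPLE))
```

A message sent from a genuinely compromised internal account passes these checks, which is why the FBI's advice to verify requests over a secondary channel still applies.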