Cybercriminals Use Sophisticated Thievery To Steal Personal, Business Funds

We live in an age when clicking on a malicious link can set off an expensive chain of events. Our digital devices, social media and email accounts, and business enterprise platforms hold a host of information, and all it takes is one breach for cyber criminals to get in and access sensitive data and, ultimately, money.

The Federal Trade Commission received 2.4 million reports of fraud from consumers in 2022, with nearly $8.8 billion reported in lost funds. That’s up 30 percent from 2021. The top five commonly reported scams were imposter scams; online shopping scams; prizes, sweepstakes and lottery scams; investment-related reports; and business and job opportunities.

Jamie Faber, Michigan Business Banking Market Manager for JPMorgan Chase & Co., knows how common bank account fraud is. Her business clients frequently find themselves in that situation.

“A lot of our clients fall victim to this,” she said. “It’s the worst client experience possible.”

While bank account fraud is common in individual finances, it’s even more common on the commercial side, said Faber. Scammers often target business accounts because more people have access to them, which means more chances to break through security, she said.

In response to the 2022 PwC Global Economic Crime and Fraud Survey, 51% of U.S. companies said they experienced fraud in the past two years, the highest level in PwC’s 20 years of research.

Types of business account fraud
Faber enumerated four main types of business account fraud. The first and most common is phishing, in which criminals send malicious links via email, social media or texts to gain access to account numbers and other information. 

According to AAG IT Services, 3.4 billion phishing emails go out across the world daily. AAG also reported that 2021 saw 323,972 Internet users worldwide fall victim to phishing attacks, with some $442 million stolen through these crimes.

The second way fraudsters try to access information is via business email compromises. This category encompasses any use of company email to access information or funds. Cyber criminals could send fake invoices, impersonate a company lawyer and ask for funds or access to accounts, impersonate company leadership and ask employees to purchase gift cards or transfer money, or use malware to gain access to company accounts or spread computer viruses.

According to the FBI’s Internet Crime Report, financial losses from business email compromises in the United States have more than doubled since 2018, hitting $2.7 million in 2022. It’s a number Faber found staggering.

Faber gave the example of a criminal impersonating a vendor via email and asking to change the direct deposit account in order to steal funds. One way to combat this crime is to ensure that employees never accept financial changes or transfers electronically. “Always follow up with a phone call,” said Faber.

Social engineering, or pretending to be someone else online or via phone to gain access to information or funds, is another type of fraud, as is the use of ransomware.

In any of these cases, criminals try to gain access quickly. “They try to create a sense of urgency,” said Faber. “They’re very threatening.”

That said, if an email or phone call seems suspicious, or the correspondent is reluctant to verify information or impatient, consider it a red flag.

Also, remember that banks will never threaten to close your account or ask you to send money, so if you’re receiving such a request, you’re likely dealing with a cybercriminal.

Combatting business account fraud
Most businesses think they’ll never fall victim to fraud, but considering the statistics, many do. Faber recommended businesses review their security policies and procedures to protect themselves against fraud.

A good security program should include:

  • Multifactor authentication, or multiple steps in logging into the company’s systems, especially when employees work remotely. This could involve entering codes, answering security questions and even face or fingerprint recognition for some companies.
  • Automatic labeling for external emails so that employees can tell when emails are internal versus external.
  • Training on business email compromise techniques and ways to avoid them.
  • Testing of policies. This could involve sending fake phishing emails to see if employees fall for them or other security tests.

Chad Paalman, founder and CEO of NuWave Technology, has told business leaders for years that they need to have a plan to deal with a cybersecurity event such as a ransomware attack or a hacking. Paalman urges business leaders to work with their IT team ― whether it’s an internal team or outside the organization ― to “pick a framework and use it to put cybersecurity best practices” in place.

“This is the single biggest threat all organizations face today,” Paalman said. “If you know statistically it’s the most probable catastrophic thing that’s going to happen, why don’t you have … those plans in place and test those plans.

“Put all the cybersecurity best practices in place that your budget will allow and at the same time have a plan in place, so that if you have a cybersecurity event you can recover and continue to operate your business,” he added. “My biggest message is, be cyber resilient, have a plan in place, test your plan and continue to make investments in bettering your security at the same time.”

In addition to reviewing and strengthening security practices, JPMorgan Chase’s Faber advised companies to investigate fraud insurance, which can help recoup losses in the case of attacks.

Combatting personal account fraud
Faber provided some general tips to help individuals protect themselves from fraud. They include:

  • Keep personal information personal. Never share passwords, pass codes or account numbers with anyone.
  • Don’t click on links sent through email, social media or text.
  • Never transfer money to anyone you don’t know.
  • Access your account information through secure applications or through the bank’s website, but be sure to type in the website address rather than clicking on a link. Sometimes you click on a link, thinking you’re going to your bank’s site, but you’re going to a different site that could compromise your information, Faber said.
  • Avoid using public Wi-Fi to access your accounts.
  • Check accounts frequently to monitor activity.
  • Know your bank’s security options, and take advantage of them.

If you experience fraud
If you do fall victim to fraud, either in the business or personal realm, Faber said the first and most important thing to remember is to contact your bank as soon as possible — the sooner, the better. Other important contacts include law enforcement and any credit card accounts that may have been compromised.

Check out the FTC guidelines for reporting fraud, as well as Chase’s banking security tips, Faber advised.

Finally, remember that, while embarrassing, fraud happens to many people and businesses. The sooner you correct the problem, the quicker the resolution will be and the less damage you’ll experience.

Staff Writer Brad Kadrich contributed to this report.