Today, the FBI reported that between 2019 through 2021, the FBI IC3 has received an increase of BEC complaints involving the use of virtual meeting platforms like Zoom and GotoMeeting to instruct victims to send unauthorized transfers of funds to fraudulent accounts.
How The Attacks Work
Criminals began using virtual meeting platforms to conduct more BEC-related scams due to the rise in remote work because of the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually.
Criminals use virtual meeting platforms to conduct BEC scams in multiple ways:
They Deep Fake the CEO On a Virtual Meeting Call
Compromising an employer or financial director’s email, such as a CEO or CFO, and requesting employees to participate in a virtual meeting platform where the criminal will insert a still picture of the CEO with no audio, or “deep fake” audio, and claim their video/audio is not properly working.
They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email.
They Takeover Employees Virtual Meeting Login’s
Compromising employee emails to insert themselves in workplace meetings via virtual meeting platforms to collect information on a business’s day-to-day operations.
They Pose as CEO And Say They Are In Virtual Meeting
Compromising an employer’s email, such as the CEO, and sending spoofed emails to employees instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer.
How To Protect Yourself From These Attacks
The FBI provided tips on protections for businesses against these types of attacks.
- Confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.
- Use secondary channels or two-factor authentication to verify requests for changes in account information.
- Ensure the URL in emails is associated with the business/individual it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
- Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
- Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
- Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
This is indeed a strange twist in fraud methods.