Identity thieves target university employees and students

When Winston Franklin began working for a university he signed up for the direct deposit option for his monthly check. He later checked his online bank account and was surprised to see that his last payroll check hadn't shown up as a deposit. Franklin immediately contacted his bank, which checked its records and told Winston that the university hadn't deposited his paycheck.

A university payroll employee told him that the department had deposited the check, but when it reviewed the direct deposit transactions for the month, it discovered that Winston recently had changed his direct deposit information. He then remembered that he had received an email purporting to be from the university notifying him that a change had been made in his human relations resource status. The fraudulent message contained a link that directed him to log in to the human resources website to note the change. Unfortunately, that site was a phony copy. A fraudster then stole Winston's username and password and changed his direct deposit information, which redirected his paycheck to the fraudster's bank account.

University employee payroll scheme

Although the case is fictional, the facts are real and representative of a new scheme the Internet Crime Complaint Center (IC3) posted in a January 13, public service announcement.

The IC3 reports the scam's consequences:

• Fraudsters can steal an employee's paycheck.
• The employee might not receive the money back. 
• The fraudsters can use the employee's login credentials and log into his or her other accounts.

The IC3 provides these protective tips:

• Look for incorrect grammar, capitalization and tenses. Many of the fraudsters aren't native English speakers.
• When you roll your cursor over the links you've received via email you might find a totally different URL than your employer's payroll site.
• Don't provide any credentials via email, especially after clicking on links in the email. Always enter the official payroll website URL to check on your status and not via the email link.

'Work from home' scam targets university students

In this scam, fraudsters send emails to college students to recruit them for supposed payroll and/or human resource positions with fictitious companies. (See the FBI's January 13 announcement.)

The emails ask the students to provide their bank account credentials under the guise of setting up direct deposit arrangements. The fraudsters then add the students' bank accounts to victim employees' direct deposit information to redirect the victims' payroll deposits to the students' accounts. The fraudsters obtain the victim employees' account information through other fraudulent means. The victims' employers then send the students the payroll deposits in the victims' names. The fraudsters direct the students, who unwittingly are becoming "money mules," to withdraw funds from the accounts and wire transfer portions to other individuals involved in the scam.

Consequences of the scam: 

• Law enforcement will suspect that the duped students are involved in the frauds and could arrest and prosecute them in court. Criminal records could hinder job prospects the rest of their lives.
• The students' banks could close their accounts and file federal reports.
• The fraudsters steal the victim employees' pay with the students' bank accounts.

According to the FBI, students should:

• Remember the old adage — if a job offer sounds too good to be true, it probably is.
• Don't accept any job that requires you to deposit funds into your account and then wire them to separate accounts.
• Look for incorrect grammar, capitalization and tenses. Many of the scammers aren't native English speakers.
• Don't provide any credentials such as bank account numbers, login names, passwords or any other personally identifiable information in response to recruitment emails.
• Forward these suspicious emails to your university's IT personnel. 
• Warn your friends about this scam.

Business email compromise scheme

The sophisticated Business Email Compromise (BEC) scheme has cost victim organizations millions of dollars and is going strong. (See the FBI's January 22 notice on the IC3 website.) Formerly known as the "Man-in-the-E-mail" scam, it targets businesses that regularly make wire transfer payments and deal with foreign suppliers. Fraudsters usually make the transfers to Asian banks in China and Hong Kong.

Based on IC3 complaints and other data received since 2009, the fraudsters are perpetrating three main versions:

Version 1

Fraudsters, posing as longtime suppliers, will contact businesses via telephone, fax or emails and ask for them to wire funds for invoice payments to alternate accounts. The scammers will spoof the email requests so they appear very similar to legitimate accounts. Faxes or telephone calls closely mimic legitimate requests. This version is also known as the Bogus Invoice Scheme, the Supplier Swindle and the Invoice Modification Scheme.

Version 2

Fraudsters compromise email accounts of C-suite business executives by spoofing or hacking and request that they wire transfer money to employees within the companies who are responsible for processing these requests. Sometimes, a fraudster will request a wire transfer from the compromised account directly to his financial institution with instructions to urgently send funds to bank "X" for reason "Y." This version is also known as CEO Fraud, the Business Executive Scam, Masquerading and Financial Industry Wire Fraud.

Version 3

Fraudsters will hack employees' personal email accounts, send invoices to multiple vendors identified from these employees' contact lists and request that they transfer payments to fraudster-controlled bank accounts.

According to the IC3, it has received complaints from individuals and victim organizations of all sizes in 45 countries and every state in the U.S. The IC3, which has tabulated numbers of victims and dollar losses from Oct. 1, 2013 to Dec. 1, 2014, has "high confidence the number of victims and total dollar loss will continue to increase." Here are some statistics:

• Total U.S. victims: 1,198.
• Total U.S. dollar loss: $179,755,367.08.
• Total non-U.S. victims: 928.
• Total non-U.S. dollar loss: $35,217,136.22.

Fraudsters evolve these schemes through other ongoing frauds, including romance, lottery, employment and home/vacation rental schemes, according to the IC3. Typically, the victims live in the U.S. and unknowingly serve as money mules — fraudsters transfer fraudulent funds into victims' personal bank accounts, and then the fraudsters instruct the unwitting mules to use the wire process services or other bank accounts (often foreign) to immediately transfer the money. Sometimes, the victims must set up and incorporate fake companies and bank accounts under their names.

According to the IC3, fraudsters also are pulling off the Attorney Check Scam, which is linked to the BEC scheme, by targeting attorneys to represent supposed BEC litigants in payment disputes and arranging for the litigants to send retainers in the form of checks to the attorneys.

The attorneys unearth the scam when they discover the checks are fraudulent or when they contact the BEC litigants. The payment disputes might be real, but the BEC litigants hadn't contacted or retained the attorneys for legal assistance.

According to the IC3, in most cases, investigators don't know how the fraudsters choose the victims. However, the IC3 states, "The subjects are able to accurately identify the individuals and protocol necessary to perform wire transfers within a specific business environment." Therefore, fraudsters use the well-known and highly successful "spear phishing" approach to identify and target key individuals. "Some victims," the IC3 says, "reported being a victim of various Scareware or Ransomware cyber intrusions, immediately preceding a BEC scam request."

The IC3 has noted that the BEC complaints contain the following elements:

• Fraudsters use open-source email to target businesses and employees responsible for handling wire transfers.
• Spoofed emails closely resemble legitimate email requests.
• Fraudsters concoct their well-worded email requests for wire transfers specifically to the victim businesses.
• Victims report phrases such as "code to admin expenses" or "urgent wire transfer" in some of the fraudulent email requests.
• Fraudsters request dollar amounts similar to normal business transaction amounts. 
• Businesses receive fraudulent emails addressed to executives when they're on business trips. 
• Victims report that they've traced IP addresses back to free-domain registers.

More help for the community

I hope you'll share this information with your family, friends and clients and include it in your outreach programs. We must step up our efforts to educate the public about these problems.

As you can see, cybercriminals take advantage of any opportunity to develop schemes to trick consumers and rob them of their resources. Even though they have the upper hand, an educated community will help curb the damage.

Please contact me if you have any identity theft issues you'd like me to research and possibly include in future columns or if you have any questions related to this column or any other cyber security/identity theft issue. I don't have all the answers, but I'll do my best to help. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee.