It's Not Just CNP Fraud. Merchants Must Protect Themselves from New Cybercrime Scams

Cybercriminals are now targeting your email. Rafael Lourenco explains three scams that every merchant should watch out for and offers tips to help you combat them.

Cybercriminals are now targeting your email. Rafael Lourenco explains three scams that every merchant should watch out for and offers tips to help you combat them.

Retailers and other online merchants know all too well that fighting card-not-present (CNP) fraud is a constant battle. But it's not the only risk they face from cyber-scammers. As digital crime rings expand and "professionalize," security experts and law enforcement agencies are tracking a rise in fraud schemes that target businesses through email rather than the shopping cart.

These scams are in a fraud category called business email compromise (BEC). Today's BEC attacks are the grown-up, more professional, harder-to-spot versions of yesteryear's amateurish phishing scams, and they are on the rise because they work. The FBI says BEC scammers have stolen more than $12.5 billion worldwide since 2013, and BEC attacks rose 250% from 2017 to 2018, according to the 2018 BDO Cyber Governance Survey. These scams take a variety of forms, but the goal is always the same – separate businesses from their money.

Impersonating executives to request wire transfers

Scammers have learned that by gathering intel on executives – sometimes by purchasing legitimate marketing lists – they can send convincing-looking emails to the executives' assistants to make urgent wire-transfer requests. The pretext is often that a vendor needs immediate payment or that there's a deal on the line. The fraudsters sometimes follow their targets on social media and launch their attacks while the executive is away from the office to make it harder for the assistant to double check the request before the fake deadline.

Sending fake invoices to accounts payable

Other scammers use email to impersonate a company's vendors and request payment of fake invoices. A Lithuanian man recently pleaded guilty to wire-fraud charges for running this type of BEC scam to bilk Facebook and Google out of a total of $100 million. And while it's tempting to think that small merchants won't attract invoice fraudsters, cybercriminals are always looking for vulnerable targets to exploit, regardless of size.

Requesting fake payroll data updates

Fraudsters have found another way to target companies. They pose as employees or executives in emails to HR or payroll and ask to change their paycheck direct-deposit to a new account. According to the IRS, this type of scam is usually caught only after someone misses a paycheck or two.

How criminals hijack email for scams

What all these schemes have in common is deception – impersonating someone the recipient trusts. Another common factor is that these scam emails don't contain malicious links or attachments, so they often make it past spam filters.

In some cases, criminals create a fake domain that looks like a real one, such as instead of Then they use their "lookalike" domain to send scam emails, some of which will inevitably reach Apple customers. 

In some cases, merchants leave their email wide open to exploitation. Most retailers have not yet implemented domain-based message authentication, reporting and conformance (DMARC), an open-standard security protocol that shows businesses who's using their domains to send email and allows them to flag and stop emails from unauthorized senders. DMARC can dramatically reduce the number of scam emails sent from a merchant's domains – including scam emails sent within the company's network. 

Password hygiene is a problem, too. According to cybersecurity firm Digital Shadows, there are now more than 5 billion stolen username/password combinations available to criminals on the dark web. Scammers can buy and use these pairings to stuff credentials on a variety of websites to find matches. Because many people use the same password for multiple sites, the criminals often find a way into business email accounts, where they can launch legitimate-looking attacks. 

When fraudsters can't access a target's domain, use a lookalike domain, or hack their way into an employee's email account, they may impersonate the sender's name and hope that the recipient reads the message on their phone. That's because most email apps display the sender's name but not the email address, unless the recipient taps to review the sender data. Some scammers even time their BEC campaigns to their victims' off hours, when they're more likely to be on their phone than at their desk.

How merchants can push back against BEC

Start by protecting your email network. Require everyone on your email network to use new, unique, strong passwords so that keyword stuffers don't break into your system. Implement DMARC on your company's email servers to keep domain hijackers out. 

Train your team to avoid BEC scams by checking senders' email addresses, treating urgent email requests with caution, and communicating with team members before moving money or changing payroll details. Have a process in place to report suspected scam emails or successful attacks to your IT team, local law enforcement and the FBI. By keeping the lines of communication open within your company, improving your email security, and making email caution a company value, you can reduce the likelihood of becoming a BEC attack target.

Original article at