How to Report Cyber Scams to the FBI’s Internet Crime Complaint Center (IC3)
Businesses today face more cybersecurity challenges than ever before. As technology advances, so do cybercriminals, and they are taking advantage of businesses in this time of expanding virtualization. Simple online tasks such as emailing clients, making purchases, and following links present serious risks to businesses and their employees. Luckily, the FBI has a division called the Internet Crime Complaint Center (IC3) that promotes cybercrime awareness and offers valuable advice on internet safety. Read more to learn about what this division does and how it can help you protect your business, employees, and clients online.
Here's What Your Business Should Know About the Internet Crime Complaint Center (IC3):
What Is the Internet Crime Compliant Center?
According to its mission statement, the Internet Crime Complaint Center (IC3) “provides a reliable and convenient reporting mechanism to submit information to the Federal Bureau of Investigation concerning suspected Internet-facilitated criminal activity and to develop effective alliances with law enforcement and industry partners. Information is analyzed and disseminated for investigative and intelligence purposes to law enforcement and for public awareness.” The program was founded in 2000 as the Internet Fraud Complaint Center, but it quickly expanded beyond the scope of “fraud” into all criminal internet activity and was renamed the IC3 in 2003. The focus of the IC3 is ransomware - a type of malware typically used for extortion.
The FBI IC3 regularly publishes public service announcements and annual reports on cybercrime that help consumers and businesses protect themselves from criminals online. These updates can include reports of a certain kind of cybercrime, common tactics of cybercriminals, tips for business owners, and more. Below, we’ve compiled important information for businesses about the rise in cybercrimes that the IC3 released in the past year on business email compromise, technical and customer support fraud, and impersonation of businesses on job recruitment websites.
Working with the IC3: How to Report a Wire Transfer Scam
To understand how businesses can work with the IC3, we'll look at the process of responding to an illegitimate wire transfer. The FBI deals with many wire transfer schemes and their IC3 Recovery Asset Team (RAT) can help freeze the funds before making a cyber criminal's payday. Here's what the process looks like:
- An employee receives a request for a fraudulent wire transfer. Unlike routine invoices, these transfer requests can originate with a business email compromise, brand impersonation, or social engineering attack. Before verifying the validity of the request, one of your employees approves the transaction.
- After being alerted to the fraud, you reach out to your IT team or Managed Services Provider (MSP), and work with them to report the incident to the IC3.
- Your business and IT team will provide the IC3 extensive documentation around the scam, including:
- The amount transferred
- Banking account and routing numbers
- Any communication around the request, including the original email or documents
- Forensic data such as IP addresses
- After submitting the form, the RAT team will work to recover the wire transfer before the end of the day (when wire transfers are typically concluded). Depending on the speed with which you are able to report the fraud, you may be notified by your bank that they were able to successfully recoup the loss following the FBI's investigation.
Business Email Compromise Scams
Business Email Compromise/Email Account Compromise (BEC/EAC) refers to scams that target legitimate transfer-of-funds requests from businesses and individuals. This often happens when a subject compromises a legitimate email account through social engineering or computer intrusion to make unauthorized transfers. Sometimes, subjects target employees’ Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms using this method. The FBI said there was a 65% increase in losses from this kind of scam reported between July 2019 and December 2021. Part of this increase was contributed to the virtualization of many business transactions following the beginning of the COVID-19 pandemic. They offered some key takeaways for businesses to protect themselves from this kind of crime:
- Confirm the use of outside virtual meeting platforms
- Monitor financial accounts on a regular basis for irregularities
- Check for hyperlinks that may contain misspellings of the domain name
- Don’t share login credentials or personal information of any sort via email
- Ensure the sender's email address appears to match who it is coming from
- Ensure the URL in emails is associated with the business/individual it claims to be from
- Use secondary channels or two-factor authentication to verify account change requests
- Ensure the settings in employees' computers are enabled to allow full email extensions to be viewed
Customer Support Fraud Schemes
Technical and Customer Support Fraud refers to scams in which a criminal pretends to be a technical or customer support/service in order to trick someone into giving them personal information. Victims report instances of banking support impersonators, cryptocurrency support impersonators, ride-share support impersonators, utility, cable, or internet support impersonators, and travel support impersonators. Often, these scammers will ask victims to make wire transfers to overseas accounts or use cryptocurrency to transfer funds. They will also cold-call owners about nonexistent “problems” and offer up “solutions” which require them to divulge personal information, transfer funds, download software (which turns out to be malware), or other seemingly reasonable activities. The FBI recommends the following for businesses who wish to protect themselves from these kinds of scams:
- Change all passwords on a regular basis
- Run up-to-date virus scan software to check for potentially malicious software
- Be aware that legitimate support personnel will not initiate unsolicited contact
- Do not give unknown, unverified persons remote access to devices or accounts
- Resist the pressure to act quickly; criminals will urge the victim to act fast to protect their device or account
- Install ad-blocking software and ensure all computer anti-virus, security, and malware protection is up to date
- Be cautious of customer support numbers found via web searches. Instead, look for support contact information directly on the website of the company
Recruitment Spoofing Campaigns
The third proliferating cybercrime we want to make businesses aware of is one in which scammers impersonate businesses on job recruitment websites. These sites, such as LinkedIn, Indeed, and Glassdoor, are widely used by businesses to fill job openings efficiently and creatively. Scammers have been making fraudulent job postings to trick job seekers into giving out personal information or money. They often do a good job at imitating legitimate businesses, which not only hurts the job seeker being scammed, but the reputation of the business being imitated. When scammers use the image or brand of a company maliciously, victims can mistakenly think the company perpetrated the offense. If scammers use the same brand often enough, which is likely if it’s working for them, word can spread quickly that that business isn’t trustworthy. This kind of negative reputation can make it difficult to hire qualified personnel. An example of this kind of scam can be found in their report:
“In April 2021, a human resources (HR) manager was contacted by a job seeker who applied for a position listed on a commonly used networking site. The job seeker had applied for the job and was quickly contacted, interviewed, and offered the position by the scammers. However, the job seeker became suspicious that the job was illegitimate and reached out to the company directly. The HR manager confirmed the job was not posted by the company and was fraudulent. The scammers used a spoofed email address and assumed the identities of legitimate company employees." The IC3 recommends the following:
- Create a plan to help employees identify and report suspicious job postings.
- Utilize security features on job listing sites, such as enabling options to block unauthorized posts and require secured verification.
- Maintain strict controls for users on networking sites your organization uses. Do not share your account's email and password among users.
- List job postings on your official business website with instructions on how to apply, including the legitimate contact information for your company.
- If your company has been used in fake job postings previously, make applicants aware of it by adding a warning to your job listing or careers web page.
- Monitor for fraudulent activity on networking sites and all accounts your organization maintains. Enable automatic notifications of changes and enable multi-factor authentication for all changes to account settings.
- Proactively search for fraudulent job postings under your business name on common networking sites and locations where your business posts employment opportunities. Report fraudulent postings to the website administrator and to the FBI Internet Crime Complaint Center (IC3) at IC3.gov.
How to File a Complaint with the IC3
Businesses should report any instance of cybercrime to the IC3. The FBI defines internet crime as, “any illegal activity involving one or more components of the Internet, such as websites, chat rooms, and/or email. Internet crime involves the use of the Internet to communicate false or fraudulent representations to consumers. These crimes may include, but are not limited to, advance-fee schemes, non-delivery of goods or services, computer hacking, or employment/business opportunity schemes.”
When submitting a complaint, you’ll need to include your name, address, telephone, and email, any financial transaction information, the subject's name, address, telephone, email, website, and IP address, specific details on how you were victimized, and any other relevant information. Relevant evidence can include canceled checks, receipts, pamphlets or brochures, copies of emails, hard drive images, PCAP files containing malicious network traffic, network, host system, and/or security appliance logs, copies of malware, and chat transcripts and/or telephony logs. Each complaint helps the IC3 collect data on cybercrime in order to continue developing cybersecurity best practices and sharing that information with the public. It’s important to note that the IC3 does not conduct investigations. When they receive a complaint, they analyze and research the complaint, then pass information along to relevant enforcement agencies at the local, state, and federal levels.
The FBI offers a wealth of updates, data, and cybersecurity best practices on their website. Businesses should return to it often to stay on top of the latest threats and risks in cybersecurity. And there’s just as much information for individuals on the IC3 site as there is for businesses, so everyone should check it out. Here at iCorps, we take a security-first approach to all things IT and urge our clients to invest in a robust cybersecurity program. If your business does not have a cybersecurity plan in place, now is a great time to start building one. If you don’t have an in-house IT team that can efficiently manage cybersecurity risks, iCorps offers outsourced IT solutions that are cost-effective and backed by years of trusted expertise. Reach out for a free consultation today!