Protect your company from COVID-19 pandemic scammers.

At KeyBank, fraud awareness and cybersecurity issues are a top priority for us and for our clients. The risk of cyberattacks are a daily reality for individuals and organizations, and the threats are continually evolving, becoming faster and more sophisticated all the time. Even worse, as we are all focused on managing our responses to the COVID-19 emergency, cyber criminals are seeing it as an opportunity to attack.

Reports of fake emails, texts, phishing, robocalls, dangerous links and more are already emerging related to COVID-19. At a time like this, we want to remind you of what can be done to help protect your organization from wire fraud – one of the most common cybercrimes in the United States.

Stay alert to the latest trends – Fraudsters try to stay relevant

Several government agencies, including the FBI, have alerted KeyBank to increased fraud and scams related to the COVID-19 pandemic.

• Social engineering and phishing: There are known instances of social engineering and phishing schemes — including fraudulent emails, phone calls, and text messages — to attempt to defraud consumers and organizations of all sizes and industry. These emails may appear to be from legitimate known companies.
• Wire fraud: There have been an increased number of reports regarding fraud attempts related to companies pretending to be medical supply vendors. Based on the current stress on the supply chain, scammers may promise equipment they do not have access to in order to capitalize on the medical community’s urgent needs. These fraudulent suppliers are attempting to convince organizations to purchase medical supplies from their company and asking for payments through domestic and international wire.
• Business email compromise: Organizations will likely see a rise in business email compromise phishing attempts as employees are working from home and outside their normal routines.

What should you do to protect yourself from COVID-19 scams?

It’s important for us all to practice good cyber hygiene and follow industry best practices, including:

• Do not open attachments or click on links within emails or text messages from senders you don’t recognize
• Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from
• Always verify the web address of legitimate websites and manually type them into your browser
• Check for misspellings or wrong domains within a link (for example, an address that should end in a “.gov” ends in “.com” instead)
• Be skeptical of last-minute changes in wiring instructions or recipient account information
• Verify any changes and information via the contact on file – do not contact the vendor through the number provided in the email
• Be skeptical of the unusual asks or activity of vendors, and ask questions:
  • Unusual payment terms (e.g., supplier asking for up-front payments or proof of payment)
  • Last-minute price changes
  • Last-minute excuses for delay in shipment (e.g., claims that the equipment was seized at port or stuck in customs)
  • Unexplained source of bulk supply

• Apply extra due diligence to vendor identification and be conscious of the potential red flags, including:
  • If the business address does not match the purported business type (Carry-out restaurant, gas station, residence, P.O. Box)
  • Business ownership – is the firm registered in the state that it is doing business in
  • Business is newly established
  • Negative headlines in online search
  • Business is not consistent with the type of vendor they are supposed to be, i.e. medical supplies
  • Generic email addresses, such as Gmail, AOL or Yahoo
  • Order process redirects user to an offshore site

• Apply extra due diligence prior to initiating a wire as wires are often irrevocable and could result in a loss to your organization; consider these three steps:
  1. If you receive an email or text with wiring instructions, do not reply. If you receive a phone call with wiring instructions, tell the caller you’re going to hang up to verify the information.
  2. To make sure you have received a legitimate request, call a trusted phone number you have used before to contact the vendor, or use a number written in the contract. Do NOT use a number listed in the email sent to you or call the number that texted you. There could be a fraudster on the other end of the call, ready to trick you into diverting funds to their account.
  3. After calling a trusted number, talk to the person that the email, text or call was said to have come from. Verify that there has been a change to wiring instructions.