Catch Of The Week: Shark Gets Phished

By BECKY RUTHERFORD
Los Alamos

Barbara Corcoran, real estate mogul and “Shark Tank” star, revealed last week that she lost nearly $400,000 after scammers tricked her bookkeeper into paying a fake bill that appeared to come from her assistant.

This is called business email compromise (BEC), and it has tricked companies out of an estimated $26 billion since 2016. In this scam, criminals impersonate trusted business partners.

Usually, they get information on the business by compromising the email account of someone the target does business with, or they use open source information to build up enough detail to craft a convincing fake email. In either case, this particular scam is very hard to detect.

If you get a bill you were expecting, from someone you do business with regularly, what is there to question? As it turns out, plenty, in Corcoran’s case about $400,000 worth, which was the amount wired to a fraudulent bank account in Asia.

Corcoran’s bookkeeper Christina received what looked to be a normal invoice from Corcoran’s assistant Emily to approve a $388,700.11 payment to a German company called FFH Concept. The bookkeeper replied to the email asking which accounts to pay out of, and the criminal was able to give a credible, believable response that FFH was “designing German apartment units that Corcoran had invested in”. This was entirely credible as Corcoran does invest in real estate, and FFH is a real company in Germany. The bookkeeper went ahead and wired the funds.

As it turned out, the invoice was not from Emily; the phony bill came from an email very closely resembling hers, but missing one “O”. Would you notice if an email was off by just one letter? It can be hard to tell, especially when you are busy with the day’s tasks.

This story had a happy ending: Corcoran’s bank was able to get the funds frozen in the German bank they were wired through, giving them time to prove it was fraud. She got back all of the money. Sadly, in most cases the money is long gone before anyone even realizes it was a scam.

A couple in San Diego encountered a similar scam when they wired the $800,000 down payment on their dream home to an account they thought belonged to their escrow company. It turned out they were victims of BEC as well; a criminal had somehow gotten the information from the escrow company and was able to use this to trick them. They were not able to recover any of the money, which was their entire life’s savings.

How can you avoid falling victim to scams like this? Here are a few tips:

  • Don’t overshare on social media platforms. Criminals can use any info you share to craft a customized spear-phishing email to take advantage of you. Limit the information that is available on you and your company to protect yourself.
  • Check incoming email; if it’s from a “trusted” contact, verify the email address is correct. Check that the domain (the part after the “@”) is correct, and check that the address isn’t misspelled. It is incredibly easy to spoof emails, claim to be whoever you want, and slightly alter the email address; most people won’t notice small changes.
  • Watch out for other clues, like oddly phrased sentences, misspellings, or things that sound scripted. A frequent scam appears to come from your boss and may have a subject like “Hey, can you do me a quick favor”, then proceeds to request that you buy gift cards or wire funds.
  • Know the habits of those you deal with via email; if something deviates from the norm, ask yourself why. Reach out to the person via alternate means, “out of band”, like a phone number you have on file, before going forward with any financial transactions.
  • For businesses, require dual approval for certain high-risk transactions, and stick to your procedures.
  • Got a request to update payment information for someone via email? Verify this and any other sensitive transactions by phone, using a number you have on file.
  • Utilize 2FA (two-factor authentication) on all email accounts that you can. This is easy to do; you can use an authenticator like Google Authenticator, Authy, etc. or you can use your cell phone number. You will get a unique code either texted to you or generated by the authenticator app any time you need to log in from an untrusted machine. This means that if someone gets your password, they still won’t be able to access your email without that unique code to verify them.
  • View any emails requesting money transfers with suspicion. Always verify the sender and the request “out of band” before proceeding.
  • If you own a business, make sure that your employees are aware of BEC and other cyber threats by offering them cybersecurity awareness training. This doesn’t have to be expensive; you can have a lunch and learn meeting and discuss phishing and other cyber threats.
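The “missing one letter” trick above is exactly what a simple address check can catch. The following is an added example, not part of the original column: it compares the sender address in a From: header against a made-up list of known contacts (the addresses and sample headers are constructed) and flags anything within a couple of character edits of a trusted address as a lookalike. The display name is deliberately ignored, since it can say anything.

```python
"""Flag incoming sender addresses that nearly match a known contact.

Constructed example: the contact list and sample headers below are made up.
"""
from email.utils import parseaddr

# Hypothetical address book of people the bookkeeper exchanges invoices with.
TRUSTED_CONTACTS = {"emily@example-corp.com", "christina@example-corp.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_CONTACTS, max_distance=2):
    """Return (verdict, closest_contact) for a raw From: header value.

    verdict is "trusted" (exact match), "lookalike" (within max_distance edits
    of a known contact, e.g. one letter dropped or swapped) or "unknown".
    Only the bare address is compared; the display name is trivially forged.
    """
    _, address = parseaddr(from_header)
    address = address.strip().lower()
    if address in trusted:
        return "trusted", address
    if not trusted:
        return "unknown", None
    closest = min(trusted, key=lambda contact: edit_distance(address, contact))
    if edit_distance(address, closest) <= max_distance:
        return "lookalike", closest
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample headers; the second drops one letter, like the fake invoice.
    samples = [
        "Emily <emily@example-corp.com>",
        "Emily <emily@exmple-corp.com>",
        "Emily <emily@example-c0rp.com>",
        "Billing <billing@unrelated.example>",
    ]
    for header in samples:
        verdict, match = classify_sender(header)
        print(f"{verdict:9} {header}" + (f"  (resembles {match})" if match else ""))
```

A “lookalike” result is a cue to pick up the phone and verify out of band before any payment goes out.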