The Anishinabek Police Service (APS) is warning Indigenous businesses and organizations in its communities to be aware of an active, serious, ongoing fraud threat.
In recent weeks, APS has investigated two cases of Business Email Compromise (BEC) in which Indigenous organizations have been the targets of significant frauds. BEC is a sophisticated fraud in which criminals send an email message that appears to come from a known source making a legitimate request.
Both cases being investigated by APS have involved organizations that have well-established relationships with suppliers, wholesalers or contractors. The criminal, using a spoofed or compromised email account of the supplier, informs the organization of a change in payment details. The email includes new banking information with instructions to send future payments to the “new” account, which is actually fraudulent. The organization then makes the payment – in good faith – to the scammer’s account.
Combined total losses in these two cases exceed $350,000.
Based on the evidence gathered to date, these are highly organized frauds. The scammers have knowledge of the invoicing practices, accounts payable contacts, and vendor details of the organizations they are targeting.
APS continues to investigate and has engaged with the OPP’s Cyber-Enabled Fraud team – Anti Rackets Branch.
We are advising organizations to take the following precautions:
- Focus on education and prevention by training employees on good security practices, and keep current on frauds targeting businesses.
- Never open emails, click on attachments or links from an unknown address as they may contain malware used to compromise accounts.
- Create intrusion detection rules that flag emails from addresses whose extensions (domains) are similar to the company's email domain, and register all internet domains that are slightly different than the actual company domain. Note: email addresses may differ by only one character.
- Use a two-step verification process for payment requests. Contact the source through another means of communication (e.g. by phone) to confirm the request is legitimate. Do not rely on email alone.
- Use a dual-signature system with dual-authentication (the use of a security token), requiring at least two different authorized signatures for wire transfers.
- Limit the amount of information shared publicly and use caution with social media. Fraudsters will use these sources to conduct research.
- Ensure all software, including anti-virus software, is up to date on all computers, servers and mobile devices.
- Create a whitelist of trusted email addresses. Email from unknown addresses will be blocked or flagged. This minimizes the risk of phishing/spoofed emails getting through.
- Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
- Be especially wary if the requestor is pressing you to act quickly.
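
The look-alike address check and trusted-sender list from the precautions above can be combined into one triage step, shown here as an added Python example that is not part of the APS advisory. All domains and addresses are constructed for illustration, and the two-character threshold is an assumption.

```python
# Added example: triage a sender address against a trusted list and flag
# near-miss (look-alike) domains. All names below are constructed samples.
TRUSTED_SENDERS = {"ap@northshore-supply.example",
                   "billing@lakeview-contracting.example"}
PROTECTED_DOMAINS = {"northshore-supply.example",
                     "lakeview-contracting.example",
                     "ourband-office.example"}  # includes the organization's own domain

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_sender(address, max_distance=2):
    """Return (verdict, matched_domain) for one sender address."""
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return ("malformed", None)
    if address in TRUSTED_SENDERS:
        return ("trusted", domain)
    if domain in PROTECTED_DOMAINS:
        # Right domain, but not a contact on the trusted list: flag for review.
        return ("known-domain-unlisted-sender", domain)
    for known in sorted(PROTECTED_DOMAINS):
        if edit_distance(domain, known) <= max_distance:
            return ("lookalike", known)  # differs by only a character or two
    return ("unknown", None)

if __name__ == "__main__":
    samples = ["ap@northshore-supply.example",
               "ap@northshore-suppIy.example",   # capital I in place of l
               "ap@northsh0re-supply.example",   # zero in place of o
               "newhire@lakeview-contracting.example",
               "sales@unrelated-vendor.example"]
    for s in samples:
        print(s, "->", classify_sender(s))
```

A "trusted" verdict only means the address matches the list. It cannot detect a compromised supplier mailbox, which is why payment changes still need confirmation by phone.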
BEC is a criminal act. Whether or not funds were transferred, always:
- Report the incident to your IT personnel; they will provide guidance on how to handle the email.
- File a complaint with the local police. Identify the incident as “BEC” or wire fraud. Be prepared to share all available details of the incident.
- Report the incident online, 24/7, to the Canadian Anti-Fraud Centre (CAFC).
- Email contact@cyber.gc.ca. The Cyber Centre will assist in mitigation and prevention, especially in cases where a technical compromise may have occurred.
If funds were transferred – immediately report the incident to your financial institution. Share the following information:
- the amount
- the account destination
- other pertinent details from the request
- ask about recalling the transfer
- be sure they contact the recipient financial institution
The safety and well-being of our communities is a shared responsibility. Anyone with relevant information about these investigations is asked to call police at 1-888-310-1122. Members of the public can report suspicious activity in the community using our Online Reporting Tool. You can submit reports anytime, from any device, making it convenient to contribute to your community’s safety without delay. Anonymous information may also be submitted by calling Crime Stoppers at 1-800-222-TIPS (8477), or online at ontariocrimestoppers.ca. Crime Stoppers guarantees the anonymity of tipsters and doesn’t ask for personal information. Tips that lead to successful investigations and resolutions may be eligible for cash rewards.










