Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests. The scam is frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds. The scam is not always associated with a transfer-of-funds request. One variation involves compromising legitimate business email accounts and requesting employees' Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallets.

Losses associated with BEC scams quadrupled last year to an astonishing $43 billion according to the FBI statistics below. Just last week about $4 million in federal funding intended for housing assistance in Kentucky was stolen after someone directed that money to a private bank account. (Source: https://www.cnn.com/2022/08/29/politics/kentucky-4-million-cyber-theft/index... )

"These types of attacks can be especially impactful to state and local governments that may do business with dozens, if not hundreds, of different vendors," Hassold, who is now director of threat intelligence at cybersecurity firm Abnormal Security, told CNN.

FBI SUGGESTIONS FOR PROTECTION

* Use secondary channels or two-factor authentication to verify requests for changes in account information.
* Ensure the URL in emails is associated with the business/individual it claims to be from.
* Be alert to hyperlinks that may contain misspellings of the actual domain name.
* Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
* Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's address appears to match who it is coming from.
* Ensure the settings in employees' computers are enabled to allow full email extensions to be viewed.
* Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.

Source: FBI Public Service Announcement https://www.ic3.gov/Media/Y2022/PSA220504

CORSA is committed to keeping members informed of and protected against threats to their financial assets and systems. BEC and/or payment fraud is on the rise, which creates considerable exposure to governmental entities, including CORSA members. Current technology provides sophisticated criminals the tools to create or alter checks or divert payments via BEC or social engineering.

In addition to the FBI's above recommendations, CORSA strongly encourages members to enroll in the anti-fraud services Positive Pay and ACH Positive Pay. The Ohio Auditor of State also recommended enrolling in the above anti-fraud services to guard against check fraud. (See: Auditor of State Best Practices https://ohioauditor.gov/publications/bestpractices/best%20practices%20sept%2...)

Positive Pay is a service that essentially requires bank customers to provide their bank with a list of checks that are to be paid, while payment is withheld for any checks that don't match the customer's list. The ACH Positive Pay service allows a customer to set parameters on payments. For instance, payments that occur regularly with similar amounts can be set up to pay automatically, while any payments that fall outside normal transactions will be suspended until authorized.

Most banks offer Positive Pay and ACH Positive Pay for a fee. In CORSA's experience fees vary, but customers are able to significantly lower fees through negotiation. Should you have questions regarding Positive Pay or ACH Positive Pay, contact Thisbe Butcher at tbutcher@ccao.org.

[Chart depicting Reported Loss Associated with BEC/Cryptocurrency Complaints for the years of 2018, 2019, 2020, and 2021.]

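The matching logic described above for Positive Pay and ACH Positive Pay, as an added Python example (not CORSA's, the FBI's, or any bank's code). The record fields, the originator ID, the tolerance parameter and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
@dataclass(frozen=True)
class Check:                      # one check: issue-file row or presented item
    number: int
    amount: Decimal
    payee: str
@dataclass(frozen=True)
class AchRule:                    # hypothetical ACH Positive Pay parameters
    typical_amount: Decimal
    tolerance: Decimal            # allowed deviation from typical_amount

def review_checks(issued, presented):
    """Pay only items matching the issue file; hold everything else."""
    register = {c.number: c for c in issued}
    paid, decisions = set(), []
    for item in presented:
        match = register.get(item.number)
        if match is None:
            decision = "HOLD: not on issue file"
        elif item.number in paid:
            decision = "HOLD: duplicate presentment"
        elif item.amount != match.amount:
            decision = "HOLD: amount mismatch"
        elif item.payee.strip().casefold() != match.payee.strip().casefold():
            decision = "HOLD: payee mismatch"
        else:
            decision = "PAY"
            paid.add(item.number)
        decisions.append((item.number, decision))
    return decisions

def review_ach(rules, originator_id, amount):
    """Auto-pay routine items; suspend anything outside the set parameters."""
    rule = rules.get(originator_id)
    if rule is None:
        return "HOLD: unknown originator"
    if abs(amount - rule.typical_amount) > rule.tolerance:
        return "HOLD: amount outside normal range"
    return "PAY"

# Constructed sample data (not real checks, payees or originators).
ISSUED = [Check(1001, Decimal("250.00"), "Acme Paving"),
          Check(1002, Decimal("1200.00"), "County Supply Co")]
PRESENTED = [Check(1001, Decimal("250.00"), "acme paving"),
             Check(1002, Decimal("9200.00"), "County Supply Co"),  # altered amount
             Check(1001, Decimal("250.00"), "Acme Paving"),        # second presentment
             Check(1777, Decimal("500.00"), "J. Doe")]             # never issued
RULES = {"UTIL0001": AchRule(Decimal("3400.00"), Decimal("300.00"))}
```
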
Frank Hatfield
CORSA Risk Manager
fhatfield@ccao.org
614-560-1474
614-220-0209 Fax
www.corsa.org

"The leader in providing Ohio Counties with exceptional value, service, and protection of assets."