A scam is an attempt, through deceit or trickery, to intentionally mislead someone, usually with the goal of financial gain. Traditional scams play upon the vulnerability of people by exploiting human virtues such as compassion and trust.

In a common scam, the victim is sent a worthless check, which the victim deposits into their account on the assumption that it is a legitimate transaction. The victim is then urged to quickly forward a small portion of the check's value to the trickster as cash, leaving no time to discover that the check is fraudulent.

There are many different types of scams, including deceptive lotteries, inheritances, employment opportunities, overpayment on sold items, and high-profit/no-risk offers. Below are some common scams and how you can protect yourself.

Vishing Scams

The scammer uses a VoIP tool with a modem to call phone numbers in a given region. When the consumer answers, an automated recording states that the consumer's credit card is showing fraudulent activity. The consumer is directed to call a specific toll-free or local phone number immediately. The number dialed may show a spoofed caller ID for the financial company the scammer is pretending to represent. (Internet-telephone services do not require some of the verification checks used by traditional telephone companies; they provide telephone numbers with a choice of area codes that bear no relevance to the scammer's actual location.) In some cases, the thief already has the consumer's credit card number and will only ask for the three-digit code on the back of the credit card. This makes the call seem even more legitimate to the victim. Usually within 3 days of the call, the telephone line is disconnected, which makes it almost impossible to track the offender.

Lottery Scams

Lottery schemes tend to have one or more of the following characteristics to look out for:

  • Victims are generally notified via U.S. mail.
  • Many letters appear to be from reputable companies or financial institutions.
  • Some lottery scams claim to be from other countries, such as Canada or the Netherlands.
  • Victims may receive an authentic-looking check.
  • Upon contacting an organization, victims may be asked to deposit the check and then return a portion of the money to cover fees or taxes.
  • Even though the amount requested for payment is relatively small compared to the supposed winnings, legitimate lotteries do not ask recipients to pay fees to secure their prize.

Protect Yourself From Lottery Scams

  • If you didn't play a lottery, you didn't win.
  • Ignore communications from foreign lotteries.
  • Legitimate lotteries don't require winners to pay fees to collect winnings.
  • Never give out personal or financial information to anyone over the Internet or phone.
  • Be very skeptical of unsolicited letters, calls, or emails informing you that you've won a lottery.

Inheritance Scams

Inheritance scams try to deceive the victim into believing that a long-lost relative has passed away and left them a large sum of money. Scammers will go so far as to research family tree information to make the inheritance seem more believable. The victim may receive an email or an official-looking letter. These notifications often ask the victim to send a check to help cover expenses associated with their inheritance. Upon sending a check, the victim soon realizes they will not be receiving the money.

Protect Yourself From Inheritance Scams

  • Carefully review all unsolicited regular mail and email.
  • Check with relatives about recent deaths in your family.
  • Don't give out personal information over the Internet or telephone.

Nigerian Letter or 419 Scam

This scam can begin with unsolicited communication from individuals representing themselves as Nigerian or foreign government officials. This so-called "official" offers you a percentage of a large amount of money in exchange for your assistance in placing money in an overseas bank account(s). You may be asked to send your account numbers, or sometimes a cashier's check or wire.

Protect Yourself From Nigerian Letter or 419 Scam

  • If it sounds too good to be true, then it probably is.
  • Avoid offers to get rich quick through a complex transfer of funds.
  • Do not put your money, identity and reputation at stake.

Business Email Compromise Scam

This scam is designed to convince company employees who are responsible for executing financial transactions to wire funds to accounts that are controlled by the perpetrators of the scam. It generally targets businesses working with foreign suppliers and/or who regularly send wire transfer payments. Victims of this scam may purchase or supply a variety of goods or services.

The Federal Bureau of Investigation (FBI) issued a Public Service Announcement on January 22, 2015 identifying three main versions of the scam based on complaint data received since 2009.¹

  • Bogus Invoice Scheme (aka “The Supplier Swindle” and “Invoice Modification Scheme”): The email account of a supplier, with which the business has a long-standing relationship, is hacked and then used to send fake invoices requesting payment to be wired to a fraudulent account. The well-worded request may look legitimate – similar to a previous invoice – but the bank information is different. This scam can also be perpetrated via telephone or fax and, like the email, would closely mimic a legitimate request.
  • Business Executive Scam (aka “CEO Fraud,” “Masquerading,” and “Financial Industry Wire Frauds”): Instead of a supplier’s email being compromised, the email of a high-level business executive (CEO, CFO, CTO, etc.) is hacked and used to make a request for a wire transfer to a second employee within the same company who is normally responsible for processing these requests. In some instances a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank “X” for reason “Y.”
  • Personal Email Hack: An employee of a business has his/her personal email hacked and used to request a payment to a fraudster-controlled bank account. This fraudulent email can be sent to multiple vendors identified from the employee’s contact list. The business may not become aware of the fraudulent requests until they are contacted by their vendors to follow up on the status of their invoice payment.

Why are Business Email Compromise scams successful?

Scammers usually hack an organization’s email system or gather information through public sources. As a result, these scams have been reported to be successful for the following reasons:

  • Open source email accounts (e.g. Gmail) used for both business and personal purposes, and personal email accounts used for business purposes, have been the most targeted, as they are more susceptible to being hacked by means of “phishing”: a virtual trap set by cyber thieves that uses official-looking emails to lure victims to fake websites and trick them into revealing personal information, or that includes links that install malware that can hijack the computer.
  • Fraudulent emails are tailored to the particular business and closely mimic a legitimate email request. Common language, phrases and jargon used within the business are often included in the fraudulent email messages. For example, the phrases “code to admin expenses” or “urgent wire transfer” were reported as common phrases used in the scam.
  • Individuals within the company responsible for wire transfers are identified and directly targeted.
  • The dollar amounts of the wire requests are typical for the business, so as not to raise suspicion.
  • Fraudulent emails received have coincided with business travel dates for executives whose emails were hacked.

How to avoid becoming a victim of Business Email Compromise scams

  • Out of Band Verification: Implement policies and procedures requiring a telephone or in-person verification with the individual or company officer who originates wire requests via email, text, or fax, before the wire transfer is initiated.
  • Secondary Review and Approval: Have a secondary person within your business review and approve all wire transfers before sending them to the bank for processing.
  • Delete Spam: Immediately delete unsolicited email (spam) from unknown parties. Do NOT open spam email, click on links or open attachments contained in the email.
  • Never follow a link to a website from an email—always enter the URL manually.
  • Train all employees to recognize “red flags” of suspicious requests, which may include:
    • Unusual language or content in the email communication
    • Urgent requests or requests to act quickly on a financial transaction
    • Requests to keep the transaction in secrecy
    • Requests made at unusual times
    • Instructions to send funds to bank accounts that differ from accounts where funds have been transferred in the past
    • Sudden changes in business practices (e.g. requests to be contacted via a personal email address when all previous correspondence has been via a company email)
  • Avoid free web-based email (Gmail, Yahoo! Mail, etc.): Establish a company website domain and use it to create company email accounts in lieu of free, web-based accounts and refrain from using personal email accounts for business purposes.
  • Most companies, banks, agencies, etc., don’t request personal information via email. If in doubt, give them a call, but don’t use the phone number contained in the email, as that number is usually phony and part of the scam.
  • Use a Phishing Filter when using the internet: Many of the latest web browsers have Phishing Filters built in or offer them as a plug-in.
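
The red flags listed above can also be checked automatically before a wire request reaches the second reviewer. The following is an added example, not code from this page's publisher or from the FBI announcement; the names, phrase lists, business hours and sample data are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed values for illustration; tune them to your own business.
FREE_MAIL = {"gmail.com", "yahoo.com"}
URGENT = re.compile(r"\b(urgent(ly)?|immediately|right away|as soon as possible|asap)\b", re.I)
SECRET = re.compile(r"\b(confidential(ly)?|secret|do not (tell|discuss|share)|between us)\b", re.I)
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time

@dataclass
class Payee:
    """What the business already has on file for a supplier or executive."""
    name: str
    phone_on_file: str
    email_domains: set = field(default_factory=set)
    paid_accounts: set = field(default_factory=set)

@dataclass
class WireRequest:
    sender: str   # address the request came from
    body: str     # text of the request
    account: str  # beneficiary account named in the request
    hour: int     # local hour the request arrived (0-23)

def red_flags(req: WireRequest, payee: Payee) -> list:
    """Return the red flags from the list above that this request shows."""
    domain = req.sender.rsplit("@", 1)[-1].lower()
    checks = [
        (URGENT.search(req.body), "urgent"),
        (SECRET.search(req.body), "secrecy"),
        (req.hour not in BUSINESS_HOURS, "unusual_time"),
        (req.account not in payee.paid_accounts, "new_account"),
        (domain not in payee.email_domains,
         "free_mail_sender" if domain in FREE_MAIL else "new_sender_domain"),
    ]
    return [name for hit, name in checks if hit]

def callback_number(req: WireRequest, payee: Payee) -> str:
    """Out-of-band verification uses the number on file, never one from the email."""
    return payee.phone_on_file

# Constructed sample data (not real accounts, companies or people).
supplier = Payee("Acme Supply", "+1-555-0100", {"acme-supply.example"}, {"ACCT-1111"})
usual = WireRequest("ar@acme-supply.example", "Invoice 88 attached, net 30.", "ACCT-1111", 10)
odd = WireRequest("acme.billing@gmail.com", "Urgent wire transfer needed today. "
                  "Keep this confidential. Call 555-0199 to confirm.", "ACCT-9999", 23)

for r in (usual, odd):
    print(r.sender, red_flags(r, supplier), "verify via", callback_number(r, supplier))
```

A request with no flags still goes through telephone or in-person verification and secondary approval; the flags only tell the reviewer what to look at first.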

For more information about the Business Email Compromise Scam, other internet crime schemes, internet crime prevention tips or to file a complaint, visit the Internet Crime Complaint Center (IC3) website.

¹ Business Email Compromise. Internet Crime Complaint Center (IC3). Federal Bureau of Investigation, 22 Jan. 2015. Web. 02 July 2015.