CROMWELL, Conn.—Many companies are quickly making arrangements for employees to work from home and these actions are creating an even higher risk for people to be targeted by scammers, especially through phishing emails or through an unsecured network connection.
Scammers are taking advantage of the fact that many employees are now working from home and no longer have the luxury of walking over to their boss's desk or calling them on their office phone to confirm a request or ask questions.
Business Email Compromise (BEC) scams impersonate emails that appear to come directly from the boss or human resources. While this is a common scheme, scammers constantly change their approach and use current events as a way to convince the recipient to take action. Compromised business emails may be used to request payments for things such as reimbursements, bogus invoice payments, or office equipment. They may also target HR employees by requesting they send direct deposit information or tax details for all employees to the CEO for a "stimulus bonus" or some other phony reason.
BBB urges businesses and at-home workers to consider the following suggestions to avoid being victimized:
Be aware of unusual procedures. If you receive an email from your boss requesting you complete an unusual procedure, verify via phone or an instant message (IM) first. Also confirm that the email address is accurate and isn't spoofed. Spelling errors or general greetings are also red flags of many phishing scams.
Maintain office billing policies at home. One of the best ways to combat BEC scams is to set a policy requiring employees to confirm payment requests in person or over the phone, rather than over email. If the employees that handle billing are working from home, have them maintain these policies by calling to confirm any payment requests made by email.
Avoid opening attachments or clicking links in emails unless you are 100 percent certain that the source is legitimate and that the communication was expected. This is the number one way that business email accounts are hacked.
Don't allow remote IT support without verifying the source. Your IT department will communicate with you first before connecting to your computer. If anyone you don’t recognize calls you and claims to be with your IT department and asks you for your password or other sensitive information, hang up and call your IT department to see if the request was legitimate.
Log off. When you are finished for the day, log off your remote PC. Don’t just lock it or disconnect from it without logging off.
If you believe your business has been compromised, don’t wait. Take quick action to ensure that further exposure is limited and do not be afraid to ask for help.
