Small businesses have a new scam to worry about: criminal job applicants who want to hack into online bank accounts.
The U.S. Federal Bureau of Investigation issued a warning Wednesday about a new twist on a long-running computer fraud technique, known as Automated Clearing House fraud.
With ACH fraud, criminals install malicious software on a small business’ computer and use it to log into the company’s online bank account. They set up bogus fund transfers, adding fake employees or payees, and then move the money offshore.
Scammers can move hundreds of thousands of dollars in a matter of hours using this technique. They often target small businesses that use regional banks or credit unions, which often don’t have the resources to identify and block the fraudulent transfers.
In this latest twist on the scam, the criminals are apparently looking for companies that are hiring online and then sending malicious software programs that are doctored to look like job applications.
An unnamed U.S. company recently lost $150,000 in this way, according to the FBI’s Internet Crime Complaint Center. “The malware was embedded in an e-mail response to a job posting the business placed on an employment website,” the FBI said in a press release. The malware, a variant of the Bredolab Trojan, “allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company.”
This scam has been around at least six months, according to security vendor SonicWall, which reported the Trojan last July.
The typo-filled Trojan that SonicWall spotted looked like a Word document and read: “Hello! I have figured out that you have an available job. I am quiet intrested in it. So I send you my resume, Looking forward to your reply. Thank you.”
In the case reported by the FBI, the Trojan was used to transfer money to Ukraine and two other U.S. bank accounts.
“The FBI recommends that potential employers remain vigilant in opening the e-mails of perspective employees,” the FBI said.
There are a few things consumers and small businesses can do if they’re unsure about e-mail attachments. The safest is to delete the attachment and write back to the sender asking for a plain text version. Alternatively, they can open the document in Google’s Gmail to see if it appears legitimate.
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is robert_mcmillan@idg.com