Business Email Compromise Campaign

Scams

February 6, 2025

The NJCCIC received reports of a business email compromise (BEC) campaign sent from a compromised emergency management email account. The phishing email referenced a contract and directed the recipient to click a link to view a related document. This link led to a Linktree webpage that displayed the city’s logo and instructed the user to click another link. The landing page, which was intended to steal user account credentials, has since been taken down.

In other business email compromise campaigns, threat actors try to convince the recipient that the sender is a vendor and that payment for goods or services is due. These emails often include a fictitious invoice and payment instructions for a fraudulent account. They may also be sent from compromised email accounts, making it difficult for recipients to question the email’s legitimacy.

Recommendations

  • Confirm the source and instructions of any monetary transaction received via email through a separate means of communication, such as a phone call. Replies to the email are not an effective verification method as they could be sent to the threat actor.
  • While an email may appear to come from a known and trusted account, that account may have been compromised. Verify all requests for the transfer of money.
  • Do not submit your credentials (username and password) to websites with URLs unassociated with an official organization or business.
  • If you act on a financial BEC scam, notify your supervisor and banking institution immediately to attempt to disrupt the transfer of funds.
  • Create a policy and procedure for identifying and reporting BEC emails, including periodic employee awareness training.
  • Establish policies and procedures that require any requests for highly sensitive information or large financial transactions to be authorized and approved by multiple individuals via a secondary means of communication beyond email.
  • Review the Don’t Be Fooled: Ways to Prevent BEC Victimization NJCCIC Informational Report for additional information.