MUSCAT, 25 February 2020
Royal Oman Police and Bank Muscat have been partnering to conduct a comprehensive anti-fraud public awareness campaign in the Sultanate to tackle cyber fraud. The initiative focusses on educating the general public in Oman about digital best practices so as to prevent falling prey to cyber fraud. Royal Oman Police and Bank Muscat are currently using multiple media channels to spread awareness, as well as seminars and workshops in colleges and universities across Oman.
The anti-fraud campaign has been highlighting different methods used by fraudsters from across the globe to target both the general public as well as business entities. The bank has called on the business community in the Sultanate to be particularly aware of the threat of business email compromise where fraudsters attempt to defraud victims into initiating fund transfers into a bank account under the control of the fraudster instead of the supplier’s genuine bank account.
Often targeting companies who conduct wire transfers of funds, business email compromise attackers rely heavily on social engineering tactics to trick unsuspecting employees and executives. The fraudsters carefully research and closely monitor their potential target victims and their organisations. Often, they impersonate the CEO or an executive authorised to do wire transfers for the business and write to employees in the finance department asking for funds to be transferred urgently.
According to leading cyber and data security solutions provider Trend Micro, some common business email compromise scams are as follows:
Bogus Invoice Scheme: Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers to an account owned by fraudsters.
Executive Fraud: Attackers pose as the company CEO or a senior executive and send an email to employees in finance, requesting them to transfer money to the account they control.
Account Compromise: An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
Data Theft: Employees from HR and Finance departments of corporates are often targeted to obtain personally identifiable information of employees and executives. Such data can be used for future attacks on the organisation.
Business Email Compromise attacks involving the hacking of an employee’s email account to request payments or money transfers sent to fraudulent bank accounts has particularly grown globally over the past few years. Corporates and government entities across the world have lost millions of dollars because of this type of business email compromise.
Steps to stay safe
1. Always make sure that the URL of the website you are visiting starts with https (and not just http).
2. Install a good Internet Security software on computers and smartphones and keep it updated. Also make sure that the operating system of computers and smartphones are always updated to the latest version.
3. Never reply to or click on links inside unsolicited emails asking for updating of password or other login details. Do not fall for emails that threaten to block your account unless you click on the link in the email and log into your account. Even if you want to log into your account, manually type the website address into your browser and log in.
4. Verify all transactions and fund transfers. Confirm payment requests with the sender through other known channels like phone calls using previously confirmed details.
5. Look closely at emails to spot suspicious elements such as unexpected payment requests, messages written with a sense of urgency, grammatical mistakes and misspellings, fake email ids or obvious deviations from the sender’s usual writing style.
6. Secure all email accounts by using strong passwords, enabling two-factor authentication, and inspecting links and attachments before clicking them.
7. Always change default usernames and passwords on Wi-Fi routers and other devices to strong and unique passwords.
8. Conduct regular awareness and training on cyber security for employees.