Does your business swim in a pond that is likely to be phished? Will your business be the target of hackers? What are the chances of your company getting scammed in Internet schemes? Are you or your employees likely to be duped into revealing personal or confidential information which a scammer can use illicitly? What about your data at home? Does this ever keep you up at night? Perhaps it should.
Larger corporations usually have chief information officers to help ensure corporate data is secure. Smaller companies, as well as folks at home, look to other consultants and advisers, including online sources, such as the Better Business Bureau (the BBB), an organization that provides the “Accredited Business Seal for the Web.” Yet, consider the recent impact of an effective, if not comprehensive, ongoing phishing scam affecting the BBB. Yes, the same BBB that offers “Assurance on the Internet” services.
One of Rade Law’s not for profit clients recently received a very official looking e-mail from the New York BBB. It appeared authentic, nothing amiss in the return e-mail address, and informed the “Owner/Manager” that the BBB had received a complaint from one of its customers regarding “their dealings with you.” In uncomplicated language it encouraged the recipient to contact the BBB because “Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.” There was a .zip file attached and my client was “encouraged” to open it, print out the complaint and answer the questions.
Most smaller companies, including not for profits, that provide services, sell products or solicit funds, know that the BBB, for better or worse, is one of the top places consumers rely on to investigate whether they wish to proceed with doing business with a new company. If the BBB has complaints against your company, that can be a major concern. The tendency, upon learning about a complaint lodged against your company at the BBB, is to see how to resolve it as soon as possible. This is an ideal scenario for a smart phisherman – the “phish” seizes the bait immediately and runs with it, only to be reeled in for dinner.
Fortunately, our client had good radar for phishing, enhanced in part because this organization does very limited business in the State of New York. Additionally, the client had never received a direct complaint from anyone. Our wise client did not open the .zip file and asked whether it should be opened. Our firm called the New York BBB and, while not speaking to an actual person and being forced to go through a labyrinth of voicemail, we learned from a recorded message that the BBB name and logo are being fraudulently used by criminals in an ongoing phishing scam. Investigating this further, it turns out that this scam has been going on for a very long time. Ironically and, perhaps, too light-heartedly, the BBB included this phishing scam in its Top 10 Scams of the Year 2011 (It’s Us!).
The BBB alerts visitors to its website that the phishing emails look very much like a real notice of a complaint from the BBB. They warn that the links include malware that can infect your computer, steal your passwords and otherwise compromise your identity. This is no small matter. The BBB is working with law enforcement and a “private deactivation firm to shut down as many criminal websites as possible” (which begs the question, how large can this phishing scheme really be?). The BBB claims to have shut down over 100 sites – a massive attack on the BBB. Clearly this scam goes unabated throughout 2012.
So, at this point in time, if you get an e-mail that looks like it is from the BBB, here is what they tell you to do:
1. Do NOT click on any links or attachments.
2. Read the email carefully for signs that it may be fake (for example, misspellings, grammar, generic greetings such as “Dear member” instead of a name, etc.).
3. Be wary of any urgent instructions to take specified action such as “Click on the link or your account will be closed.”
4. Hover your mouse over links without clicking to see if the address is truly from bbb.org. The URL in the text should match the URL that your mouse detects. If the two do not match, it is most likely a scam.
5. Send a copy of the email to email@example.com (Note: This address is only for scams that use the BBB name or logo).
6. Delete the email from your computer completely (be sure to empty your “trash can” or “recycling bin,” as well).
7. Run anti-virus software updates frequently and do a full system scan.
8. Keep a close eye on your bank statements for any unexpected or unexplained transactions.
If you have a business and are not certain whether the complaint is legitimate, contact your local BBB (www.bbb.org/find).
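Step 4 above (hover over the link and compare the displayed address with the real target) can also be run as a check over the HTML body of a suspicious message. The following is an added example, not code from the BBB or from this post; it assumes bbb.org is the domain the notice claims to come from, and the sample message, the look-alike host name and the non-routable address 198.51.100.7 are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED_DOMAIN = "bbb.org"  # assumption: the domain the notice claims to come from

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lowercased host of a URL; bare text such as 'www.bbb.org/find' is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def belongs_to(host, domain):
    """True for the domain itself or a real subdomain; rejects bbb.org.evil.example."""
    return host == domain or host.endswith("." + domain)

def check_links(html, trusted=TRUSTED_DOMAIN):
    """Return (href, text, reason) for each link that fails the hover test."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not belongs_to(host_of(href), trusted):
            findings.append((href, text, "target is not on " + trusted))
        elif "." in text and " " not in text and not belongs_to(host_of(text), trusted):
            findings.append((href, text, "displayed address differs from target"))
    return findings
# Constructed sample body imitating the complaint notice described above
SAMPLE = """<p>Owner/Manager: a complaint was filed about your dealings with a customer.</p>
<a href="http://bbb.org.complaint-center.example/view">www.bbb.org/complaint</a>
<a href="https://www.bbb.org/find">www.bbb.org/find</a>
<a href="http://198.51.100.7/complaint.zip">Download the complaint</a>"""
if __name__ == "__main__":
    for href, text, why in check_links(SAMPLE):
        print(f"SUSPICIOUS: '{text}' -> {href} ({why})")
```

Only the genuine www.bbb.org/find link passes; the look-alike host that merely starts with "bbb.org" and the bare IP address are both reported, which is the mismatch the hover test is meant to reveal.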
Yes, it’s ironic that all this information is coming from an organization that sells its Internet security services to other companies to deliver a BBB Accredited Business seal on its website because their seal “is backed by the standards, credibility and high name recognition of BBB, which brings its almost 100 year old reputation for marketplace trust to the Internet.” This phishing attack may tarnish that reputation or serve to make it an even stronger organization. It may also provide a clue as to which companies may be directly under attack – namely companies and organizations with sound reputations that are well known and which consumers trust. One might reasonably infer that if your corporation or organization fits that description, be extra, extra vigilant because you have more to lose.
Is nothing sacred? First, a word to the BBB. It’s time to take your own advice. As for the rest of us, this is a good time to confirm the security of your websites and domains, and do your best to ensure their integrity. If you’re on the board of a company, the CEO, or the general counsel, go pay a visit to your CIO. Many corporations or organizations might not survive the reputational harm of a phishing scheme like this. If your corporation has an internal or outsourced IT department, check with the head of IT to ensure that your domain and user names are appropriately protected. If your company or not for profit is smaller, you might want to check out the BBB’s website on Data Security to get started. While the information provided by the BBB certainly did not protect them, it remains valuable basic information.
Also, it is time to inform your employees about phishing schemes. Tell them about this one – and that they should not open an e-mail from the BBB; instead, they should refer such emails to a person designated for the purpose of receiving business complaints. Recognize, however, that you may well have a problem if the BBB really does want to reach you. The best way to answer that question is to pick up your phone and call the BBB directly to determine whether a real complaint has been lodged.
Both businesses and individuals have a need to keep confidential information safe and secure. Don’t let anyone phish in your data pond.