Phishing Scam Targets Victims Using Better Business Bureau
Written by Jeff Orloff on January 27, 2012
This past holiday season showed that spending in brick and mortar stores was significantly off targeted projections.
People just weren’t spending as much money in the malls and department stores.
However, every single study of consumer spending did show that companies with a strong online presence had a significant boost in sales this past year, including the holiday shopping season. In fact, during December alone, non-store sales rose 10.6 percent from the same time one year ago. Even automobile sales online boasted a 9.5 percent increase.
To make sure they can stay competitive in the online retail sector, businesses must strive to build, and at the same time maintain, a solid reputation on the Internet.
Of course, it was only a matter of time before spammers saw this trend as an opportunity to dupe business owners into downloading dangerous malware.
How the Scam Works
Businesses are sent an email branded with the Better Business Bureau logo that reads:
“Thank you for supporting your Better Business Bureau (BBB). Your BBB receives more than 6,500 requests for information every day and provides reliability reports to consumers 365 days a year, 24 hours a day, and 7 days a week.
As a service to BBB Accredited Businesses, we try to ensure that the information we provide to potential customers is as accurate as possible. In order for us to provide the correct information to the public, we ask that you review the information that we have on file for your company.
We encourage you to use our ONLINE FORM to provide us with this updated information. The URL below will take you directly to this form on our website:
CLICK HERE to login to your BBB account
You may also complete the form on the reverse side of this letter and mail to PO Box 1000; DuPont, WA; 98327; or fax to (206)436-5496.
Please look carefully at your telephone and fax numbers on this sheet, and let us know any and all numbers used for your business (including 800, 900, rollover, and remote call forwarding). Our automated system is driven by telephone/fax numbers, so having accurate information is critical for consumers to find information about your business easily. In addition, many consumers may search our database using your e-mail and/or Web address, so please be sure to include this information as well. As a BBB accredited business, you receive a free hyperlink from your online reliability report to your company Web site if provided to us.
Thank you again for your support, and we look forward to receiving this updated information.
Sincerely,
Accreditation Services”
Eager to keep their information and good standing current, business owners and managers who click the link are not taken to a legitimate site hosted by the BBB. Instead their computer downloads malware and their account credentials are compromised by the phisher.
Another version of the phishing scam informs the recipient that a negative review of their company has been posted to the BBB site. To refute the claim, the recipient must click on the supplied URL and address the problem. Failure to do so would result in a bad report being filed over the complaint.
The URL here also directs the victim to a malicious site and can lead to account credentials being stolen.
Fighting Back
This newest scam is the third of its kind in the last three months targeted at business owners.
Businesses have been instructed, by the BBB, to contact them directly if they receive emails claiming that they have received a negative complaint or that their information is incorrect or incomplete.
The Better Business Bureau is also taking steps to fight the problem, enlisting the help of the FBI.
“Our national organization in Arlington, Va. has been working for three months with the FBI, and I can tell you that they’ve closed down over 50 sites”, Katie Carrol, Director of Media Relations and Communications with the BBB, said.
They have also asked business owners to help them fight this growing problem by contacting them at phishing@council.bbb.org if they receive these emails, or any others like them.
IT departments should also be aware of this scam and take necessary precautions.
In-house steps that can help prevent problems related to this latest attack, as well as others, include:
- Keep anti-malware software up-to-date.
- Make sure anti-spam solutions are configured correctly and up-to-date.
- Make sure that employees are aware of this scam.
- Put procedures in place for employees who receive this email, or other spam messages, to report it.
- Teach employees how to better recognize spam and phishing attempts.
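For the reporting and filtering steps above, a mail triage check can flag messages that carry Better Business Bureau branding while the sender address or the "CLICK HERE" link points somewhere other than the BBB's own domain. The following is an added example, not code from the BBB or from this article; the names `triage`, `LinkCollector`, `under` and `TRUSTED` are hypothetical, the sample message is constructed, and treating `bbb.org` as the legitimate domain is an assumption based on the reporting address given above.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "bbb.org"  # assumption: domain of the phishing@council.bbb.org address

def under(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw):
    """Return reasons a BBB-branded message does not come from or link to bbb.org."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            data = part.get_payload(decode=True) or b""
            html += data.decode(part.get_content_charset() or "utf-8", "replace")
    seen = " ".join([display, msg.get("Subject", ""), html]).lower()
    if "better business bureau" not in seen and "bbb" not in seen:
        return []  # not BBB-branded, nothing to compare against
    findings = []
    sender_domain = addr.rpartition("@")[2]
    if not under(sender_domain, TRUSTED):
        findings.append("sender domain: " + sender_domain)
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    for href, text in collector.links:
        url = urlsplit(href)
        if url.scheme in ("http", "https") and not under(url.hostname, TRUSTED):
            findings.append("link %r -> %s" % (text, url.hostname))
    return findings
```

A host such as `bbb.org.forms.example` is flagged because the comparison is made on the end of the hostname, not on whether the string "bbb.org" appears somewhere in the URL.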





This is old news. I think someone from AllSpammedUp had already written about this one – RE: BBB negative complaint by customers to a certain business owner. In fact, I also received the same type of email that was supposedly from BBB.
But the latest phishing attack is new for me. Thankfully, I’ve never received it. If ever it would be sent to me, my Gmail account has this new security feature that labels suspicious emails. I also enabled Gmail Labs’ “Authentication icon for verified senders” tool.