UPDATED: St. Louis, Mo., Jan. 23, 2012 - An email scam using the Better Business Bureau’s name and logo continues to proliferate across North America and beyond. The attacks began just before Thanksgiving and have continued off and on since then.
The New Email Scam
In the latest wave, emails have a subject line reading "BBB SBQ Form," followed by a series of numbers. Recipients are asked to click on a link to update their information with the Better Business Bureau. The link supposedly leads to a form on BBB.org, but it really goes to a third-party website that downloads a virus onto your computer.
In addition to the new wave of emails, the original version of the email scam is still out there. In this version, recipients are told that a complaint has been filed against their business, and that they need to respond by clicking on a link in the email. Again, the link takes them to a third-party website that infects their computer with a virus.
What to Do
Should you receive a suspicious email, don't click on any links. You can test the links by using your mouse to hover over them. The destination of each link will appear in a small pop-up box next to the link or at the bottom of the screen. See screenshot below for an example. If the email is a scam, the website shown will not be a BBB.org URL.
After you have identified a scam, please forward the email to email@example.com and delete it from your inbox. Also, make sure your antivirus software is up to date.
Most of the first wave of emails included the BBB’s torch logo and came with the subject line: “Complaint from your customers.” The emails have a link or an attachment containing malware that steals information, often with devastating results.
Larry Andrus, a BBB board member in Western Michigan and CEO of Trivalent Group, Inc., said one of his firm’s clients narrowly averted a fund transfer after opening an attachment in one of the scam emails. The attachment launched malware that quickly found the accounting office’s computers, then accessed bank account numbers and passwords.
“We had to completely wipe the computers in order to contain the damage to our client,” said Dawn Simpson, Trivalent’s vice president of marketing and business development. Trivalent is a BBB Accredited Business that helps its clients manage, access, protect, and store their data.
The BBB has updated its advice for dealing with the malicious email and now recommends the following to anyone who receives the email:
- Do not open any attachments in suspicious emails.
- Do not click on any links.
- Delete the email from your inbox, then delete it again from your trash or recycling folder.
- Run a full system scan using reputable antivirus software.
Previously, the BBB had recommended running a full system scan only if the recipient had clicked on the link or opened the attachment. Due to the virulent nature of the virus, the new recommendation is for everyone who receives it to do a scan. In offices or homes that are networked, all computers should be scanned.
Chris Garver, chief information officer at the Council of Better Business Bureaus in Arlington, Va., recommends that all domain owners set up a Sender Policy Framework (SPF) and set their spam filter to use it.
“Using the SPF standard helps fight spam and phishing attacks by allowing your email servers to verify whether an email is legitimate or not,” Garver said.
Microsoft offers a simple, four-step process for setting up an SPF record: www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/.
If you receive an email saying your business has a complaint filed against it with the BBB, there are several things you can do to authenticate it:
- Look for typos, grammatical errors, etc. in the text that could indicate it originated overseas.
- Check to see who it says it is from. Complaints go out from local BBBs, not from the headquarters office.
- Hover your mouse over the link to see if its destination is really a bbb.org address.
- Copy and paste the link into Notepad (not Word). Notepad does not support HTML, so if the link is a fake bbb.org address, the real link will show up.
- If you still are not sure, go to www.bbb.org to find your local BBB, and send them a new email to ask if you have a complaint. Do not reply to the email you received or forward it to the BBB.
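The hover and Notepad checks above can also be run mechanically over the HTML body of a saved message. The following Python is an added example, not BBB's own tooling; the sample body, the example.test hosts and the verdict labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "bbb.org"  # the only domain the advisory treats as genuine

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_is_trusted(url, trusted=TRUSTED):
    # Compare the parsed hostname, not a substring: "www.bbb.org.example.test"
    # contains "bbb.org" but is not under it.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def audit_links(html_body):
    """Return (verdict, visible text, real host) for each link in the body."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if host_is_trusted(href):
            verdict = "ok"
        elif TRUSTED in text.lower():
            verdict = "spoofed"   # text claims bbb.org, destination is elsewhere
        else:
            verdict = "external"  # not bbb.org, and does not claim to be
        findings.append((verdict, text, urlsplit(href).hostname))
    return findings

# Constructed sample body; the example.test hosts are placeholders.
SAMPLE = """
<p><a href="http://files.example.test/sbq">http://www.bbb.org/sbq-form</a></p>
<p><a href="http://www.bbb.org.example.test/login">Update your information</a></p>
<p><a href="https://www.bbb.org/">BBB home</a></p>
"""
```

Calling audit_links(SAMPLE) returns one tuple per link; anything not marked "ok" leads somewhere other than bbb.org and should be handled as described in the list above.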
The Council of Better Business Bureaus is working with federal law enforcement agencies to identify the perpetrator of this fraud, and is also looking into other measures it can take to help prevent future phishing scams from spreading.
Contacts: Michelle Corey, President & CEO, 314-584-6800, firstname.lastname@example.org, or Chris Thetford, Vice President-Communications, 314-584-6743 or 314-681-4719 (cell), email@example.com