When a small plumbing company in Monroe, Louisiana, got an email yesterday from BBB saying they’d had a complaint filed against them, they took it seriously. After all, the company is a BBB Accredited Business and the owner serves on the board of directors of BBB of Northeast Louisiana.

What they got, however, was much worse than a complaint from an unhappy customer. The email was a fake, a phishing scam that downloaded viruses on two of the small business’s computers, which had to be wiped clean in order to get rid of the malware infection. Fortunately for the plumbing company, the virus hadn’t had a chance to steal any banking information.

Unfortunately, small businesses and consumers across the country are falling victim to the latest phishing scam that exploits BBB’s trusted name. The campaign that started yesterday was the second biggest phishing scam in the country on Wednesday, according to the University of Alabama at Birmingham’s Spam Data Mine, one of the nation’s foremost computer forensics labs. SDM is assisting the Council of Better Business Bureaus in tracking phishing scams that use the BBB name.

The phishing emails – the fifth wave since Thanksgiving that uses the BBB’s name – uses BBB’s name and logo in an attempt to look like a notice of a newly filed complaint. The latest round includes a ZIP attachment, but that has not always been the case. Whether by an attachment or a link, the phishing emails attempt to trick the recipient into clicking and opening the “complaint,” which downloads malware onto their computer. The malware is designed to infect the computer and look for information such as bank account numbers and passwords in order to steal money from the recipients’ accounts.

If you receive an email that looks like it is about a BBB complaint:

1. Do NOT click on any links or attachments.
2. Read the email carefully for signs that it may be fake (for example, misspellings, grammar, generic greetings such as “Dear member” instead of a name, etc.).
3. Be wary of any urgent instructions to take specified action such as “Click on the link or your account will be closed.”
4. Hover your mouse over links without clicking to see if the address is truly from bbb.org.
5. Delete the email from your computer completely (be sure to empty your “trash can” or “recycling bin,” as well).
6. Run anti-virus software updates frequently and do a “full system scan.”
7. If you are not certain whether the complaint is legitimate, contact BBB (www.bbb.org/find).
8. Forward the email to phishing@council.bbb.org so that our security team can track the perpetrators.  If you receive a “bounce” message, there is no need to resubmit.

BBB of Southern Arizona also recommends that all businesses take steps to secure their data and the information they’ve collected on their customers. BBB’s “Data Security – Made Simpler”

Better Business Bureau of Southern Arizona is issuing an urgent scam alert cautioning Accredited Businesses about an email that is purporting to be from a bbb.org email address about a recently filed complaint.

The email contains a malicious link that appears to direct recipients to BBB’s website. This is a scam. If you receive an email from BBB concerning a complaint there will be no attachment, and the senders email address will always be info@tucson.bbb.org.

The newest email appears to come from a fake BBB employee, and a fake BBB email address- risk.manager@bbb.org- claiming that a complaint has been filed against the business and they have 14 days to respond to it.

From there, the email appears to direct the recipient to BBB’s website, but actually directs them to an outside link. This email is fraudulent and does not originate from BBB. The email attachment and link are malicious and we are strongly advising anyone who receives the email to not open or click them.

Should you receive such an email, please disregard its message and forward it to phishing@council.bbb.org. If you have clicked on the link, immediately do a virus scan. BBB lawyers are working to find out who is behind this and will take all appropriate action to protect its trademark.